http://www.computerworld.com/securitytopics/security/holes/story/0,10801,104092,00.html By Jaikumar Vijayan AUGUST 22, 2005 COMPUTERWORLD The speed at which hackers are taking advantage of newly disclosed software flaws should be prompting companies to adopt stronger measures for dealing with such vulnerabilities, according to IT managers and analysts. Several security experts last week said that IT departments need to look beyond just patching defects and devise broader and more holistic strategies to defend themselves against attacks seeking to quickly exploit new flaws. The advice comes in the wake of an onslaught of worms that targeted a flaw in a plug-and-play component of Windows 2000. The worms hit several large companies, including The New York Times Co., Cable News Network LP, Caterpillar Inc., DaimlerChrysler AG and General Electric Co., when hackers made use of the hole disclosed less than a week earlier by Microsoft Corp. as part of its monthly patch release. The rapid exploitation of the Windows 2000 vulnerability left some IT managers acutely aware of the need to be vigilant about keeping their systems up to date. "We are going to have to fast-track the latest security upgrades, maybe the same day, unfortunately," said Satish Ajmani, CIO of California's Santa Clara County. "It is scary." The trend has prompted Uline Inc. to accelerate its patching of desktops and servers, said Robert Olson, a systems administrator at the Waukegan, Ill.-based distributor of packing and shipping materials. The Windows 2000 bugs caused infected systems to restart repeatedly and could allow remote attackers to take control of compromised systems. According to vendors of antivirus software, the malware targeted only older, Windows 2000-based systems. Although none of those 11 or so worms are considered particularly serious by most security experts, they serve as a sobering illustration that hackers can take advantage of new flaws before many companies can patch them, said John Pironti, a principal security consultant at Unisys Inc. in Blue Bell, Pa. "I think these attacks show that there is still a fair bit of latency" between patch release and deployment in a lot of companies, agreed Fred Rica, a partner at PricewaterhouseCoopers in New York. "Hackers have adopted new attack techniques," Pironti said. "Instead of going out and looking for vulnerabilities on their own, they are waiting for patches to be released to see what holes are being fixed." Then they go after those holes as quickly as they can, he said. The trend could leave many companies dangerously exposed, especially large ones that typically test and analyze patches before deploying them, Pironti said. "They have to assume that they are going to be vulnerable to attack from the moment a patch is out," he said. "They need to have countermeasures in place while the patches are tested" and deployed. Enterprises should look at implementing the equivalent of the color-coded threat system used by the U.S. Department of Homeland Security when dealing with newly disclosed flaws, said Dave Jordan, chief information security officer for the government of Arlington County, Va. Once new flaws are disclosed, Jordan said, IT security personnel "should conduct business differently than they would day to day." They need to implement countermeasures as soon as possible to mitigate risk, he said. Measures can include conducting thorough threat analysis, gaining an understanding of specific risks of new flaws, shutting down systems where possible, blocking access to affected ports and using intrusion-detection and -prevention systems to monitor for unusual activity and network behaviors, security experts said. A vast majority of worms and viruses, including those launched this week, use common methods and take advantage of common flaws—such as buffer overflows—to attack vulnerable systems, said Thor Larholm, a senior security researcher at PivX Solutions Inc. in Newport Beach, Calif. Instead of relying solely on patches to fix every new flaw, it's better to address some common underlying vulnerabilities, he said. "There are multiple ways to protect against entire classes" of vulnerabilities without having to apply patches for each one, he said. PivX is one of several vendors, including Immunix Inc. and eEye Digital Security, that sell tools to repair generic buffer overflows in the absence of vendor patches. "About 90% of the worms out there can be mitigated just by hardening your systems," Larholm said. For instance, disabling so-called null-session accounts, which are enabled by default on Windows 2000 systems, would have prevented this week's worms from taking advantage of the plug-and-play flaw, though it is not always practical, he said. _________________________________________ Attend ToorCon Sept 16-18th, 2005 Convention Center San Diego, California www.toorcon.org
This archive was generated by hypermail 2.1.3 : Tue Aug 23 2005 - 11:26:21 PDT