
Lessons learned from the Blaster worm
October 4, 2003
September 24, 2003 (Computerworld) - Blaster, Nachi and
their variants were worms that attacked a flaw in the Windows
RPC service (the one fixed by Microsoft bulletin MS03-026)
present on nearly every unpatched Windows 2000 and XP
workstation. Companies that were
hit with these worms discovered weaknesses in their
architectures, processes and procedures that weren't
considered important until now. I asked some of my colleagues
in information security for their comments and lessons
learned. They are summarized here.
How the worm got in
Worms penetrated organizations in several ways. A systems
administrator in a branch of the U.S. military described how
an employee accessed a personal Web mail account from work,
downloaded an infected message and opened the attachment,
thereby beginning the spread inside the organization. That
user's antivirus software had to have been disabled, or it had
an out-of-date signature file.
A systems analyst at a parts-distribution company told me that
contractors brought in their laptops and routinely connected
them to the corporate network without IT's involvement. Some
of those laptops had out-of-date signature files or expired
antivirus subscriptions, enabling them to become infected
while connected to an unprotected home LAN or hot spot.
A help desk employee at a telecommunications company told of
laptops that employees took home and connected to their
Digital Subscriber Line or cable-modem Internet connections.
Their home LANs and laptops were unprotected by firewalls and
were scanned and infected, and upon returning to the corporate
network, these systems began the spread internally.
Another scenario involved network connections between
companies. The parts-distribution company mentioned earlier
used router-based virtual private network (VPN) technology to
encrypt network traffic between companies. The company on the
far end of the VPN link was hit pretty hard with Blaster,
filling the VPN connection with Blaster scanning traffic that
was then able to begin infecting systems on the near side of
the VPN connection. The trouble in this case was that the VPN
link, while encrypted, wasn't firewalled. The company
permitted all network traffic from the other company to pass
unhindered, including Blaster's scanning traffic. Encryption
protects the traffic from outsiders on the path; it says
nothing about what the trusted peer chooses to send, so a
tunnel to a partner needs the same filtering as any other
external link.
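The scanning traffic described in this scenario stands out in ordinary connection logs if you look for one source touching many distinct destinations on one port in a short time. The following is an added example, not from the article or from any of the companies it describes. It reads a constructed log (epoch seconds, source IP, destination IP, destination TCP port), flags sources that reach a threshold of distinct destinations on a port within a sliding time window, and notes whether each came from the partner's address range over the VPN. The log format, the addresses, the partner network and the thresholds are assumptions for the example; that Blaster probed TCP/135 (the Windows RPC port) is the one fact taken from the worm itself.

```python
"""Flag worm-style scanning in a connection log.

Added example, not from the article or any company it describes. Assumes a
constructed, space-separated log format: epoch seconds, source IP,
destination IP, destination TCP port. Blaster probed TCP/135 (Windows RPC);
the port, window and threshold are parameters so the logic fits other worms.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Assumed address plan for the example: 192.168.50.0/24 is the partner
# company reached over the VPN; everything else is treated as local.
PARTNER_NETS = ["192.168.50.0/24"]


def build_sample_log():
    """Constructed log lines (not real data).

    192.168.50.7  partner host sweeping TCP/135 across 30 hosts in under a minute
    10.1.4.9      local host sweeping TCP/135 across 25 hosts in 25 seconds
    10.1.1.20     local host making 10 legitimate RPC connections spread
                  over four and a half minutes (should not be flagged)
    10.1.1.21     unrelated web traffic on TCP/80
    """
    lines = []
    for i in range(30):
        lines.append(f"{1000 + 2 * i} 192.168.50.7 10.1.2.{i + 1} 135")
    for i in range(25):
        lines.append(f"{2000 + i} 10.1.4.9 10.1.6.{i + 1} 135")
    for i in range(10):
        lines.append(f"{1000 + 30 * i} 10.1.1.20 10.1.3.{i + 1} 135")
    lines.append("1005 10.1.1.21 10.1.5.5 80")
    lines.append("garbage line that should be skipped")
    return lines


def parse(lines):
    """Yield (time, src, dst, dport) tuples, skipping malformed lines."""
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue
        try:
            yield int(fields[0]), fields[1], fields[2], int(fields[3])
        except ValueError:
            continue


def find_scanners(records, port=135, window=60, threshold=20):
    """Return {src: peak} for sources that reached at least `threshold`
    distinct destinations on `port` within any `window`-second span.

    A sliding window per source keeps a count of the distinct destinations
    currently inside the window, so the cost is linear in the log size.
    """
    by_src = defaultdict(list)
    for t, src, dst, dport in records:
        if dport == port:
            by_src[src].append((t, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()  # destination -> hits inside the current window
        left = 0
        peak = 0
        for t, dst in events:
            in_window[dst] += 1
            # Expire events that fell out of the window ending at t.
            while events[left][0] < t - window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def classify(scanners, partner_nets=PARTNER_NETS):
    """Label each flagged source 'partner' (came across the VPN) or 'internal'."""
    nets = [ip_network(n) for n in partner_nets]
    return {
        src: "partner" if any(ip_address(src) in n for n in nets) else "internal"
        for src in scanners
    }


def report(lines, **kwargs):
    """Run the whole pipeline and return {src: (peak, origin)}."""
    scanners = find_scanners(parse(lines), **kwargs)
    origins = classify(scanners)
    return {src: (scanners[src], origins[src]) for src in scanners}


if __name__ == "__main__":
    for src, (peak, origin) in sorted(report(build_sample_log()).items()):
        print(f"{src:15} {origin:8} {peak} distinct hosts on TCP/135 inside 60 s")
```

The threshold and window are the tuning knobs: a domain controller or a patch-management server legitimately talks RPC to many hosts, so run the detector against a quiet period first and raise the threshold until the known busy hosts drop out. A source labelled "partner" is exactly the traffic a firewall on the VPN link should have dropped.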
In all of these cases, antivirus software wasn't working, had
expired or wasn't updating its signature files often enough,
if at all.
No organizations I talked with had any internal firewalls. As
well-known Internet security expert Bill Cheswick used to say,
these organizations had networks with soft, chewy centers.
Once a worm was inside the organization, there were no
internal firewalls to stop its spread. If you have trouble
picturing this, then think about why navy ships and submarines
have several watertight compartments sealed with bulkheads. A
breach in one compartment won't threaten to sink the ship.
Lessons learned
Organizations need better control over computers they don't
own and other devices being connected to their internal
networks. This can be achieved through policy, awareness and
enforcement. For example, Dynamic Host Configuration Protocol
(DHCP) servers should be made smarter about allocating IP
addresses only to systems they recognize and not just any
device on the network capable of generating a DHCP request.
Bear in mind that a DHCP allowlist is only a speed bump: a
device configured with a static address or a cloned MAC
address walks past it, so treat it as an inventory aid rather
than a security control, and look to port-level authentication
such as 802.1X for the stronger measure.
Organizations are learning that the network perimeter exists
in many places besides the Internet firewall. Connections to
other organizations, and even connections within
organizations, also need to have firewalls. Company laptops
need to take a little piece of the perimeter with them when
they travel outside the corporate firewall. Organizations need
to consider installing personal firewall software on laptops
to protect them from external threats when they're connected
to the Internet via an unfirewalled home network or hot spot.
Antivirus software is only as good as its signature files are
up-to-date. This can be challenging in large, distributed
organizations. Nevertheless, more care over antivirus software
and the mechanisms used to update signature files may be in
order for many organizations. Keep in mind, too, that a
signature can exist only after the worm is already
circulating; for a worm that spreads with no user action, the
vendor's patch for the exploited flaw is the control that
actually closes the door, and signatures are the cleanup aid.
Companies that had scaled back their PC support departments
were hit hard because they didn't have enough resources to
disinfect systems quickly. As a result, some companies spent
several days trying to keep up with cleaning infected systems
and taking calls from users complaining of slow networks.
Companies that had outsourced PC support to off-site
organizations also felt the pain, since there were no on-site
PC technicians to install patches when they needed to be
physically present to do so.
While most of these lessons have been best practices for
years, I hope organizations that were hit with Blaster or
Nachi put these lessons into practice before the next Internet
worm makes the rounds.