An In-Depth Look Into Windows Security in 2003
by Mirko Zorz - Monday, 22 December 2003.
Lessons learned according to Cooper: "What Slammer showed us more than anything was the need to embrace more basic controls, such as 'Default Deny'. There's little reason to expose the SSRS to the Internet without any restrictions. Some hosting providers have argued that their customers required access to the service and, therefore, they exposed it directly to the Internet. While this might seem reasonable, the additional cost of locking down such connection points to, at least, an identifiable IP address range surely couldn't put them out of business compared to the risks they put the entire Internet at. Of course the same holds true for businesses, but there the problem was more of a problem with the 'Default Installation'. We have long known that default installations are inherently insecure. Knowing what you're installing, and installing only what you know, are crucial to achieving baseline security. The habit of simply accepting the defaults and no additional steps is yet another reason problems like this occur."

"Another aspect of 'Default Deny' is the enforcement of *Outbound* rules as well as inbound. Habit says that inbound is what we fear, yet outbound is left entirely untouched. Slammer demonstrated just how harshly such a policy can affect the Internet. There was no reason for those systems to initiate connections outbound on UDP 1434, even if we accept there was a need to allow the inbound connections from other infected hosts. Ergo, had such rules been in place, machines would have gotten infected but would not have propagated the worm," Cooper added.
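To make the point about outbound rules concrete, here is an added example (not from the article or from Cooper): a small model of a default-deny packet filter that evaluates inbound and outbound rules separately. The host profile, the partner address range (203.0.113.0/24, a documentation range) and the sample packets are all constructed for the demonstration. It compares three policies: the unrestricted exposure the hosting providers chose, an inbound-only lockdown that leaves outbound "entirely untouched", and a policy that also denies outbound UDP 1434. Only the last one blocks propagation, while the host can still be infected from an allowed peer, exactly the outcome described above.

```python
"""Default-deny packet filter model covering both directions (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    direction: str  # "in" or "out"
    proto: str      # "udp" or "tcp"
    port: int       # destination port
    peer: str       # CIDR of the remote side (source for "in", destination for "out")
    action: str     # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    dport: int
    peer_ip: str    # remote address: source for inbound, destination for outbound


def evaluate(rules, pkt, default_in="deny", default_out="deny"):
    """First matching rule wins; an unmatched packet falls to the per-direction default."""
    for r in rules:
        if (r.direction == pkt.direction and r.proto == pkt.proto
                and r.port == pkt.dport
                and ip_address(pkt.peer_ip) in ip_network(r.peer)):
            return r.action
    return default_in if pkt.direction == "in" else default_out


# Constructed policies for a hypothetical SQL Server host whose resolution
# service (UDP 1434) is only needed by one partner network.
PARTNER_NET = "203.0.113.0/24"   # constructed: TEST-NET-3 documentation range

# 1. The hosting-provider case: SSRS exposed to the whole Internet, outbound open.
EXPOSED = [Rule("in", "udp", 1434, "0.0.0.0/0", "allow")]

# 2. Inbound locked to the partner range, but outbound left untouched (default allow).
INBOUND_ONLY = [Rule("in", "udp", 1434, PARTNER_NET, "allow")]

# 3. Inbound locked to the partner range AND outbound default deny; the host
#    never needs to initiate UDP 1434, so no outbound rule for it exists.
LOCKED_DOWN = [
    Rule("in", "udp", 1434, PARTNER_NET, "allow"),
    Rule("out", "tcp", 53, "0.0.0.0/0", "allow"),   # name resolution, constructed
    Rule("out", "tcp", 443, "0.0.0.0/0", "allow"),  # patch download, constructed
]


def simulate(rules, default_out):
    """Model one worm cycle: can the host be hit, and can it then hit others?

    Returns which inbound sources can reach UDP 1434 and whether an infected
    host's own UDP 1434 packets to arbitrary Internet addresses are allowed.
    """
    from_partner = Packet("in", "udp", 1434, "203.0.113.25")   # constructed peer
    from_internet = Packet("in", "udp", 1434, "198.51.100.7")  # constructed peer
    to_random = Packet("out", "udp", 1434, "192.0.2.200")      # constructed target
    return {
        "infectable_from_partner": evaluate(rules, from_partner, default_out=default_out) == "allow",
        "infectable_from_internet": evaluate(rules, from_internet, default_out=default_out) == "allow",
        "propagates": evaluate(rules, to_random, default_out=default_out) == "allow",
    }


if __name__ == "__main__":
    for name, rules, out_default in [("exposed", EXPOSED, "allow"),
                                     ("inbound_only", INBOUND_ONLY, "allow"),
                                     ("locked_down", LOCKED_DOWN, "deny")]:
        print(name, simulate(rules, out_default))
```

The model is deliberately stateless and direction-based, which is all that is needed to see the effect: a default-deny outbound policy costs one explicit allow per legitimate service the host initiates, and in return an infected host cannot spray UDP 1434 at the rest of the Internet.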

Why don't we patch?

Earlier this year, Craig Fiebig, general manager of Microsoft's security business unit, told vnunet that "Providing reliable, easy-to-install patches is expensive and troublesome". I asked Cooper what he thought on the subject and he said: "Of course patching remains a very complex, time-consuming, and difficult task. The tasks required to ensure continued operation through any upgrade or patch application are not likely to be employed by most. Testing, preferably in an environment not directly connected to your production network, with sufficient replicated servers to accurately gauge the results, is expensive and resource intensive. Couple that with frequent releases of newer patches replacing ones you just tested, and it gets a bit much for the average business. Consumers may be better able to blindly accept new updates, but companies certainly cannot, and should not, rely entirely upon the presence of a patch as the determining factor as to whether to install it."

Patching is an enormous issue according to Ed Skoudis. He notes that: "Unless we all deploy patches, our systems will continue to be massively vulnerable. I wholeheartedly expect to see several major new vulnerabilities discovered in 2004, with the subsequent (or even prior!) release of worms to exploit them. Therefore, we've got to press the vendors to release _good_ patches quickly, and we must deploy them."

"Happily, applying patches to end user desktop/laptop systems now is easier than ever, with new patch distribution sites available from Microsoft, Debian, and a variety of other vendors. Once a user realizes how painless it is to patch their desktop/laptop system once, I am hopeful that they will return frequently and keep their systems up to date. I do expect end-user awareness of this issue to increase in 2004," he added.

Copyright 1998-2013 by Help Net Security.