Theory became reality on Friday, 19 March 2004, at approximately 8:45 p.m. Pacific Standard Time (PST). The Witty Worm began its spread, but this attack was unlike anything seen previously:
- It began to spread the day after the ISS vulnerability was publicized. This represents the shortest known interval between vulnerability disclosure and worm release!
- It was the first widely propagated Internet worm to carry a destructive payload.
- It started in an organized manner, spreading from an initial 'seed' of about 110 hosts. This number grew to 160 in the first 30 seconds.
- It reached its peak (supposedly infecting all vulnerable machines on the Internet) in about 45 minutes.
- It affected systems owned by people who were actively trying to secure their computers and networks.
How Do We Defend Ourselves?
The patch management model of securing our systems is a failure. Now don't misunderstand me. I'm not saying we should not patch our systems; I'm saying we cannot rely on patching as a sure defense. In fact, there is no single security measure that will ensure our complete protection. We must employ security countermeasures for every possible avenue of attack.
First and foremost, deploy a defensive perimeter. A firewall is a definite MUST, but don't stop there. Firewalls should only allow traffic which corresponds to tightly defined rules. Include protections such as file-attachment filtering for email and web content filtering. Use internal firewalls throughout the corporate network at various segment intersections. Apply appropriate access-control lists (ACLs) on routers and switches. Implement an intrusion detection system (IDS). Deploy anti-virus protection on servers and email gateways.
Inside the perimeter, examine your demilitarized zone (DMZ). Harden all servers, change all default passwords, and disable unnecessary services and protocols. Consider host-based IDS on critical systems. Check account permissions, file permissions, and trust relationships.
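One IDS check that directly targets the behaviour described above, a worm that goes from a small seed to saturation in minutes by contacting many new hosts per second, is a sliding-window count of distinct destinations per source. The code below is an added illustration, not part of the original article; the flow records, the 10-second window and the 20-destination threshold are all constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed flow records (timestamp_s, src_ip, dst_ip): a fast scanner
# that touches 60 fresh hosts in under 5 seconds, and a normal host that
# talks repeatedly to the same 3 servers. Invented data, not real traffic.
FLOWS = [(i * 0.08, "10.0.0.5", f"198.51.100.{i}") for i in range(60)]
FLOWS += [(i * 0.5, "10.0.0.8", f"10.0.2.{i % 3}") for i in range(30)]


def detect_scanners(flows, window=10.0, threshold=20):
    """Flag sources that contact more than `threshold` distinct destination
    IPs within any `window`-second span. Returns {src_ip: peak distinct count}.
    Thresholds are assumed values; tune them to your own baseline traffic."""
    recent = defaultdict(deque)  # src_ip -> deque of (ts, dst) inside the window
    alerts = {}
    for ts, src, dst in sorted(flows):
        q = recent[src]
        q.append((ts, dst))
        # Drop records that have aged out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct > threshold:
            alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


def block_list(flows, **kwargs):
    """Sorted list of offending sources, suitable for feeding an ACL or
    firewall deny rule (the containment step the perimeter section calls for)."""
    return sorted(detect_scanners(flows, **kwargs))


if __name__ == "__main__":
    for src, peak in detect_scanners(FLOWS).items():
        print(f"ALERT scan-like fan-out from {src}: {peak} distinct destinations")
```

A legitimate server farm may exceed a fixed threshold, so baseline the distinct-destination rate per network segment before turning alerts into automatic blocks.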