So Many Worms, So Little Time
by Randy M. Nash - @RISK Online - Monday, 11 October 2004.
Internal systems need the same level of consideration as external-facing systems. Ensure all workstations are running anti-virus software. All workstations should be hardened, too. Make sure end-users have the knowledge and awareness necessary to help protect your environment through regularly scheduled Security Awareness Training. Enforce the use of cryptographically strong passwords. Discourage the use and downloading of unauthorized software and perform regular audits to check for these things.

Develop two critical response protocols. The first of these is a process to assess new threats, determine the vulnerability of your environment, and then develop countermeasures to provide protection until appropriate patches can be applied. If you are vulnerable, consider the following:
  • Can the attack be stopped at the perimeter? Can the protocol be disabled? Can the ports be blocked by firewalls/routers?
  • If the particular service is critical and cannot be shut down, blocked, or disabled, then can the service be moved to another, non-vulnerable system? This is a good argument for diversity. If possible, move from a vulnerable platform to one that is not vulnerable (for example, to Linux). True, this requires more overhead for maintenance and administration, but diversity means flexibility.
Next, develop an Incident Response Protocol. You need to know, in advance, how you will respond when a system has been compromised. Determine how to quickly identify compromised systems and remove them from the network. Response time is critical because even a small number of compromised systems can quickly spread the infection and cause disruptions. Consider the following questions:
  • Can the compromise be identified by monitoring traffic patterns?
  • What about bandwidth utilization?
  • Does the attack open up a backdoor that can readily be identified?
  • Once a compromised system has been identified, what's next?
  • Will you take the system offline?
  • Will you cordon off that network segment to prevent the infection from spreading?
  • How will you contact external support if the network is down?
  • Do you have out-of-band management capabilities?
  • If the infection is spread via email, can you quickly block attachments at your mail gateway?
  • Will you shut down your mail gateway?
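The monitoring questions above (can a compromise be spotted from traffic patterns or bandwidth utilization, and which systems get pulled offline first) can be turned into a concrete triage check. The following is an added example, not code from the original article: it runs two detections over constructed flow records, flagging hosts that touch many distinct targets on one port within a short window (worm-style propagation) and hosts whose outbound volume jumps far above their usual baseline. The thresholds (20 distinct targets per minute, five times the baseline byte count) and the baseline table are assumptions a real deployment would tune to its own network.

```python
"""Triage hosts whose traffic looks like worm propagation.

Two checks, matching the questions an incident response protocol should
answer in advance:
  1. traffic pattern: one source contacting many distinct hosts on a
     single port inside a short window (scanning/propagation);
  2. bandwidth utilization: one source sending far more bytes than its
     usual baseline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed per-host baseline of bytes sent in a comparable period.
# Constructed for this example; a real deployment would derive it from history.
SAMPLE_BASELINE = {"10.1.1.5": 12000, "10.1.1.77": 1000}


def build_sample_flows():
    """Constructed flow records (timestamp, src, dst, dport, bytes); not real traffic."""
    base = datetime(2004, 10, 11, 9, 0, 0)
    flows = []
    # Normal workstation: a few connections to one file server over several minutes.
    for i in range(3):
        flows.append((base + timedelta(minutes=i), "10.1.1.5", "10.1.2.10", 445, 4000))
    # Worm-like host: 25 distinct hosts on port 445 within 25 seconds, small payloads.
    for i in range(25):
        flows.append((base + timedelta(seconds=i), "10.1.1.77", f"10.1.3.{i + 1}", 445, 300))
    return flows


def find_scanners(flows, window=timedelta(seconds=60), min_targets=20):
    """Return {src: (dport, max_distinct_targets)} for sources that reach
    at least min_targets distinct hosts on one port within any window."""
    by_src_port = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        by_src_port[(src, dport)].append((ts, dst))

    suspects = {}
    for (src, dport), events in by_src_port.items():
        events.sort()
        best = 0
        start = 0
        # Sliding window over time-ordered events; count distinct destinations.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            best = max(best, len(distinct))
        if best >= min_targets:
            suspects[src] = (dport, best)
    return suspects


def find_bandwidth_hogs(flows, baseline_bytes, factor=5):
    """Return {src: total_bytes} for sources exceeding factor * their baseline."""
    totals = defaultdict(int)
    for _, src, _, _, nbytes in flows:
        totals[src] += nbytes
    return {src: total for src, total in totals.items()
            if total > factor * baseline_bytes.get(src, 0)}


def quarantine_candidates(flows, baseline_bytes):
    """Sorted list of hosts flagged by either check: the first ones to
    take offline or cordon off while the incident is investigated."""
    flagged = set(find_scanners(flows)) | set(find_bandwidth_hogs(flows, baseline_bytes))
    return sorted(flagged)


if __name__ == "__main__":
    sample = build_sample_flows()
    print("scanners:", find_scanners(sample))
    print("bandwidth hogs:", find_bandwidth_hogs(sample, SAMPLE_BASELINE))
    print("quarantine candidates:", quarantine_candidates(sample, SAMPLE_BASELINE))
```

Both checks are deliberately simple so they can run on flow summaries from a router or firewall rather than on full packet captures, which matters when the network itself is degraded; the output is a short list of hosts to isolate, which is exactly the decision the response protocol has to make quickly.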

There is no single security countermeasure, or silver bullet, that can protect our networks completely. Over time the threats have grown in both number and complexity, while the timeframe for response has been shortened dramatically. Previous successful attacks have shown that even those who are well protected and have large budgets and resources can be compromised. We need to be constantly alert, tracking the latest vulnerabilities, and monitoring the health and performance of our networks. Finally, we must have a plan of action in place, with a well-trained staff ready to respond at the drop of a hat.

Don't Panic... Prepare!
