- It began to spread the day after the ISS vulnerability was publicized. This represents the shortest known interval between vulnerability disclosure and worm release!
- It was the first widely propagated Internet worm to carry a destructive payload.
- It started in an organized manner, spreading from an initial 'seed' of about 110 hosts. This number grew to 160 in the first 30 seconds.
- It reached its peak (supposedly infecting all vulnerable machines on the Internet) in about 45 minutes.
- It affected systems owned by people who were actively trying to secure their computers and networks.
How Do We Defend Ourselves?
The patch management model of securing our systems is a failure. Now don't misunderstand me. I'm not saying we should not patch our systems; I'm saying we cannot rely on this as a sure defense. In fact, there is no single security measure that will ensure our complete protection. We must employ security countermeasures for every possible avenue of attack.
First and foremost, deploy a defensive perimeter. A firewall is a definite MUST, but don't stop there. Firewalls should only allow traffic which corresponds to tightly defined rules. Include protections such as file attachment filters for email and via web content filtering. Use internal firewalls throughout the corporate network at various segment intersections. Apply appropriate access-control lists (ACLs) on routers and switches. Implement an intrusion detection system (IDS). Deploy anti-virus protection on servers and email gateways.
Inside the perimeter, examine your demilitarized zone (DMZ). Harden all servers, change all default passwords, and disable unnecessary service and protocols. Consider host-based IDS on critical systems. Check account permissions, file permissions, and trust relationships.
Internal systems need the same level of consideration as external-facing systems. Ensure all workstations are running anti-virus software. All workstations should be hardened, too. Make sure end-users have the knowledge and awareness necessary to help protect your environment through regularly scheduled Security Awareness Training. Enforce the use of cryptographically strong passwords. Discourage the use and downloading of unauthorized software, and perform regular audits to check for these things.
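As an added example (not from the original article), here is a default-deny nftables ruleset for a perimeter host that fronts a DMZ, implementing the "only allow traffic matching tightly defined rules" advice above; the subnets, management host and ports are assumed placeholders drawn from the documentation address ranges.

```shell
#!/bin/sh
# Added example, not part of the original article: generate a default-deny
# perimeter policy in nftables syntax. Subnets, hosts and ports are assumed
# placeholders; adjust them before loading with: gen_ruleset | nft -f -

DMZ_NET="203.0.113.0/24"   # assumed: public-facing DMZ segment
LAN_NET="192.0.2.0/24"     # assumed: internal workstation segment
MGMT_HOST="192.0.2.10"     # assumed: the only host allowed to administer the DMZ

gen_ruleset() {
    cat <<EOF
table inet perimeter {
    chain forward {
        type filter hook forward priority 0; policy drop;   # default deny

        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the published services, nothing else
        ip daddr $DMZ_NET tcp dport { 80, 443 } ct state new accept

        # LAN -> DMZ: administration from one host only, over SSH
        ip saddr $MGMT_HOST ip daddr $DMZ_NET tcp dport 22 ct state new accept

        # DMZ -> LAN: connections are never initiated from the DMZ side
        ip saddr $DMZ_NET ip daddr $LAN_NET drop

        # Everything else (including unsolicited UDP from outside) falls to
        # the chain policy; log a sample so the IDS/SOC can see the attempts
        limit rate 10/minute log prefix "perimeter-drop: "
    }
}
EOF
}

# Checks a reviewer would run on the generated policy before loading it:
# the chain must be default-deny, and every accept must be an explicit rule.
has_default_deny() {
    gen_ruleset | grep -q 'policy drop'
}
count_accept_rules() {
    gen_ruleset | grep -c 'accept'
}
```

The same pattern (default drop, explicit accepts, logged denials) applies to the internal segment firewalls and router ACLs the text recommends, with the allowed ports narrowed to what each segment actually serves.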