Avoiding Vulnerability to Worms

Matt Curtin discusses Avoiding Vulnerability to Worms in The Columbus Dispatch.

Malicious software ("malware") isn't going away, as the recent Sapphire (a.k.a. Slammer) worm showed: discovered at the end of January 2003, it ripped through systems running Microsoft's SQL Server product within minutes of its release.

In the February 3, 2003 issue of The Columbus Dispatch, "Connect" section editor George Myers, Jr. considers the issue of malware, and asks Interhack founder Matt Curtin what individuals and companies can do to stem the tide of malicious software.

The key to addressing the problem of malicious software, and security more broadly, is really a matter of attitude and dedication to the goal of secure computing. Curtin explains,

First, we need to recognize that the Internet, by connecting everyone to everything, has changed the rules. Now, hostile forces can reach us just as easily as can friendlies. Rather than taking a posture that is predicated on the improbability of being targeted for attack, both consumers and businesses need to recognize that attack is inevitable. The question is now, "Will my systems make it when they're attacked?"

Recognition of this eventuality is important, because it allows us to move away from hoping that bad things don't happen into a more rational position, where we can calmly evaluate what we can reasonably do. Without first recognizing that we ourselves must take action to protect our assets, no amount of advice will help.

Given that recognition, people must decide for themselves and their organizations what exactly they want to allow. Allowing "everything but bad stuff" isn't an option now. We need to allow nothing but what we need. Then we decide what we're doing with these systems and what problems we're trying to solve. This means that we turn off things that we haven't explicitly decided to use.

Another issue that arises from the arms-race nature of this problem is the need to keep working to maintain defenses. As Bruce Schneier says, "Security is a process, not a product." Even that infinitely quotable line, though, is a simplification of reality. Security is a property that can be present in something if we work to maintain it. This means that we not only establish defenses, but we maintain them.

Of course, none of this would have happened with the most recent worm if Microsoft SQL Server had not been vulnerable in the first place. Instead of focusing on more features, and putting more functionality into products, vendors need to make sure that they are working to improve the quality of those products. Vendors will have no incentive to improve quality -- security failures are product failures, after all -- unless consumers and businesses demand systems that will resist the inevitable attack. This means buyers must demand software that is secure out of the box, and vendors must not be allowed to sell software that fails that test.

In a nutshell, the things we need to do to protect our systems are:

  1. Take responsibility for the security of the computers and information in your care. That means home computers, too.
  2. Make a conscious decision to take a secure posture. Build defenses. Use firewalls, intrusion detection systems, anti-virus tools, and other policy-enforcement mechanisms that are available in the products you're using.
  3. Disable things you have not explicitly decided to use. If you're not using it for some specific purpose, it shouldn't be on because at that point, it's just an unneeded worry.
  4. Maintain the defensive posture established in step 2. Update your firewall on a regular schedule, make sure you have the latest signatures in your anti-virus and intrusion detection tools, and make sure that you are actually using the mechanisms available to defend yourself.
  5. Buyers must demand security in their tools by default, and vendors of software must not be allowed to avoid adherence to the highest standards of quality.
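Steps 2 through 4 describe an allow-list posture: decide what a host is for, let only that run, enforce it at the firewall, and re-check on a schedule. The script below is an added example of that check, not code from the original article or from Interhack. It parses netstat-style listener output (the sample here is constructed), reports every listening service that was not explicitly decided on, and renders the same allow-list as a default-deny iptables INPUT policy. The allow-list, process names and the "sqlservr" listeners are assumptions for the example; the comment that UDP 1434 is the SQL Server port Slammer exploited is added context, not something the article states.

```python
"""Allow-list audit of listening services.

Added example, not code from the original article or from Interhack.
Implements "allow nothing but what we need": every listening socket must
be on an explicit allow-list; anything else is reported so it can be
disabled, and the allow-list doubles as the packet-filter policy.
"""
from __future__ import annotations

from typing import NamedTuple


class Listener(NamedTuple):
    proto: str     # "tcp" or "udp"
    addr: str      # local bind address
    port: int
    program: str   # owning process as netstat reports it, or "-"


# Constructed sample in the style of `netstat -lnp` output (assumed host).
# UDP 1434 is the SQL Server Resolution Service port that Slammer targeted;
# it is here to show that a service can be listening without anyone having
# decided it should be.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1187/httpd
tcp        0      0 0.0.0.0:1433            0.0.0.0:*               LISTEN      2044/sqlservr
udp        0      0 0.0.0.0:1434            0.0.0.0:*                           2044/sqlservr
udp        0      0 0.0.0.0:161             0.0.0.0:*                           877/snmpd
"""

# What this host has been explicitly decided to run (assumed policy).
# Everything not listed here is, in the article's words, an unneeded worry.
ALLOWED: set[tuple[str, int]] = {("tcp", 22), ("tcp", 80)}


def parse_listeners(netstat_output: str) -> list[Listener]:
    """Turn netstat -lnp style lines into Listener records, skipping the header."""
    listeners: list[Listener] = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith(("tcp", "udp")):
            continue
        # Local address is field 3; split on the last ':' so IPv6 (':::22') works too.
        addr, _, port = fields[3].rpartition(":")
        program = fields[-1] if "/" in fields[-1] else "-"
        listeners.append(Listener(fields[0].rstrip("6"), addr, int(port), program))
    return listeners


def unapproved_listeners(listeners: list[Listener],
                         allowed: set[tuple[str, int]] = ALLOWED) -> list[Listener]:
    """Return every listener that is not on the explicit allow-list.

    Note the direction of the test: we do not look for known-bad ports,
    we flag anything that was never approved.
    """
    return [l for l in listeners if (l.proto, l.port) not in allowed]


def default_deny_rules(allowed: set[tuple[str, int]] = ALLOWED) -> list[str]:
    """Render the allow-list as an iptables INPUT policy: drop by default,
    accept loopback, replies to our own traffic, and the approved ports.
    Returned as text for review; applying it requires root."""
    rules = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for proto, port in sorted(allowed):
        rules.append(f"iptables -A INPUT -p {proto} --dport {port} -j ACCEPT")
    return rules


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_NETSTAT)
    for l in unapproved_listeners(found):
        print(f"NOT APPROVED: {l.proto}/{l.port} on {l.addr} ({l.program}) -- disable or add to policy")
    print("\nFirewall policy derived from the allow-list:")
    print("\n".join(default_deny_rules()))
```

Run on a schedule (step 4), the audit catches two failure modes: a service someone started without a decision, and a previously approved service that was removed from the policy but never actually turned off. The same `ALLOWED` set drives both the audit and the firewall rules, so the policy cannot silently drift between the two.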

More Information

Further reading on malicious software is available from the Interhack Research site. Specifically, one of the first articles discussing the problem of email-based malware can be found there, Why Anti-Virus Software Cannot Stop the Spread of Email Worms. Additionally, the Internet Firewalls FAQ explains the basics of firewall technology and how it works.

About Interhack

Columbus-based Interhack is a provider of a wide variety of advanced computing services, including Information Assurance and Forensic Computing, for clients all over North America.