Avoiding Vulnerability to Worms
Malicious software ("malware") isn't going away, as
the recent Sapphire (a.k.a. Slammer) worm has shown.
Discovered at the end of January 2003, it ripped
through systems running Microsoft's SQL Server
product.
In the February 3, 2003 issue of The Columbus
Dispatch, "Connect" section editor George Myers,
Jr. considers the issue of malware, and asks Interhack
founder Matt Curtin what individuals and companies can
do to stem the tide of malicious software.
The key to addressing the problem of malicious
software, and security more broadly, is really a
matter of attitude and dedication to the goal of
secure computing. Curtin explains,
First, we need to recognize that the Internet, by
connecting everyone to everything, has changed the
rules. Now, hostile forces can reach us just as
easily as can friendlies. Rather than taking a
posture that is predicated on the improbability of
being targeted for attack, both consumers and
businesses need to recognize that attack is
inevitable. The question is now, "Will my systems
make it when they're attacked?"
Recognition of this eventuality is important,
because it allows us to move away from hoping that
bad things don't happen into a more rational
position, where we can calmly evaluate what we can
reasonably do. Without first recognizing that we
ourselves must take action to protect our assets, no
amount of advice will help.
Given that recognition, people must decide for
themselves and their organizations what exactly they
want to allow. Allowing "everything but bad stuff"
isn't an option now. We need to allow nothing but
what we need. Then we decide what we're doing with
these systems and what problems we're trying to
solve. This means that we turn off things that we
haven't explicitly decided to use.
Another issue that arises from the arms-race nature
of this problem is the need to keep working to
maintain defenses. As Bruce Schneier says,
"Security is a process, not a product." Even that
infinitely quotable line, though, is a
simplification of reality. Security is a property
that can be present in something if we work to
maintain it. This means that we not only establish
defenses, but we maintain them.
Of course, none of this would have happened with the
most recent worm if Microsoft SQL Server had not
been vulnerable in the first place. Instead of
focusing on more features, and putting more
functionality into products, vendors need to make
sure that they are working to improve the quality of
those products. Vendors will have no incentive to
improve quality -- security failures are product
failures, after all -- unless consumers and
businesses demand systems that will resist the
inevitable attack. This means buyers must demand
software that is secure out of the box, and vendors
must not be allowed to sell software that fails that
test.
In a nutshell, the things we need to do to protect
our systems are:
- Take responsibility for the security of the
computers and information in your care. That means
home computers, too.
- Make a conscious decision to take a secure
posture. Build defenses. Use firewalls,
intrusion detection systems, anti-virus tools, and
other policy-enforcement mechanisms that are
available in the products you're using.
- Disable things you have not explicitly decided
to use. If you're not using it for some specific
purpose, it shouldn't be on because at that point,
it's just an unneeded worry.
- Maintain that defensive posture established in
step one. Update your firewall on a regular
schedule, make sure you have the latest signatures
in your anti-virus and intrusion detection tools,
and make sure that you are using the mechanisms
available to defend yourself.
- Buyers must demand security in their tools by
default, and vendors of software must not be
allowed to avoid adherence to the highest
standards of quality.
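The "allow nothing but what we need" posture above is something you can check rather than just assert. The following Python script is an added example, not part of the Dispatch piece or Interhack's own material: it parses constructed `ss -lntu`-style output (not captured from a real host), compares every listening socket against a hypothetical allowlist of the services the host is actually meant to offer, and flags everything else, distinguishing sockets bound only to loopback (low exposure, but still worth disabling if unused) from sockets reachable from the network. The allowlist and sample lines are assumptions chosen for illustration; the note that Slammer spread over UDP port 1434 is a well-known fact about that worm, not something stated on this page.

```python
"""Default-deny audit of listening sockets: flag anything not explicitly allowed."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample in the format of `ss -lntu` output (not from a real host).
# UDP 1434 is the SQL Server Resolution Service that the Sapphire/Slammer worm
# exploited; it appears here as an illustration of an unneeded exposed service.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:1434        0.0.0.0:*
udp   UNCONN 0      0      127.0.0.1:323       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:80          0.0.0.0:*
tcp   LISTEN 0      128    [::]:22             [::]:*
tcp   LISTEN 0      50     0.0.0.0:1433        0.0.0.0:*
"""

# Hypothetical policy: the only services this host has been decided to offer.
# Everything not in this set is, per the article's advice, "an unneeded worry".
ALLOWED: set[tuple[str, int]] = {("tcp", 22), ("tcp", 80)}


@dataclass(frozen=True)
class Listener:
    proto: str   # "tcp" or "udp"
    addr: str    # bound local address, brackets stripped for IPv6
    port: int

    @property
    def loopback_only(self) -> bool:
        """True when the socket cannot be reached from the network at all."""
        return self.addr.startswith("127.") or self.addr == "::1"


def parse_ss(text: str) -> list[Listener]:
    """Parse `ss -lntu` style lines into Listener records (header line skipped)."""
    listeners: list[Listener] = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue                      # blank or malformed line
        proto, local = fields[0], fields[4]
        addr, port = local.rsplit(":", 1) # rsplit keeps IPv6 "[::]:22" intact
        listeners.append(Listener(proto, addr.strip("[]"), int(port)))
    return listeners


def audit(listeners: list[Listener],
          allowed: set[tuple[str, int]]) -> list[tuple[Listener, str]]:
    """Return (listener, verdict) for every socket not covered by the allowlist."""
    findings: list[tuple[Listener, str]] = []
    for lsn in listeners:
        if (lsn.proto, lsn.port) in allowed:
            continue                      # explicitly decided to run this
        if lsn.loopback_only:
            findings.append((lsn, "local-only: disable if unused"))
        else:
            findings.append((lsn, "EXPOSED: disable, or block at the firewall"))
    return findings


if __name__ == "__main__":
    for lsn, verdict in audit(parse_ss(SAMPLE_SS_OUTPUT), ALLOWED):
        print(f"{lsn.proto}/{lsn.port} on {lsn.addr}: {verdict}")
```

On a live host, replace `SAMPLE_SS_OUTPUT` with the real output of `ss -lntu` and run the audit on a schedule, so the "maintain that posture" step also gets checked rather than assumed.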
More Information
Further reading on malicious software is available
from the Interhack Research site. Specifically, one
of the first articles discussing the problem of
email-based malware can be found there, "Why
Anti-Virus Software Cannot Stop the Spread of Email
Worms". Additionally, the "Internet Firewalls FAQ"
explains the basics of firewall technology and how
it works.
About Interhack
Columbus-based Interhack is a provider of a wide
variety of advanced computing services, including
Information Assurance and Forensic Computing, for
clients all over North America.