Free benchmark could have found Slammer vulnerability

[InfoSec News <isn () c4i org>]

http://www.computerworld.com/securitytopics/security/holes/story/0,10801,78063,00.html

By DAN VERTON 
JANUARY 31, 2003

Not only could companies have easily slammed the door on the Slammer
worm if they had installed the patch released by Microsoft Corp. six
months ago, but they could also have uncovered the vulnerability
exploited by the worm using a free benchmark developed jointly by the
government and private sector.

Industry experts and users said the Slammer worm should have been a
nonissue for companies because the patches and a free tool capable of
detecting the vulnerability exploited by the worm were available six
months ago. That's important because it would have given companies
advance warning that they were vulnerable and more time to test the
patch, said users.

In particular, they point to the issuance in July of the Consensus
Minimum Security Benchmarks, also known as the Gold Standard.  
Developed jointly by five federal agencies, including the National
Security Agency (NSA) and the FBI's National Infrastructure Protection
Center, as well as the SANS Institute and the Center for Internet
Security (CIS), the Gold Standard benchmark can be used to test
Windows 2000 Professional systems running as workstations for proper
configuration.

Alan Paller, director of research at SANS, said an NSA study of the
benchmark concluded that by running it on a network a company could
eliminate more than 90% of known vulnerabilities. And the
database-specific vulnerabilities exploited by the Slammer worm would
have been among those found, he said.

Pat Hymes, vice president of Corporate Information Security at
Wachovia Corp., a CIS member company based in Charlotte, N.C., said
properly configured servers are an absolute necessity for security.  
But maintaining service packs and "hot fixes" can be a challenge for
any organization.

"It can take a great deal of time and energy to download, test and
implement service packs and hot fixes, especially in large
organizations, where they can impact hundreds of applications and
thousands of servers," said Hymes. "Software companies, like
Microsoft, have to accept more accountability for this situation. The
total cost of ownership for servers running some of these distributed
OSs, databases and Web software [is] going through the roof due to the
manpower being expended to maintain patches and respond to events like
the SQL Slammer worm."

Hymes added that the Gold Standard benchmark serves as an "excellent
baseline" for security testing. And because it's available for free,
"there's no reason not to use it."

The challenge remains awareness, said Clint Kreitner, president of
CIS, a Hershey, Pa.-based nonprofit security standards consortium of
more than 170 companies. "We continue to fight an uphill battle
getting the message out to organizations that competent security
configuration and up-to-date patching is one thing that everyone can
and should do to make a huge difference in making their systems more
secure," Kreitner said.

Maurice Rieffel, an IT security analyst at a major energy company in
Louisiana, said, for example, that he was aware of the benchmark but
didn't know it tested for the SQL database vulnerability exploited by
Slammer.

Claude Bailey, an IT security analyst at one of the nation's largest
financial management firms, said that while the Gold Standard is a
good starting point, his security administrators say the problem isn't
in detecting the vulnerability but in deploying the patches and fixes
across an organization of 50,000 employees -- and guaranteeing that
the patch won't cause more problems.

"We tested the original patch [for the SQL vulnerability], and it had
problems," said Bailey. Now, with the financial firm in the middle of
tax season, there's too much to lose to deploy patches that break
other parts of the network. As a result, the company has placed a
freeze on any such maintenance until tax season is over.

Roger Davis, an IT auditor at a global skin and body care products
company in Utah, said a few hours upfront using the Gold Standard
would have saved many companies hundreds of man-hours later.

Said Bailey, "If you decide not to patch something, you're dead."




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.