Information Security News mailing list archives

Virus attack reveals flaw in network security strategies


From: InfoSec News <isn () c4i org>
Date: Mon, 27 Jan 2003 05:03:36 -0600 (CST)

http://www.nandotimes.com/technology/story/736677p-5363306c.html

By ANICK JESDANUN, AP Internet Writer

NEW YORK (January 26, 2003 4:20 p.m. EST) - The latest virus-like
attack on the Internet exposes more than a software flaw: The very
strategy managers of computer networks typically adopt for security
has proven inadequate.

As network technicians continued Sunday to repair damage caused by
the fast-spreading worm, government and private security experts
worried that too many security managers are fixing problems as they
occur, then moving on until the next outbreak.

The worm that crippled tens of thousands of computers worldwide,
congested the network for countless others and even disabled Bank of
America cash machines Saturday took advantage of a vulnerability in
some Microsoft Corp. software that had been discovered in July.

Microsoft had made available the software updates needed to patch the
vulnerability in its SQL Server 2000 software - but many system
administrators had yet to install them.

"There was a lot that could have been done between July and now," said
Howard A. Schmidt, President Bush's No. 2 cybersecurity adviser. "We
make sure we have air in our tires and brakes get checked. We also
need to make sure we keep computers up-to-date."

Saturday's worm sought out the flaw in SQL, a database product used
mostly by businesses and governments.

Once the worm found one, it infected that computer and from there
continued seeking other victims by sending out thousands of probes a
second, saturating many Internet data pipelines.

Unlike most viruses and worms, the latest spread directly through
network connections and did not need e-mail as a transmitter. Thus,
only network administrators who run the servers, not end users, could
have done anything to remedy the situation.

According to Keynote Systems Inc., which measures Internet reliability
and speed, network congestion increased download times at the largest
U.S. Web sites by an average of 50 percent, and some sites were
completely unavailable at times Saturday.

Most services and sites were restored by Saturday evening, and
security experts said Sunday that the problem was largely under
control, though some worried about lingering infections when businesses
reopen Monday.

The FBI said Sunday that the attack's origins were still unknown.

Bruce Schneier, chief technology officer at Counterpane Internet
Security, said the latest attack proves that relying on patches is
flawed "not because it's not effective, but many don't do it."

Code Red and Nimda, two of the previous major outbreaks, also
exploited known problems that had patches available.

But with more than 4,000 new vulnerabilities reported last year,
according to the government-funded CERT Coordination Center at
Carnegie Mellon University, system administrators can have trouble
keeping up.

Vendors have mechanisms for notifying customers, but patches take time
to install and could disrupt other systems and applications. Schmidt
said many networks delay installing patches to fully test them first.

Russ Cooper, a security analyst at TruSecure Corp., said patches are
also complicated, and applying them out of order can undo an earlier
fix.

Microsoft spokesman Rick Miller said the company is working with
network professionals to develop better tools, including ones to
automatically scan systems for known vulnerabilities.

Preventing the next outbreak, security experts say, will mean
rethinking security. Favored approaches range from getting vendors to
make better software to paying private companies more money to handle
the brunt of the work.

Microsoft, for one, has already pledged to improve its products. Just
two days before the attack on its software, Microsoft chairman Bill
Gates sent out an e-mail outlining such improvements as better support
for "smart cards" to replace or augment computer passwords.

Company executives have also said they want to make security updates
automatic so users could grant permission once and have multiple
patches installed over the Internet whenever needed. Network managers,
however, worry that such automation could inadvertently introduce
problems for other applications.

Carnegie Mellon's Software Engineering Institute is among research
centers working on improving security before software is shipped -
lessening the need for patches, said Brian King, Internet security
analyst at Carnegie's CERT center.

Security companies that stand to profit are pushing for more financial
commitment.

"If you're paying someone to go out and be an advance tech support guy
and hover in your network and hit the switches at the right time, it's
going to cost money," said David Perry of anti-virus vendor Trend
Micro. "But since there is a need for this, it is cost-effective to be
proactive."

Schneier's Counterpane has an intrusion detection service for
containing damage once a threat is identified, while SecurityFocus
sends out alerts to help network managers prioritize.

George Kurtz, chief executive of security company Foundstone Inc.,
said anti-virus and firewall products are no longer enough.

"Security is a journey, not a destination," he said. "It needs
continuous care and feeding like a child."

AP Technology Writer Ted Bridis contributed to this story from
Washington.



-
ISN is currently hosted by Attrition.org
