September 24, 2003 (Computerworld) — Blaster, Nachi and their variants were worms that attacked a Windows security flaw found on most end-user workstations. Companies that were hit with these worms discovered weaknesses in their architectures, processes and procedures that weren’t considered important until now. I asked some of my colleagues in information security for their comments and
lessons learned. They are summarized here.
How the worm got in
Worms penetrated organizations in several ways. A systems administrator in a branch of the U.S. ilitary described how an employee accessed a personal Web mail account from work, downloaded an infected message and opened the attachment, thereby beginning the spread inside the organization. That user’s antivirus software had to have been disabled, or it had an out-of-date signature file.
A systems analyst at a parts-distribution company told me that contractors brought in their laptops and routinely connected them to the corporate network without IT’s involvement. Some of those laptops had out-of-date signature files or expired antivirus subscriptions, enabling them to become infected while connected to an unprotected home LAN or hot spot.
A help desk employee at a telecommunications company told of laptops that employees took home and connected to their Digital Subscriber Line or cable-modem Internet connections. Their home LANs and laptops were unprotected by firewalls and were scanned and infected, and upon returning to the corporate network, these systems began the spread internally.
Another scenario involved network connections between companies. The parts-distribution company mentioned earlier used router-based virtual private network (VPN) technology to encrypt network traffic between companies. The company on the far end of the VPN link was hit pretty hard with Blaster, filling the VPN connection with Blaster scanning traffic that was then able to begin
infecting systems on the near side of the VPN connection. The trouble in this case was that the VPN connection, while encrypted, didn’t have a firewall. The company permitted all network traffic from the other company to pass unhindered, including Blaster worm scanning traffic.
In all of these cases, antivirus software wasn’t working, was expired or wasn’t updating virus signature files often enough, or at all.
How the worm spread
Once an infected system began scanning for more systems, any systems lacking the security patch and up-to-date antivirus signatures also became infected.
No organizations I talked with had any internal firewalls. As well-known Internet security expert Bill Cheswick used to say, these organizations had networks with soft, chewy centers. Once a worm was inside the organization, there were no internal firewalls to stop its spread. If you have trouble picturing this, then think about why navy ships and submarines have several watertight compartments sealed with bulkheads. A breach in one compartment won’t threaten to sink the ship.
- Organizations need better control over computers they don’t own and other devices being connected to their internal networks. This can be achieved through policy, awareness and enforcement. For example, Dynamic Host Configuration Protocol (DHCP) servers should be made smarter about allocating IP addresses only to systems they recognize and not just any device on the network capable of generating a DHCP request.
- Organizations are learning that the network perimeter exists in many places besides the Internet firewall. Connections to other organizations, and even connections within organizations, also need to have firewalls. Company laptops need to take a little piece of the perimeter with them when they travel outside the corporate firewall. Organizations need to consider installing personal firewall software on laptops to protect them from external threats when they’re connected to the Internet via an unfirewalled home network or hot spot.
- Antivirus software is only as good as its signature files are up-to-date. This can be challenging in large, distributed organizations. Nevertheless, more care over antivirus software and the mechanisms used to update signature files may be in order for many organizations.
- Companies that had scaled back their PC support departments were hit hard because they didn’t have enough resources to disinfect systems quickly. As a result, some companies spent several days trying to keep up with cleaning infected systems and taking calls from users complaining of slow networks. Companies that had outsourced PC support to off-site organizations also felt the pain, since there were no on-site PC technicians to install patches when they needed to be physically present to do so.
While most of these lessons have been best practices for years, I hope organizations that were hit with Blaster or Nachi put these lessons into practice before the next Internet worm makes the rounds.