Databus Issue: 2004 3 07/30/2004

Protecting Your Network From a Zero-Hour Attack

Rob McCarthy, President

The past year has not been a good one for network security. The SQL Slammer worm caused widespread outages by exploiting a known defect in Microsoft’s SQL server. The MS Blaster worm is still causing problems in networks six months after the first attack. The Nachi or Welchia worm exploited the same flaw as MS Blaster and, in many ways, was worse because of the way it pinged a network to death. Then, there was a list of e-mail exploits that lured gullible users into becoming unwitting agents of destruction, such as Sobig.A through Sobig.F (and still counting), Mimail.A through Mimail.N, and others.

This has left the computer security industry with some explaining to do. What good are firewalls and anti-virus software if some unknown hacker can still turn your users’ PCs into e-mail relays for spamming the Internet with pornography?

And, here is the scariest fact of all—every worm or virus, this last year, used vulnerabilities that were well known at the time and had vendor patches available to fix the problem. What happens if there is a zero-hour attack—a completely unknown vulnerability that is exploited by a quickly replicating worm or virus to flood the entire Internet within minutes? This is the nightmare of network administrators everywhere.

So, what can we do about the problem? The normal responses of security experts didn’t seem to really help all that much. Here is the list of common recommendations for a good security policy, and why they failed:

Common Security Recommendations

Install all the latest vendor software updates. I have always checked the Windows Update site for the latest patches for my operating system, yet the Slammer worm nailed me. I had thought Microsoft was updating security for all of its products from Windows Update. I hadn’t even considered that the MSDE version of SQL Server I use could be attacked successfully. And, apparently I wasn’t the only one, as the same vulnerable MSDE SQL was used by Visio, Cisco, McAfee and many others.

Configure the firewall to allow only the essential traffic in and out of the network. This is a good idea, but this didn’t stop any of the big attacks this last year. In fact, many networks got hammered with MS Blaster by notebook PCs that were carried into the inside network and plugged in, bypassing the security at the firewall completely.

Keep virus definitions up to date. Well, duh. This didn’t stop the SQL Slammer worm, since the worm itself was never written to disk. And, virus definitions are reactive. Someone has to get infected first, then an anti-virus company gets a copy of the virus (probably from the Internet), and the anti-virus company produces a virus signature, and then distributes it across the Internet! I guess the hope is that someone else gets infected first and then you get the virus signature from the anti-virus company before the rest of the Internet melts down.

Use intrusion detection software at the network border. The basic flaw with intrusion detection is that it tells you that you are in trouble, but it doesn’t do anything to stop the attack. It’s like having a police officer tell you that you are being mugged, instead of arresting the mugger.

What to do to stop a zero-hour attack? At Lightspeed Systems, we decided to start writing some software. This is good for us because we sell software and this is good for our customers because they are protected. The wonders of capitalism! Therefore, I think the best thing you can do is write a check to us! Hooray for everybody!

Seriously, here are the steps we took and some alternatives you can use:

Effective Security Recommendations

Use Intrusion Prevention at the gateway and on each desktop. Our gateway Intrusion Prevention software stops known attacks going in or out of your network. Many other commercial products do this and there is a terrific open source Intrusion Detection product called “Snort.” On the desktop, there are not as many choices. Besides our software, I know about products from Cisco, Symantec, and Internet Security Systems.

Use file integrity checking. File integrity checking tells you if the software you’ve installed on your network is actually what it is supposed to be. There are lots of free utilities to do this, with Tripwire being the most famous. The traditional way to use file integrity checking is to figure out what has been recently changed on a PC, so when things go desperately wrong you can try to back out the latest changes.

Run new or unknown software in a sandbox. Our software extends file integrity checking by making unknown software run in a “sandbox.” In our sandbox, new or unknown programs are not allowed to do the following things:

• Talk on the network
• Write to a network share
• Write to another .exe or .dll file
• Write to another process’s memory
• Modify important registry entries

This stops all viruses or worms from propagating, except for buffer overrun worms. Cisco has a product that does something similar. I don’t know of any open source alternatives.

Another way to have a sandbox is by using Microsoft’s Active Directory to keep users from installing anything new. New software is carefully checked by the network administrator before it is installed on the rest of the network, in effect making the network administrator’s PC the sandbox. Some networks are very successful with this approach.

Use heuristic and signature based anti-virus software. Most networks are already doing this. We added one very important feature to traditional anti-virus software—the ability for our customers to easily create their own virus signatures and distribute them throughout their network. Therefore, if you decide you don’t want the latest peer-to-peer software running in your network, you can make a virus signature that completely blocks it with a few keystrokes.
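What a locally written signature amounts to, as an added example (not the product’s signature format, and not a real detection rule): a name paired with a byte pattern, scanned over files in chunks with enough overlap that a pattern straddling a chunk boundary is still found. The signature patterns, file names and directory tree below are constructed for the example.

```python
"""Custom byte-pattern signature scanner (added example; the signature
format and the patterns are constructed, not a product's detection data).
Files are scanned chunk by chunk with an overlap of (longest pattern - 1)
bytes so a match that crosses a chunk boundary is not missed."""
import os
import tempfile

# Constructed signatures: the first models an administrator's own rule
# against an unwanted peer-to-peer client; neither is a real pattern.
SIGNATURES = {
    "Blocked-P2P-Client": b"EXAMPLE_P2P_CLIENT_BANNER",
    "Test-Marker": b"SCANNER-TEST-MARKER-7f3a",
}


def scan_bytes(data, signatures=SIGNATURES):
    """Return the names of all signatures whose pattern occurs in data."""
    return sorted(name for name, pat in signatures.items() if pat in data)


def scan_file(path, signatures=SIGNATURES, chunk_size=4096):
    """Scan a file in chunks, carrying the last (longest pattern - 1) bytes
    forward so patterns crossing a chunk boundary are still matched."""
    if not signatures:
        return []
    overlap = max(max(len(p) for p in signatures.values()) - 1, 0)
    hits = set()
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                break
            window = tail + chunk
            hits.update(scan_bytes(window, signatures))
            tail = window[-overlap:] if overlap > 0 else b""
    return sorted(hits)


def scan_tree(root, signatures=SIGNATURES):
    """Map relative path -> matched signature names for every flagged file."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            matches = scan_file(full, signatures)
            if matches:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                flagged[rel] = matches
    return flagged


def demo():
    """Constructed tree: a clean file, a plain hit, and a hit that straddles
    the 4096-byte chunk boundary."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"nothing suspicious here")
        with open(os.path.join(root, "p2pclient.exe"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 100 + SIGNATURES["Blocked-P2P-Client"]
                    + b"\x00" * 50)
        pat = SIGNATURES["Test-Marker"]
        with open(os.path.join(root, "straddle.bin"), "wb") as f:
            f.write(b"A" * (4096 - len(pat) // 2) + pat + b"B" * 10)
        return scan_tree(root)


if __name__ == "__main__":
    for path, names in sorted(demo().items()):
        print(f"{path}: {', '.join(names)}")
```

A pattern this simple is easy to evade by changing a byte, which is why real products pair signatures with heuristics; its value for an administrator is blocking software that is already known and unchanging, such as the peer-to-peer client in the paragraph above.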

Monitor all the running processes in your network. I honestly don’t know of any other products that do this as extensively as our software. We watch all the running processes everywhere in the network, monitoring everything that Task Manager does on a single PC, plus keeping track of what each process does on the network. SysInternals does have free software that does some of this. These utilities are TcpView, Filemon, and TDIView. BTW, I love SysInternals.
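One piece of the per-process network monitoring described above, as an added example (not Lightspeed’s or SysInternals’ code): summarize a connection snapshot per process and flag the patterns a defender cares about, namely one process fanning out to many hosts on a single port, many half-open connections, and network activity from a program not on the site’s allowlist. The six-column snapshot format, the process names, addresses and the allowlist are all constructed for the example and do not reproduce TcpView’s real output.

```python
"""Per-process network summary over a connection snapshot (added example).
The snapshot layout is constructed for this example: six whitespace-
separated columns (process, PID, protocol, local endpoint, remote endpoint,
state). It is not TcpView's or netstat's real export format."""

# Constructed snapshot. The last process reaches six hosts on one port with
# every connection still half-open, the fan-out a scanning worm produces.
SNAPSHOT = """\
outlook.exe 1204 TCP 192.168.1.20:1388 192.168.1.5:143 ESTABLISHED
iexplore.exe 1500 TCP 192.168.1.20:1401 10.0.0.8:80 ESTABLISHED
iexplore.exe 1500 TCP 192.168.1.20:1402 10.0.0.9:80 ESTABLISHED
svchost.exe 856 UDP 192.168.1.20:137 *:* LISTENING
newtool.exe 2044 TCP 192.168.1.20:1510 192.168.1.33:7000 SYN_SENT
newtool.exe 2044 TCP 192.168.1.20:1511 192.168.1.34:7000 SYN_SENT
newtool.exe 2044 TCP 192.168.1.20:1512 192.168.1.35:7000 SYN_SENT
newtool.exe 2044 TCP 192.168.1.20:1513 192.168.1.36:7000 SYN_SENT
newtool.exe 2044 TCP 192.168.1.20:1514 10.4.2.17:7000 SYN_SENT
newtool.exe 2044 TCP 192.168.1.20:1515 10.4.2.18:7000 SYN_SENT
"""

# Constructed allowlist of programs expected to talk on the network.
EXPECTED = frozenset({"outlook.exe", "iexplore.exe", "svchost.exe"})


def parse_snapshot(text):
    """Parse snapshot lines into dicts; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        proc, pid, proto, local, remote, state = parts
        rows.append({"process": proc, "pid": int(pid), "proto": proto,
                     "local": local, "remote": remote, "state": state})
    return rows


def summarize(rows):
    """Per (process, pid): distinct remote hosts and ports, half-open
    connection count, and number of listening sockets."""
    summary = {}
    for r in rows:
        key = (r["process"], r["pid"])
        s = summary.setdefault(key, {"remote_hosts": set(), "remote_ports": set(),
                                     "half_open": 0, "listening": 0})
        if r["state"] == "LISTENING":
            s["listening"] += 1
            continue
        host, _, port = r["remote"].rpartition(":")
        if host != "*":
            s["remote_hosts"].add(host)
            s["remote_ports"].add(port)
        if r["state"] == "SYN_SENT":
            s["half_open"] += 1
    return summary


def flag_suspicious(summary, host_threshold=5, allowlist=frozenset()):
    """Return {'process:pid': [reasons]} for processes worth a closer look."""
    flags = {}
    for (proc, pid), s in summary.items():
        reasons = []
        if len(s["remote_hosts"]) >= host_threshold and len(s["remote_ports"]) == 1:
            reasons.append(f"contacts {len(s['remote_hosts'])} hosts on one port "
                           "(scan-like fan-out)")
        if s["half_open"] >= host_threshold:
            reasons.append(f"{s['half_open']} half-open connections")
        if s["remote_hosts"] and proc.lower() not in allowlist:
            reasons.append("network activity from a process not on the allowlist")
        if reasons:
            flags[f"{proc}:{pid}"] = reasons
    return flags


def demo():
    """Run the pipeline over the constructed snapshot."""
    return flag_suspicious(summarize(parse_snapshot(SNAPSHOT)), allowlist=EXPECTED)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

On a real network this runs against periodic snapshots from every PC, which is what turns a single-machine view like Task Manager’s into the network-wide picture the paragraph describes.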

Install Windows XP Service Pack 2 when it is released by Microsoft. Whenever this is finally released, it will help a lot. Microsoft has promised that this service pack will, once and for all, stop buffer overrun worms and viruses. Oh, be still my beating heart!

A link you may find useful is http://www.lightspeedsystems.com/cetpa.

Rob McCarthy is president of Lightspeed Systems. He can be reached at rob@lightspeedsystems.com.
