Opinion: Zotob - An Avoidable Worm And The Negligence Factor
Computer industry analyst Rob Enderle says the Zotob incident proves that companies have gotten lax with security upgrades and could be heading toward negligence when it comes to network security.
For much of this week we've been tracking the proliferation of the Win32.Peabot—a worm that also goes by the name of Zotob. This attack, like many others, came after the disclosure of an exposure in current versions of Windows that continues to suggest a cause and effect pattern of 'patch-release virus attack.'
This worm has hit a number of high profile sites but, so far, only unpatched Windows 2000 systems have been reported as damaged. This is because the extra work needed to attack an unpatched Windows XP system has delayed, if not prevented, a variant that will attack Windows XP based systems. This suggests, that at the very least, systems with this newer version have a longer grace period before they can be attacked.
Currently the working theory is that the organizations under attack have not protected themselves against laptop computers that, in attacks like this, perform the role of carriers and physically bypass the perimeter security in place in the company to infect other, normally well protected, computers. As with most worms of this type a properly configured firewall will stop the current generation of virus variants cold if the firewall is allowed to perform its function.
What is somewhat scary about this virus incident is that it appears to be a large and growing number of variants each more damaging then the last, making it almost look like there is some type of perverted competition between virus writers to see who can do the most damage. It is important to remember that companies with adequate security surrounding laptop use, and those that follow recommended practices with perimeter protection have likely not been impacted.
The Patching Strategy
This isn’t to say you can avoid patching, particularly for small businesses there is a critical requirement that security patches be applied promptly. We are now down to hours between when a patch is created and someone reverse engineers it to create a virus that exploits the identified exposure. Virus checking products are simply not fast enough as they typically take up to 24 hours to identify a virus, create a response to it, and then distribute that response.
If you are already patched when the virus hits you are generally immunized from the related virus and most if not all of the variants while must virus products still have to be updated for each variant. This is particularly true now that many are specifically written to by pass popular virus checking offerings.
Securing Firewalls And Remote Sites
Firewall ports should be closed by default and only those that need to be open should be open. This latest virus targeted port 445 that is used for file and printer sharing and should never be open on a firewall (this activity, if allowed, should only occur within a company between PCs that never venture out of the perimeter protection currently in place).
What we often forget is that remote offices and employees working from home often drill through firewalls with trusted links like virtual private networks (VPNs). While I personally think VPNs are a really bad idea sometimes, they can’t be avoided and that means this remote site has to be as secure as possible. In effect, if such a link exists, the remote site should be regularly audited to insure it is adequately protected. In most cases this can be done remotely but it still needs to be done regularly.
One product that could help with small offices and home offices is the Eli Managed Broadband Security Appliance . It is a remotely managed firewall, router, and access point with heavy content filtering. It is one of the few affordable products I’ve seen that comes close to affordable and adequate perimeter protection to homes and small offices.
On the physical security front, a common practice in security audits is to go to a remote executive’s site and then penetrate the company’s security from that inadequately protected site. Just because you don’t read about companies being compromised in this way does not mean the events aren’t happening.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
2017 State of IT ReportIn today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.