Opinion: Zotob - An Avoidable Worm And The Negligence Factor - InformationWeek
02:08 PM
Rob Enderle

Opinion: Zotob - An Avoidable Worm And The Negligence Factor

Computer industry analyst Rob Enderle says the Zotob incident proves that companies have gotten lax with security upgrades and could be heading toward negligence when it comes to network security.

For much of this week we've been tracking the proliferation of Win32.Peabot, a worm that also goes by the name of Zotob. This attack, like many others, came after the disclosure of an exposure in current versions of Windows, which continues to suggest a cause-and-effect pattern of 'patch-release virus attack.'

This worm has hit a number of high-profile sites but, so far, only unpatched Windows 2000 systems have been reported as damaged. This is because the extra work needed to attack an unpatched Windows XP system has delayed, if not prevented, a variant that will attack Windows XP-based systems. This suggests that, at the very least, systems with this newer version have a longer grace period before they can be attacked.

Currently the working theory is that the organizations under attack have not protected themselves against laptop computers that, in attacks like this, perform the role of carriers and physically bypass the perimeter security in place in the company to infect other, normally well-protected, computers. As with most worms of this type, a properly configured firewall will stop the current generation of virus variants cold if the firewall is allowed to perform its function.

What is somewhat scary about this virus incident is that there appears to be a large and growing number of variants, each more damaging than the last, making it almost look like there is some type of perverted competition between virus writers to see who can do the most damage. It is important to remember that companies with adequate security surrounding laptop use, and those that follow recommended practices with perimeter protection, have likely not been impacted.

The Patching Strategy

This isn’t to say you can avoid patching. Particularly for small businesses, there is a critical requirement that security patches be applied promptly. We are now down to hours between when a patch is created and when someone reverse engineers it to create a virus that exploits the identified exposure. Virus checking products are simply not fast enough, as they typically take up to 24 hours to identify a virus, create a response to it, and then distribute that response.

If you are already patched when the virus hits, you are generally immunized from the related virus and most if not all of the variants, while most virus products still have to be updated for each variant. This is particularly true now that many are specifically written to bypass popular virus checking offerings.

Securing Firewalls And Remote Sites

Firewall ports should be closed by default and only those that need to be open should be open. This latest virus targeted port 445, which is used for file and printer sharing and should never be open on a firewall (this activity, if allowed, should only occur within a company between PCs that never venture out of the perimeter protection currently in place).
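The two checks described above (ports closed by default, port 445 never accepted from outside) can be automated against an exported ruleset. The following is an added example, not part of the original article: it assumes the firewall rules are available as `iptables-save` text, treats RFC 1918 ranges as "inside the perimeter", and does not model rule ordering.

```python
import ipaddress
import shlex

SMB_PORT = 445
# Assumption: "inside the perimeter" means RFC 1918 address space.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def covers_port(spec, port):
    """True if a port spec such as '445', '139,445' or '400:500' includes port."""
    for part in spec.split(","):
        lo, sep, hi = part.partition(":")
        low = int(lo) if lo else 0
        high = int(hi) if hi else (65535 if sep else low)
        if low <= port <= high:
            return True
    return False

def from_outside(tokens, source):
    """True unless the rule is limited (without negation) to an internal source."""
    if source is None or tokens[tokens.index("-s") - 1] == "!":
        return True
    net = ipaddress.ip_network(source, strict=False)
    return not any(net.subnet_of(i) for i in INTERNAL)

def audit(ruleset):
    """Return findings for iptables-save text (rule ordering is not modelled)."""
    findings = []
    for line in map(str.strip, ruleset.splitlines()):
        if line.startswith(":"):  # chain policy line, e.g. ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            if chain in ("INPUT", "FORWARD") and policy == "ACCEPT":
                findings.append(f"{chain}: default policy ACCEPT (open by default)")
        elif line.startswith("-A"):
            tok = shlex.split(line)
            opt = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
            ports = opt.get("--dport") or opt.get("--dports")
            accepts = tok[1] in ("INPUT", "FORWARD") and opt.get("-j") == "ACCEPT" and opt.get("-p") == "tcp"
            if accepts and ports and covers_port(ports, SMB_PORT) and from_outside(tok, opt.get("-s")):
                findings.append(f"{tok[1]}: TCP {SMB_PORT} accepted from outside: {line}")
    return findings

# Constructed sample ruleset, not taken from any real device.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A INPUT -s 192.168.10.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
-A FORWARD -p tcp -m multiport --dports 139,445 -j ACCEPT
COMMIT
"""
```

Calling `audit(SAMPLE)` reports the default-ACCEPT policy on INPUT and the FORWARD rule that passes port 445 from any source; the rule restricted to 192.168.10.0/24 is not flagged.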

What we often forget is that remote offices and employees working from home often drill through firewalls with trusted links like virtual private networks (VPNs). While I personally think VPNs are a really bad idea sometimes, they can’t be avoided and that means this remote site has to be as secure as possible. In effect, if such a link exists, the remote site should be regularly audited to ensure it is adequately protected. In most cases this can be done remotely, but it still needs to be done regularly.

One product that could help with small offices and home offices is the Eli Managed Broadband Security Appliance. It is a remotely managed firewall, router, and access point with heavy content filtering. It is one of the few affordable products I’ve seen that comes close to affordable and adequate perimeter protection for homes and small offices.

On the physical security front, a common practice in security audits is to go to a remote executive’s site and then penetrate the company’s security from that inadequately protected site. Just because you don’t read about companies being compromised in this way does not mean the events aren’t happening.
