CHICAGO -- It's been two years since the last big worm outbreak, and that has network administrators anxious. The lack of headlines has lulled users, and even some admins, into complacency. Then there's the fact no one can be sure there isn't killer code already seeping surreptitiously into networks worldwide.
"The next big
Lewandowski's comment was part of a panel discussion Tuesday at Information Security Decisions 2005 called "Winning the War on Worms." The consensus was that while defenses had improved in recent years, progress was tempered by persistent network penetration by older worms like Blaster, Sasser, Slammer and even 2001's Code Red.
And these worms don't even carry a devastating payload. "I really don't think we've seen a well crafted, sophisticated worm" yet, Lewandowski said. Panelist Tom Chmielarski gave a more optimistic view of networks in the wake of worm outbreaks. "I can't say I like them, but they have driven security in the enterprise," the Motorola Inc. information security specialist said.
Even worm categorizations varied, with Adam Powers, a member of network
However defined, both the panelists and audience members, most of whom worked on the frontlines of corporate and university networks, offered some suggestions to mitigate infestations.
Host-based intrusion detection and an IPS at the perimeter. Chmielarski employs this technique at Motorola and admits it's more a monitoring system than true defense mechanism. "But if you catch the threat early enough, you can develop a defense," he said.
- Setting up multiple security domains. This practice of segmenting and isolating subnetworks was not without controversy as some questioned the integrity of VLANs needed to create such separations. But if done correctly and securely, virtual isolation can limit impact to only part of a network.
- Removing default gateways and creating bit buckets. This method forces traffic down prescribed paths that can then traverse IDS, IPS or other tools that scan and scrub packets before they're trashed or sent on to a final destination. This helps gain some control over traffic flowing into a network.
- Limiting local admin access. Reconfigure desktops and laptops to minimize administrative privileges and that will disallow some user behaviors that lead to worm infections. One audience member said he analyzed 700 different worms launched in a nine-month period and concluded only 10% spread through software vulnerability exploitation. The remainder was aided by users who did the wrong thing. Of course, this won't provide much defense against worms that elevate their privileges once inside a network, but it can limit or maybe even eliminate those that write themselves into system directories to propagate.
- Honeypots and honeynets. Creating decoy servers or even networks to divert dark traffic away from productive systems is another option. It's possible to even make the default route lead to the honeypot in order to analyze traffic. How well this works depends on how evasive the worm.
- 'Dark nets.' It's also possible to devote an unused portion of a network to monitor net flow and then analyze for anomalous behavior.
- Quarantines. This involves filtering suspicious code and automatically quarantining a new device or node that tries to access a network. Several audience members said they're using the 802.1x authentication protocol to deny access to rogue devices attempting to infiltrate their networks.
What prevents many enterprises from engaging in any of these tactics is cost, manageability and potential hits to performance. That's one reason that Slammer, Sasser and the other 'old standards' are still going strong. But everyone agreed it's just a matter of time before a significant outbreak forces change. And that time may be sooner, rather than later. "We haven't seen any impact from worms," Lewandowski said. "But there could be something sitting on your machine right now that's just waiting for a command."