Zero-day tracker a hit, but IT shops need better strategy

By Bill Brenner
08 Dec 2006 | SearchSecurity.com

It's been getting increasingly difficult to keep track of all the zero-day attacks Microsoft has suffered this year. Two more zero-day flaws surfaced this week -- one in Microsoft Word and the other in Windows Media Player.

So it's no surprise that bloggers are reacting happily to news that Aliso Viejo, Calif.-based eEye Digital Security launched a new zero-day tracker to help IT administrators stay on top of things.

But as some security professionals noted, the tracker won't be of much use unless IT shops already have a system in place to deal with the growing threat.

Ross Brown, eEye's CEO, explained in his blog why the tracker was created and how it works.

"As a company that invests [its] primary research in security, we often have a unique perspective that transcends the typical analysis of malware trends or outbreaks," he wrote. That being the case, he added, it made sense to create a site that not only tracks information on zero-day threats but also investigates ways to defend against them.

He said another unique aspect of the site is how the research team dissects each zero-day flaw for exploitability to determine exactly how attackers are using the vulnerability. He cited the analyses of the ASX Playlist and ADODB.Connection ActiveX flaws as good examples.

"In the case of the ASX Playlist, this zero-day is being actively used, but it was reported as a denial-of-service attack only," Brown said. "Our research team has investigated the exploit and found it to be remotely exploitable, which is obviously of a higher concern than just a denial-of-service attack."

Brown said the site will never provide proof-of-concept code or materials that would make it easier for attacks to occur. The goal is to investigate what has already been publicly disclosed "to understand the vectors of attack fully and give customers protection strategies."

Blogger Andrew S. Baker wrote in his Talking Out Loud with ASB blog that the zero-day tracker, like Symantec Corp.'s DeepSight threat monitoring service and the Bethesda, Md.-based SANS Internet Storm Center Web site, is an example of the online resources IT professionals should be taking advantage of.

"These information security resources can go a long way to improving your visibility of threats [and] enabling you to make better determinations of risk for yourself and your environment," he said.

A North Carolina-based blogger who goes by the online name cctech praised eEye for launching the tracker in his Technology, SEO and Web Design blog.

"In hindsight, this is such a great idea and I cannot figure out why no one did this already," he wrote. When mentioning the number of zero-days being tracked to date, he noted that Patch Tuesday is next week and that a few items may be crossed off the list. But, he added, more zero-day flaws may appear the day after Tuesday's patch release, as has been the trend this year.

That being the case, some bloggers lamented the fact that there are companies out there lacking a basic program to confront zero-day threats. Without that, they said, a daily tracker isn't of much use.

"Most organizations wouldn't know how to defend against a zero-day even if they knew about it," Mike Rothman, president and principal analyst of Security Incite in Atlanta, Ga., wrote in his Daily Incite blog. "These folks don't have the right defenses in place, they couldn't develop their own IPS signature [and] basically they are sitting ducks until their vendors update the products."

That, he said, is why a layered security model is so important. He directed his readers to a list of recommended actions security researcher Michael Wright put in his MCW Research blog.

The eEye tracker "is without a doubt a valuable service," Wright wrote. "But I doubt the vast majority of enterprise networks honestly have the resources and infrastructure in place to address zero-day mitigation."

To get there, Wright said IT shops need:

  • User policies that are well known, well trained and well enforced;
  • A user training program that teaches users how to safely surf, safely check email, etc.;
  • Behavior-based NIPS and HIPS;
  • An ability to block ActiveX controls enterprise-wide;
  • Aggressive, near-draconian firewall rules;
  • Patch management procedures that enable fast deployment when a zero-day fix is released; and
  • A documented, tested incident response plan.
