- Deploy AV throughout the enterprise. Most organizations deploy AV tools solely on desktops and laptops. A solid AV strategy involves AV on end-user systems, mail servers and file servers. Most AV vendors quickly release signatures that detect and eradicate the latest malware. For particularly fast-spreading malware, though, AV isn't enough. Signatures take time to develop, download and deploy. We must do more.
- System hardening and patching is essential. We've heard this a million times, yet many systems continue to be deployed with minimal security. With combo malware on the way, it's time to get serious about creating secure systems.
A sound baseline is critical for building and maintaining secure operating systems. Stephen Northcutt of the SANS Institute, urges organizations to maintain standardized machines to simplify patching and change control.
Before bringing a system online, apply all relevant patches and harden the configuration. The Center for Internet Security offers free hardening tools, benchmarks and assessment scoring tools for a variety of systems, including Windows 2000, Linux, Solaris, HP-UX, Cisco IOS and Oracle.
- Be a good 'Netizen. Lax outgoing rules could turn you into the Typhoid Mary of the Internet. In addition to protecting your own systems, you can take steps to prevent your networks from infecting others on the Internet.
First, limit all outgoing connections from publicly available systems, such as Web, DNS, e-mail and FTP servers. Once a worm takes over a system, it often attempts to spread through outgoing connections to scan for new victims. Use a border router or external firewall to block all outgoing connections that don't serve a specific business need. Allow only responses (also known as established packets) from your Web server to go out to the Internet. If you must initiate outgoing sessions, allow them only to those IP addresses that are essential.
Think about it: Your Web server needs to respond to users requesting pages, but does it ever need to initiate connections to the Internet? The answer is likely "no," so block them.
In addition, employ egress antispoofing filters. Many worms and DoS agents spoof the source address to confuse tracing efforts. If any of your DMZ servers start spewing traffic with IP addresses not assigned to your network, egress antispoofing filters at your border firewall or router will drop the malicious packets.
- Create (or update) a comprehensive incident response plan and team. Your IR team should include computer security, physical security, computer operations, network operations, legal, HR and public affairs representatives. The team should meet quarterly and walk through hypothetical computer attack scenarios to make sure everyone understands their response role. In particular, cover scenarios involving combo-malware attacks.
Make sure you, or someone on the team, has the authority to isolate portions of your operation to contain proliferating malware. At some point, you may have to pick up the phone and say, "Disconnect our operation in the Philippines from the WAN, or our whole internal network will go down!" Even worse, you may have to temporarily disconnect your operation from the Internet so you can sit out a giant worm episode. Make sure your network management team is standing by in case you have to make the call.
- Identify internal network choke points in advance. Work with your network management team to identify routers and firewalls you can use as internal network choke points, where you can deploy filters to restrict an internal contagion. Don't wait for malware to start spreading before you identify these choke points. Develop sample filters for arbitrary TCP and UDP ports, as well as different ICMP types, so you can quickly adapt and apply them during an emergency.
Article 3 of 15Next Article
This was last published in November 2003