Various iterations of the Nimda virus have slowed its propagation around the world after causing havoc on resource-constrained IT organizations.
Recently, businesses have been focused on other priorities, such as recovering from the tragic events of September 11, or simply trying to remain in business during difficult economic times. As such, few organizations were fully prepared for the Nimda outbreak and were forced to scramble in order to prevent systems from being attacked and to remove infected systems from networks to stop Nimda's propagation.
Today, many businesses are assessing their critical response procedures and areas of vulnerability, and attempting to determine the costs of the latest attack. Many of the past year's attacks have been email based, targeting the weak or incorrect security settings of the desktop user, and un-patched infrastructure components and off-the-shelf applications. It is apparent that expecting an entire staff to patch their own systems or having administrators patch each individual system is getting increasingly difficult. It does not have to be this way.
During the past few years, applications have been designed to automatically do more for the user. Unfortunately, that means that harmful code may also be automatically executed. Yes, there are precautions that organizations can require each employee to follow, but without the resources to oversee the modifications, users have failed to perform the requested tasks and have become complacent regarding their organization's digital security posture. Often, employees believe that they are able to 'spot' a virus, or 'trust' outside users. However, by simply relying upon these precautions businesses may be placing their brand, intellectual property, and customer data at risk. Is this acceptable?
What Can Your Organization Do?
Follow your hardware and software manufacturer's recommendations on security settings and keep up to date on your virus protection package. Not so easy - right? With the reduction of staff and resources, often it is not practical or possible to keep each system up to date. However, by adopting the following best practices, your organization can regain control of its network from outside users without having to manually touch each internal system. This, in turn, gives IT staff more time to complete the distribution of security patches and upgrade hosts.
Block harmful email attachments
Since email has been the most common method of attack, organizations should take some time now to review their individual email business requirements. Does your staff really need the ability to receive executable content via email? Many vendors have publicly stated that they will not send out executable attachments to customers in order to prevent someone else masquerading as the vendor. Instead, most vendors request that customers go to their web site and download the update or attachment. Do not create your policy based upon the exceptions, but rather on the norm. If most of your users do not require executable content to be sent to them, block, filter or strip these harmful attachments as soon as they are received from Internet mail servers, prior to any virus scanning.
What Can Be a Harmful Attachment?
Each operating system (OS) has its own unique executable requirements, so each organization should review their assets and prioritize the threats that each OS faces. The majority of the desktop systems today are Windows based. As such, many organizations begin to address the harmful attachments that can affect these systems first. The following Windows based executables can contain harmful code and unless there is a true business requirement, should be blocked prior to entering an organization.
Sometimes business requirements dictate that certain individuals must receive these types of executables from outside sources. There are several ways to approach this problem. One method is to request that the sender zip or encrypt the file prior to sending. Another would be to have the sender inform the recipient of the location to retrieve the expected file, similar to the method that software vendors use to inform users about upgrades or patches. This solution forces the recipient manually to take action to retrieve the executable file.
One critical large organization took the above steps over two years ago and has dramatically lowered the virus infection rate from 50-100 captured viruses per day to fewer than three per month. The main factor in lowering the rate was the blocking of unnecessary executable files at its perimeter. This past week over 1,000 Nimda virus executables were attempting to enter each day, but were unsuccessful. While many organizations were struggling with the latest virus, this organization was able to continue to conduct its day-to-day routine without the unnecessary burden of having to shift resources to deal with virus infections. By blocking executables at its perimeter, this organization does not have to worry about future *.EXE viruses that may appear, since all *.EXE files are filtered out prior to entering the organization.
By only blocking known viruses at the perimeter (for example, README.EXE, the Nimda virus) organizations take a reactive mode, i.e. someone must add the name to the blocked list and keep up to date with all the changes on each of the perimeter devices. These updates can be very time consuming and often are not consistent throughout an organization's perimeter. However, if an organization blocks all *.EXE files, its security stance becomes much more proactive as a blocked virus-name list does not need not be maintained. Therefore, they are protected from tomorrow's *.EXE virus entering their network through email.
Make Your Environment Unique
Reacquire control of your perimeter devices and do not trust your brand, intellectual property or customer data to outside personnel. Often organizations believe that they do not have 'anything to hide' or have 'nothing of value' to attackers. Unfortunately, most systems that are being infected today are not necessarily manually targeted by attackers, but rather attacked in bulk with thousands of other hosts.
Perimeter devices are merely speed bumps if they are not properly configured or maintained. Place strict polices on what types of traffic can pass into and out of your environment. For example, filter UDP port 69 (tftp) inbound and outbound at gateways and firewalls, and filter TCP ports 135-149 and 445 inbound and outbound at perimeter firewalls.
The group most often forgotten about is the administrators. These personnel often have elevated rights or permissions throughout the environment and are normally relaxed when it comes to the security of their own accounts. Review your organization's policies concerning administrative accounts. Since most of the harmful viruses expect to be executed as an administrator, require that administrators use two separate accounts. One account should be granted administrative privileges and only be used for performing administrative functions. The second account, with ordinary user privileges, should be used for web browsing, reading email, and other routine daily tasks. Under a properly configured Windows NT or Windows 2000 system, ordinary users cannot make dangerous system-wide changes such as creating, modifying or deleting user accounts, or creating OS backdoors.
In today's networked world, we are no longer alone. Today the enemy is attempting to copy, steal or view protected assets that you would not normally provide to someone physically entering your building. Other potential motives are to disrupt your business and harm your brand. By simply adopting some of these industry best practices, you can reduce your total cost of ownership and regain control of your network.
Jaime Borrego, @stake (www.atstake.com) managing security architect, was formerly the information security officer for the executive office of the president of the United States.