Security--why don't we get it?

Zone Labs CEO Gregor Freund says a run of software worm outbreaks has exposed a broken security philosophy.

I know this statement seems unbelievable to anyone who spent hours cleaning up after these worms. But the cold truth is that these worms barked more loudly than they bit. If their malicious payloads had been as effective as their propagation techniques, the computing infrastructure upon which we all rely could easily have been devastated.

Devastation didn't happen.

But a wake-up call sounded for those willing to hear it: Our defenses failed because our legacy security model is reactive. We depend upon vendors who react to a security threat by rushing out patches, antivirus and Intrusion Detection Systems (IDS) definitions, etc., that defend against only that specific threat. It's the digital version of closing the barn door after the horse gets out.

To make things worse, the gap between the publication of a new vulnerability and the appearance of an exploit that takes advantage of it is collapsing. More alarming still, our window to react to such exploits is shrinking. Slammer, for example, infected 90 percent of all vulnerable PCs on the Internet in 10 minutes. We must instead adopt a proactive security model that neutralizes attack vectors before a true crisis occurs.

How could it have been worse?
Unarguably, the damage from these threats was serious: Billions of dollars in repairs and lost revenue. And then there were the worms' "real-world" intrusions. Sobig.F infected and shut down a large railroad network in the eastern United States.

Slammer disabled Bank of America's automatic teller machine networks, caused the cancellation of Continental Airlines flights and took a nuclear power station offline for five hours. But these outcomes were basically incidental--the worms were coded to disrupt any system. They didn't target those organizations in particular.

But what if they had? What if these worms that so easily penetrated the defenses of some of the country's top enterprises--private and public--had used that same level of skill to attack critical infrastructure? Power grid experts say that the recent East Coast blackout wasn't caused by a virus but warn that the systems in question are definitely vulnerable. Can we expect that other utilities--water, gas or municipal services--are vulnerability-free and able to withstand such targeted attacks?

Targeted attacks don't just defeat reactive security. They can destroy the actual security mechanisms themselves. Blaster, for example, made a weak attempt at disabling Microsoft's Windows Update service. Luckily, it tipped its hand days in advance, allowing Microsoft to protect its servers.

This highlights another weakness in the reactive model: update mechanisms. No mechanisms, no way to react. If Blaster had attacked Microsoft's upgrade servers immediately, the patches couldn't have been distributed through them, nullifying the software giant's primary method for preventing the worm's spread.

Why are we so vulnerable?
If we take a step back, it's obvious that our fundamental security philosophy--responding to damage--is flawed. Why do we accept that for every worm or virus, we'll spend millions of dollars in containment and cleanup, applying antivirus/IDS pattern updates or operating system patches?

To make matters worse, after-the-fact cleanup is inadequate, even when worms are caught by antivirus software and expunged from networks. Malicious code can weaken network defenses--opening backdoors, stealing files or confiscating passwords--and pave the way for a secondary attack. Who has time to run exhaustive security audits--checking files' integrity, changing passwords, etc.--after network infections?
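The integrity check mentioned above is the part of a post-infection audit that can be automated, which is what makes it practical to run after every outbreak rather than only when time permits. The following is an added example, not code from the column or from Zone Labs: it hashes every file under a directory into a baseline, then re-hashes after the fact and reports what was added, removed or altered. The directory layout, file contents and the "drift" it detects are all constructed for the demonstration.

```python
"""Post-infection integrity audit: baseline hashing and drift detection.

Added example illustrating the "checking files' integrity" step the column
mentions; it is not code from the article or from Zone Labs. The paths and
file contents below are constructed for the demo.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """Return the SHA-256 hex digest of a file, streaming so large files fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (as a relative POSIX path) to its digest and size."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        # Skip directories and symlinks; a symlink's target is hashed via its own entry.
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            baseline[rel] = {"sha256": hash_file(path), "size": path.stat().st_size}
    return baseline


def serialize_baseline(baseline: dict) -> str:
    # The baseline must be kept off-host or on read-only media: a baseline that
    # malicious code on the same machine can rewrite proves nothing.
    return json.dumps(baseline, indent=2, sort_keys=True)


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift between two snapshots: files added, removed, or changed in content."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    # Compare digests, not sizes: a same-size replacement is invisible to a size check.
    modified = sorted(
        p for p in set(baseline) & set(current)
        if baseline[p]["sha256"] != current[p]["sha256"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Baseline a constructed tree, apply constructed changes, and report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "svc").write_bytes(b"\x7fELF original service binary")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")

        # Snapshot taken while the system is known-good, stored as JSON elsewhere.
        stored = serialize_baseline(build_baseline(root))

        # Constructed drift, as an auditor would find after an incident:
        # one binary replaced by a same-size file, one file added, one removed.
        (root / "bin" / "svc").write_bytes(b"\x7fELF modified service binary")
        (root / "etc" / "rc.extra").write_text("# unexpected startup entry\n")
        (root / "etc" / "hosts").unlink()

        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same-size replacement of `bin/svc` is deliberate: it shows why the comparison keys on the digest rather than on size or timestamp, both of which an intruder can preserve. The baseline only has value if it predates the infection and was stored where the infected host could not alter it.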

Even operating system patches sometimes cause more problems than they fix. When vulnerabilities go public, Microsoft is ultraresponsive, rushing patches out the door quickly. But in doing so, they compress the development time for operating system code from months to days, risking quality for expediency.

A recent Microsoft patch accidentally broke hundreds of thousands of users' abilities to establish virtual private network connections. It's not unheard of for Microsoft to release patches of patches. (Or to release multiple patches before the complete vulnerability is addressed.) And as any IT department knows, patches can't be applied without evaluating their effect on other systems. Patches need testing before deploying, and that takes time.

A final ironic note about patches: Credible sources indicate that the very patch that Microsoft released to fix a remote procedure call (RPC) flaw was reverse-engineered by hackers. Allegedly, those results were critical in revealing exactly how Blaster could exploit the RPC vulnerability. If true, Microsoft itself provided road signs.

What can we do?
Don't throw out the defenses already in place; reactive solutions such as antivirus software, IDS and patch management systems do prevent flare-ups, even if they can't prevent initial infections. Do, however, augment these reactive technologies with today's state-of-the-art proactive solutions--both technical and behavioral.

Protect network endpoints and home computers with personal firewalls. The best ones provide default protection against inbound and outbound threats. In fact, the official Blaster response from Microsoft recommends using firewalls--even, remarkably, third-party products.

Choose reliable vendors. Examine their track records. How often are they forced to issue patches? Are they responsive or dismissive to reported vulnerabilities?

Practice smart computing. Don't ignore the human factor. In the enterprise, be sure that company security policies describe acceptable computer practices. Offer user training, timely reminders and reference material such as best-practices intranet pages.

Enforce security policies across the entire network. Policies are effective only if you have iron-clad enforcement. The increase in telecommuting, remote access, and wired and wireless local area networks corresponds to increased complexity in enforcement scenarios.

No single product protects against all threats. Today's multifaceted malware necessitates multiple layers of defense. And the most critical component for your first line of defense is proactive security.