Countermeasures: A Quarterly Review of News and Ideas on Integrated Network Security (Volume 1)

COMMENTARY

Real Security is About (Always) Being Prepared

By Bruce Schneier, CTO, Counterpane Internet Security, Inc.

If you'll forgive the possible comparison to hurricanes, Internet epidemics are much like severe weather: they happen randomly, they affect some segments of the population much more than others, and the effectiveness of your defense is determined by your security processes.

Zotob was the first major worm outbreak in a year and a half, since MyDoom in January 2004. It happened fast: less than five days after Microsoft published a critical security bulletin (their thirty-ninth bulletin of the year). Its effects varied greatly from organization to organization: some networks were brought to their knees, while others didn't even notice.

The worm started spreading on Sunday. Honestly, it wasn't much of a big deal. The reason it got so much play in the press was that it happened to hit a number of major news outlets, most notably CNN. If a news organization is personally affected by something, they're much more likely to report extensively on it. We ensured that our customers updated their IDS signatures and helped them recover if they were infected. We continued to provide expert assistance in all aspects of the epidemic.

By Wednesday, there were at least a dozen other worms that exploited the same vulnerability, both Zotob variants and others completely different. Most of them tried to recruit computers for bot networks, and some of the different variants warred against each other -- stealing "owned" computers back and forth. If your network was infected, it was a mess.

Two weeks later, the 18-year-old who wrote the original worm was arrested, along with the 21-year-old who paid him to write it. It seems likely the person who funded the worm's creation was not a hacker, but a criminal looking for a profit.

The nature of worms has changed in the last couple of years. Previously, worms were all written by hackers looking for prestige or just wanting to cause damage. Increasingly, they're written by, or commissioned by, criminals. By taking over computers, worms can send spam, launch denial-of-service extortion attacks, or search for credit card numbers and other personal information.

What could you have done beforehand to protect yourself against Zotob and its kin? "Install the patch" is the obvious answer, but it's not really a satisfactory one. There are simply too many patches. While it's easy for a lone computer user to set up patches to automatically download and install -- at least Microsoft Windows system patches -- large corporate networks can't. Far too often patches cause other things to break.

It would be great to know which patches are actually important and which just sound important. Before the weekend, the patch that would have protected against Zotob was just another patch; by Monday morning, it was the most important thing a sysadmin could do to secure his network.

Microsoft had six new patches available on August 9th: three critical (including the one that Zotob used), one important, and two moderate. Could you have guessed beforehand which one would actually be critical? When the next batch of patches is released, will you know which ones you can put off and for which ones you need to drop everything, test, and install across your network?

Given that it's impossible to know what's coming beforehand, how you respond to an actual worm largely determines the effectiveness of your defense. You may need to respond quickly, and you will certainly need to respond accurately. And given that it's impossible to know beforehand what the necessary response will look like, you need a process for that response. Employees come and go, so the only thing that ensures a continuity of effective security is a process. You need information, accurate and timely, to fuel this process. And finally, you need experts to decipher the information, figure out what to do, and implement a solution.

The Zotob "storm" was both typical and unique. It started very soon after the vulnerability was published, but I don't think that made a difference. Even worms that use six-month-old vulnerabilities find huge swaths of the Internet unpatched. It was a surprise, but they all are. It spawned an assortment of variants, which is now common. And it's an example of an increasingly common criminal hacking trend.

We believe that Counterpane's monitoring and management service is both effective and cost-effective in dealing with this kind of thing. Because when you don't know what's going to happen or when it's going to happen, the level of your preparedness and your ability to respond determine your security.

INDUSTRY NEWS

Zotob Attacks, Silences Media

The latest bad boy in the growing parade of Internet villains proved to be a fast-moving mutant with a taste for news. On August 14, just three days after the proof-of-concept exploit code was published on the Internet, Zotob.A/B was unleashed on an unsuspecting media world. Computers were shut down at over 100 companies, including media giants CNN, The New York Times and The Financial Times. Within four days, over 15 variants of worms and bots had been created and distributed.

Zotob exploits a buffer overflow vulnerability in the Plug-and-Play (PnP) module installed by default in most Microsoft operating systems. The module is reachable from networked computers via the MS DCOM framework, and a host is compromised because the hosts making DCOM requests are not properly authenticated. Though the vulnerability exists in Windows XP, 2000 and 2003, only Windows 2000 seemed to be affected by the latest outbreak.

In an uncommon display of urgency and cooperation, Moroccan authorities, working with Microsoft, Turkish authorities and the FBI, arrested 18-year-old Moroccan-born Farid Essebar (aka Diabl0) and 21-year-old Turkish citizen Atilla Ekici (aka Coder). The two men were arrested after Microsoft tracked the worm's electronic trail across the Internet and passed its findings to the FBI. The men were characterized as professional criminals, adding further evidence of the alarming shift from recreational hacking to malicious criminal intent.

Counterpane issued its initial Threat Bulletin on Monday, August 15, and identified its first Zotob incident within hours of the first customer notification. On Wednesday, August 17, the CIS Threat Bulletin was updated to add Zotob mutants as well as ICRbot and Botzori. Zotob.E was identified by CIS MDS devices on August 18.

Zotob Attack Timeline

...............

Counterpane Adds "Safe Cloud" Enhancement To E-Mail Scanning Services

During the fourth quarter, Counterpane will begin offering its customers "in the cloud" protection and control functionality to scan organizations' incoming and outgoing web traffic for malicious code and web-borne spyware. The new enhancement adds an additional layer of protection by intercepting threatening web content at the Internet level before it gets near the customer's network.

Incorporating anti-virus, anti-spyware and web filtering services, the "Safe Cloud" enhancement will bolster the integrity of the customer's electronic communications infrastructure and improve the timely flow of critical business information by:

  • Reducing potentially costly company exposure due to inadvertent employee activity
  • Discouraging criminal activity now taking advantage of the serious flaws in web browsing applications
  • Creating productivity benefits through the elimination of time-wasting distractions

The new enhancements will assist customers in enforcing web acceptable usage policy and help ensure relevant regulatory and legislative compliance by monitoring and controlling Internet content into and out of the customer's organization with web URL filtering. The solution is highly configurable and allows for various URL category and content-based policies, giving customers greater control while protecting employees and brand reputation and reducing the risk of employee litigation.

Key solution benefits:

  • Ease-of-deployment - Can be quickly implemented without the requirement for network software or hardware
  • Ease-of-administration - Can be easily administered through a centralized web-based customer portal
  • Best-of-breed protection - Uses a multi-tier protection model, incorporating reactive scanners and proactive heuristics
  • High performance - Does not introduce latency to Internet access
  • Roaming user protection - Organizations can secure web communication for all users accessing the internet, whether inside the LAN or externally
  • Low total cost of ownership - Eliminates the overhead of appliances, updates and management, thus reducing overall costs

Counterpane's "Safe Cloud" enhancement is powered by MessageLabs. For more information, contact a Counterpane Security Specialist at info@counterpane.com or 888-710-8175.

SECURITY WATCH

Carefully selected teams of talented Security Analysts staff Counterpane's Global Security Operations Centers (SOCs) in Mountain View, CA and Chantilly, VA 24 hours a day, year round. From this vantage point, they monitor over 500 networks for customers whose businesses stretch from the money centers of the U.S., Europe and the Orient to outposts in the most remote corners of the globe.

SECURITY WATCH data is a composite of global security events identified by Counterpane Security Analysts during the previous reporting period. It provides a snapshot of the threat conditions encountered during that period by Counterpane customers. All events are considered attacks until reviewed and confirmed or downgraded by the customer.


Attack Conclusions:

  • System Error: Hardware / Software / Operating System errors that are not typically associated with security events but may be a symptom of an in-progress attack (Example: System reboot).
  • Attempted System Exploit: Attack vectors that are known by Counterpane to cause system compromise (Example: buffer overflow attacks).
  • Suspicious Device Error: Hardware / Software / Operating System errors that may or may not indicate first steps in compromise (Example: Disk Drive Full).
  • Suspicious User Activity: User errors that may or may not indicate first steps in compromise (Example: Account lockout due to incorrect password attempts).
  • Security Policy Violation (Confirmed): Network activity confirmed by the customer that is not authorized.
  • Web Attacks: Web-based alerts that might indicate network attacks but that the customer has not confirmed (Examples: CMD.EXE execution attempts, Cross Site Scripting, IIS Buffer Overflow attempts).
  • Worm (Minor): Worm from a single host on the Customer network.
  • Scans: Single source scanning attempts of multiple hosts seeking potential vulnerabilities. (Examples: Amanda Scan, Cyberkit Scans)
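A small triage classifier over the conclusion categories above, added here as an illustration and not Counterpane's own tooling; the sample events, the customer address range and the multi-host threshold are all constructed assumptions:

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample events (not real customer data): (source, destination, message).
EVENTS = [
    ("10.0.0.5", "10.0.0.9", "Account lockout: too many incorrect password attempts"),
    ("10.0.0.7", "10.0.0.7", "Disk drive full on volume C:"),
    ("192.0.2.10", "10.0.0.20", "HTTP request for cmd.exe rejected"),
    ("10.0.0.9", "10.0.0.9", "System reboot"),
    ("192.0.2.11", "10.0.0.21", "Buffer overflow attempt in RPC request"),
    ("192.0.2.12", "10.0.0.30", "Connection to port 445"),
    ("192.0.2.12", "10.0.0.31", "Connection to port 445"),
    ("192.0.2.12", "10.0.0.32", "Connection to port 445"),
    ("10.0.0.40", "10.0.0.50", "Connection to port 445"),
    ("10.0.0.40", "10.0.0.51", "Connection to port 445"),
    ("10.0.0.40", "10.0.0.52", "Connection to port 445"),
]
CUSTOMER_NET = ip_network("10.0.0.0/8")  # assumed customer address space
MULTI_HOST = 3                           # assumed threshold: distinct targets per source

# Message patterns mapped to the conclusions listed above; first match wins.
RULES = [
    (re.compile(r"cmd\.exe|<script", re.I), "Web Attacks"),
    (re.compile(r"buffer overflow", re.I), "Attempted System Exploit"),
    (re.compile(r"account lockout|incorrect password", re.I), "Suspicious User Activity"),
    (re.compile(r"disk drive full", re.I), "Suspicious Device Error"),
    (re.compile(r"system reboot", re.I), "System Error"),
]

def classify(events):
    """Return (conclusion, source, detail) tickets; each counts as an attack until reviewed."""
    tickets, targets = [], defaultdict(set)
    for src, dst, msg in events:
        targets[src].add(dst)
        for pattern, conclusion in RULES:
            if pattern.search(msg):
                tickets.append((conclusion, src, msg))
                break
    # One source touching many hosts: a worm if it sits on the customer network, else a scan.
    for src, dsts in targets.items():
        if len(dsts) >= MULTI_HOST:
            inside = ip_address(src) in CUSTOMER_NET
            tickets.append(("Worm (Minor)" if inside else "Scans", src,
                            f"{len(dsts)} hosts contacted"))
    return tickets

def summarize(tickets):
    """Count tickets per conclusion, the view an analyst triages from."""
    return Counter(t[0] for t in tickets)
```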

During any given period, experience suggests that at least one customer will come under abnormally intense pressure from a host of threats. This was the case for a major financial services customer whose network had over 17,000 tickets elevated for review by Counterpane Security Analysts. After comprehensive threat evaluation, only 17 required actual customer involvement, again demonstrating the ability of Counterpane's managed security to provide a first line of network defense while simultaneously reducing customer workload and associated costs.

WHAT'S NEW @ COUNTERPANE

Professional Services

Counterpane Security Consulting Expands Offerings, Anticipating Customers' Evolving Needs

Anticipating its customers' evolving business needs, Counterpane is expanding its Security Consulting offerings to encompass:

  • Audit Compliance Services
  • Threat Assurance Services
  • Brand Protection Services
  • Due Diligence Services

All four practice areas will provide Counterpane with deeper knowledge of customers' infrastructure, employees' activities, policies & procedures, and experiences as well as improve security posture, with fewer vulnerabilities, better fault tolerance, less fragile workflows, better-educated staff, and reduced liability exposure.

For more information, contact Adam Rice, Counterpane Director of Professional Services, at ps@counterpane.com or 703-227-5939.

...............

Alliance Partners

WilTel Enhances Managed Security Services through an Alliance with Counterpane

WilTel Communications has enhanced its portfolio of Managed Security Services (MSS) through an alliance with Counterpane. The new alliance enables WilTel to expand its enterprise security offering of intrusion detection, firewall and vulnerability scanning services to include intrusion prevention and managed e-mail security services. All security services are available either individually or bundled within complete security solutions. Multiple equipment options enable enterprises to purchase, rent or utilize existing hardware, giving them the flexibility to retain control of select portions of their security infrastructure or outsource all of it to WilTel. The increase in security threats, combined with more complex communications requirements, demands constant surveillance of a corporation's distributed network. Combining WilTel's industry-leading communications solutions with Counterpane's Managed Security Services helps organizations attain an unprecedented level of availability while providing security with less budget and fewer resources.

For more information, contact Chris Wixom, Counterpane Director of Business Development, at alliance@counterpane.com or 703-728-7359.

...............

Solutions

Simplifying the Management of Log Retention Devices

Counterpane's Managed Log Retention service provides best-practice guidance on the implementation and operation of the log retention device deployed in the enterprise network. Core features include:

  • Aggregation: high speed, unfiltered collection of logs from distributed servers, applications and network devices for consolidation of events into a single SQL database.
  • Analysis and Alerting: custom data access capabilities providing analysis of data through specialized views and customizable reporting.
  • Management Archives: forwards and stores copies of access and activity as well as configuration changes for long-term storage.

For more information, contact a Counterpane Security Specialist at info@counterpane.com or 888-710-8175.

©2005 Counterpane Internet Security, Inc.