Worm warfare
Wayne Rash (InfoWorld) 02/02/2004 15:55:25

In the middle of last year it seemed the onslaught would never end. One after another, a progression of worms and other malware threatened to bring down systems as enterprises floundered in a morass of unpatched vulnerabilities and malicious e-mails opened by unwary employees.

The worms did more than just annoy. Organisations ranging from the military and commerce up to CSX Corp, one of the larger transportation companies in the world, found themselves temporarily out of business. At CSX, the Nachi worm took out the sprawling railroad’s signalling systems, stranding train traffic for nearly two days.

For now, things appear to have calmed down. New worm attacks have dropped to a lower level — but that doesn’t mean the threat is gone.

It may seem as though the best way to cope with worms is to accept defeat, but that’s not true. You need to stay on your toes and keep up with new techniques for dealing with these worms as they are developed. The best worm defence means doing what you’ve always done — keep your antivirus software up to date, and patch, patch, patch — and backing it up with cultural changes that emphasise the value of security.

Worms at work

Worms do their damage quickly, and they’re getting faster. During one testing session in October, an unprotected server being used by Computerworld’s sister publication InfoWorld at the University of Hawaii’s Advanced Network Computing Lab was infected by Nachi in less than 12 minutes. Worse, there was evidence reported by Symantec’s Deep Sight (then being tested in InfoWorld’s labs) that penetration attempts are on the increase. Are these signs of soon-to-be-released worms?

Right now, it’s impossible to say, but the trends being highlighted by Deep Sight are alarming. Even the experts say we haven’t seen anything yet. “It will get worse,” says Dr Wei Lu, CTO of Permeo Technologies. “It’s now a competition [between worm authors].”

“Significant worms are propagating more frequently,” says Carty Castaldi, vice president of engineering at Mazu Networks. “The authors are getting more sophisticated,” and this growing sophistication means that worms are spreading by new methods and are doing damage even more effectively.

Ian Hameroff, a security strategist at Computer Associates International, agrees. “These [recent] types of worms are a real present danger and threat,” he says. “Luckily they haven’t been that destructive in terms of destroying data.” As do other experts, Hameroff worries that worm creators will combine fast propagation with a destructive payload, such as worms that send private or classified data to an outside location, or destroy or modify data. Hameroff notes that “The time between disclosure of a vulnerability by a vendor and the malware that exploits it is getting shorter,” which is further evidence that worm creators are getting faster and better.

Building an attack plan

Unfortunately, there is no easy way to keep the barbarians and their worms at bay. The best defence is to do as you’ve always done — but with increased vigilance. Check for vulnerabilities, then patch. When you’ve done that, patch some more. And while you’re at it, check for new security tools. Then patch some more.

This patching “consumes a lot of people resources”, says Ken Tyminski, chief information security officer at Prudential Financial, who notes that the company has been “very, very aggressive with patching”.

“When one of these vulnerabilities comes out, everything stops and we start patching everything that needs to be patched,” Tyminski said.

“We have consciously made a decision that we will patch as quickly as we possibly can to stay ahead of these things.” The constant patching is both difficult and expensive, but Tyminski says that it’s absolutely necessary given the increasingly destructive nature of worms.

However, Tyminski does more than just patch — a strategy that boosts his worm-fighting abilities and one that other enterprises should take to heart. Tyminski is careful to patch only when the patch affects software he actually runs. Patching software that you don’t run can cause instability or problems with other, integrated apps, so it’s best to patch only what needs fixing.

He also takes the time to test those patches before deployment. “We do a little bit of triage on them,” Tyminski said, adding that his staff develops a threat profile to determine how quickly it needs to patch any given server.

As another precaution, Prudential is careful about who can access the company network, and what devices and connections they use when they do so. For example, Tyminski uses Sygate’s firewall product to protect individual computers, and he also uses Sygate Technologies’ enterprise product to enforce his security policies.

This means that a user calling into the Prudential enterprise can’t be connected to the company VPN and the Internet at the same time, preventing someone from breaking into a remote machine and using it as a pathway into the enterprise. The Sygate software also enforces antivirus status, patch levels on client machines, and even the client’s current firewall software levels.

A six-step program

All of this no doubt seems like a lot of drudgery, and to some extent it is. But it’s no less important than the process of locking the door at night, or keeping valuable documents in a vault. Good security, especially in the case of worms and viruses, means addressing employee and staff training, physical security, and other cultural changes that allow security technologies to do their best work.

According to CA’s Hameroff, there are six necessary steps, spanning both technical and cultural needs, to keeping your enterprise worm-free.

First, collect vulnerability information. It can come from a number of places, ranging from manufacturers’ published vulnerabilities to chatter on hacker Web sites. You can also have this information collected for you via vulnerability assessment software.

Second, validate the accuracy of your information. There’s a lot of bad information out there, especially when it comes to worms and other security breaches, and until you know it’s correct, you probably shouldn’t act on it. Of course, you don’t want to delay acting on information too long, or you may be more at risk — checking with a respected source, such as the product manufacturer, should help pin down the exact vulnerability.

Third, form a plan to remediate the vulnerability. This may mean applying the appropriate patches, changing hardware or application configurations, or making policy changes, Hameroff explains.

Fourth, inventory your environment — you have to know what you have before you can patch it. This may also help you figure out where potential future vulnerabilities lie, so you can proactively address them in future maintenance. “Stage five is to do an analysis of correlations between your assets and vulnerability knowledge,” Hameroff says, adding that software tools may be able to help here.

Finally, fix the problem then check that you’ve done it correctly.
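Steps four to six of Hameroff’s programme (inventory, correlate assets with vulnerability knowledge, fix and verify) are mechanical enough to script. The example below is added here and is not from the article or from CA; the hosts, products, versions and advisory ids are constructed placeholders, and the priority weighting is an assumption.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    host: str
    software: dict   # product -> installed version ("major.minor.patch")
    exposure: str    # "internet" or "internal" (constructed attribute)

@dataclass
class Advisory:
    advisory_id: str      # placeholder ids, not real advisory numbers
    product: str
    fixed_in: str         # first version that carries the fix
    worm_exploited: bool  # step two: validated as actively exploited

def version_tuple(v):
    """'5.0.12' -> (5, 0, 12) so versions compare numerically, not as text."""
    return tuple(int(p) for p in v.split("."))

def correlate(assets, advisories):
    """Step five: match what you run against what is known to be vulnerable.
    Returns (host, advisory_id, priority), highest priority first.  Hosts that
    do not run the product are skipped (patch only what you actually use)."""
    findings = []
    for asset in assets:
        for adv in advisories:
            installed = asset.software.get(adv.product)
            if installed is None or version_tuple(installed) >= version_tuple(adv.fixed_in):
                continue
            # Assumed weighting: worm-exploited bugs and internet-facing hosts first.
            priority = 1 + 2 * adv.worm_exploited + (asset.exposure == "internet")
            findings.append((asset.host, adv.advisory_id, priority))
    return sorted(findings, key=lambda f: (-f[2], f[0]))

def remediate(asset, advisory):
    """Step six, first half: record the patched version; re-running
    correlate() afterwards is the 'check that you've done it correctly'."""
    asset.software[advisory.product] = advisory.fixed_in

# Constructed inventory (step four) and validated advisories (steps one and two).
ASSETS = [
    Asset("web01", {"httpd": "2.0.48", "rpc-svc": "5.0.1"}, "internet"),
    Asset("db01", {"dbms": "8.1.5"}, "internal"),
    Asset("ws17", {"rpc-svc": "5.0.3"}, "internal"),
]
ADVISORIES = [
    Advisory("ADV-0001", "rpc-svc", "5.0.3", True),
    Advisory("ADV-0002", "dbms", "8.2.0", False),
    Advisory("ADV-0003", "mailer", "1.4.0", True),   # nobody runs it: no action
]

if __name__ == "__main__":
    for host, adv_id, prio in correlate(ASSETS, ADVISORIES):
        print(f"{host}: {adv_id} priority {prio}")
```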

Watching the horizon

As important as it is to make sure your software is patched, it’s also clear that patches aren’t a perfect solution when worms are the problem. Currently, the time between the discovery of a new vulnerability and the exploit that takes advantage of it may be only two or three days. That’s simply not enough time for a large company — even one that moves aggressively — to apply the patches it needs.

Because they simply examine packets as they enter the enterprise, firewalls have their limitations. Firewalls may limit damage, but they won’t stop everything, including most types of worms. Companies thinking that they’re safe with only a firewall in place are deluding themselves.

“You cannot build intelligence that way,” says Permeo’s Lu, who suggests the real secret to detecting worms rests with examining the behaviour of applications. “Usually only a few [apps] are running,” so it’s relatively easy to keep tabs on their performance, Lu explains, suggesting that any unexpected behaviour from an application can be a sign of a worm at work.

Castaldi says that future worm warfare will involve building statistical models of the behaviour of applications. “When there’s anomalous [application] behaviour, it can be used to tell if a worm is propagating and what vector it’s using,” he said. Just watching an application can tell you a lot about what’s going on in your network, and you can keep an eye on traffic with monitoring tools such as those from Zone Labs and similar vendors.
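The statistical approach Lu and Castaldi describe can be sketched as a baseline of each application’s rate of new destinations and an alert when that rate jumps, with the dominant port of the burst as the likely vector. This illustration is added here and is not code from any vendor named in the article; the flow records are constructed and the z-score threshold is an assumption.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

def profile(flows, app):
    """Per minute: how many destinations this app contacted for the first time,
    and which ports those first contacts used.  flows: (minute, app, dst, port)."""
    seen, per_minute = set(), defaultdict(Counter)
    for minute, name, dst, port in sorted(flows):
        if name != app or dst in seen:
            continue
        seen.add(dst)
        per_minute[minute][port] += 1
    return per_minute

def detect(flows, app, baseline_end, z_threshold=4.0):
    """Learn mean and deviation of the new-destination rate over minutes
    0..baseline_end-1, then flag later minutes that exceed z_threshold
    deviations.  Returns (minute, new_hosts, z, port); port is the likely vector."""
    per_minute = profile(flows, app)
    counts = [sum(per_minute[m].values()) for m in range(baseline_end)]
    mu, sigma = mean(counts), max(pstdev(counts), 0.5)   # floor avoids divide-by-zero
    alerts = []
    for minute in sorted(m for m in per_minute if m >= baseline_end):
        n = sum(per_minute[minute].values())
        z = (n - mu) / sigma
        if z >= z_threshold:
            port = per_minute[minute].most_common(1)[0][0]
            alerts.append((minute, n, round(z, 1), port))
    return alerts

# Constructed flow records: ten quiet minutes of a mail agent talking SMTP,
# then one minute in which it suddenly fans out to 40 new hosts on a port it
# never used before, which is what a propagating worm looks like.
FLOWS = []
for m in range(10):
    for i in range((m % 3) + 1):
        FLOWS.append((m, "mailer", f"10.0.{m}.{i}", 25))
    FLOWS.append((m, "mailer", "10.0.100.1", 25))     # usual relay, new only once
FLOWS += [(10, "mailer", f"10.1.0.{i}", 135) for i in range(40)]
FLOWS += [(11, "mailer", f"10.0.11.{i}", 25) for i in range(2)]   # back to normal

if __name__ == "__main__":
    for minute, n, z, port in detect(FLOWS, "mailer", baseline_end=10):
        print(f"minute {minute}: {n} new hosts (z={z}), vector port {port}")
```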

There’s every reason to believe that the worms of 2004 will be more numerous and more destructive than anything we’ve seen. Many security experts believe that the worms of August 2003 were only a test run — a first attempt to see what could be done with this means of attack.

The next step is to create worms for identity theft, for looting corporate secrets, for stealing financial information or other private material. Imagine the havoc that could be caused by one expert’s example of a worm that searches for a database field labelled “SSN”, then randomly changes a single number in each field.

Because of their varied nature and constant evolution, and despite all of the forces arrayed to fight worms, it’s unlikely they will ever be eliminated. Ultimately, enterprises will be limited to managing the threat by triage rather than making worms disappear completely. But with the right tools — and the right practices — it’s possible to keep the threat under control. And getting worms under control is better than the unrestricted spread of damage we’ve already witnessed.
