THE CASE FOR PROACTIVE NETWORK SECURITY: WORMS, VIRUSES

1
THE CASE FOR PROACTIVE NETWORK SECURITYWORMS,
VIRUSES BUSINESS CONTINUITYPresented to
Dr. Yan ChenMITP 458- Information Security
AssuranceBusiness Case Study Presentation09
June 2007by The Loop GroupFarney, Heilprin,
Leonard
2
2001 THE END OF REACTIVE NETWORK SECURITY

• The Year of the Worm (3) major worms released
  July-September 2001
• Code Red
• 2.6bn estimated damage
• Simple buffer overflow infected 350,000 hosts in
  single day
• Code Red II
• Same attack vector (.ida), but different
  signature
• Nimda
• Mass-mailing, multivariate attack
• All based on previously released and patched
  vulnerabilities
• MS01-033, MS00-052, MS00-078, MS01-020
• A/V software useless
• Used firewall ports not needed (externally) in
  the first place
• 135, 137, 138, 139, 445, 593, 1639, 2000-3000,
  3127-3198

100 Preventability!
3
HEROIC IT NOT ENOUGH, PEOPLE AND PROCESS
REQUIRED

• Speed of attack dispersion and increased
  geographic expansion make it impossible to react
  to todays threats
• Design and deploy network security operations
  infrastructure in which automatic patch
  management plays central role
• Vulnerabilities addressed on release day (making
  test assumption)
• Proactively tighten defenses
• deny all vs. allow all on interior firewall
  interfaces
• Perform network analysis to determine required
  business functions and corresponding ports, deny
  all else

2001 attacks responsible for major shift in
corporate defenses

• Heroic IT Management Is No Longer Enough, Diamond
  Cluster Viewpoint, 2004

4
NEXT PARADIGM SHIFT STRING SCANNING -gt
HEURISTICS

• Zero Day attacks becoming more common
• Virus definitions and patches not available
• Ex post mechanism is folly- by focusing on
  catching attack of the past, you miss the attack
  of the future1
• A new proactivity required behavior based
  security
• Create behaviors for which to look for, not
  specific strings
• Heuristics is the only way to protect against
  Zero Day attacks
• Looks for anomalous activity like
• Use off the shelf software, security services, or
  product like Internet Motion Sensor
• Most A/V software today uses heuristics at some
  level
• Most effective are agent-based products dedicated
  to this type of analysis

• The Efficacy of Network-Level SPAM Mitigation ,
  Sean Farney, MITP 458, 2007

5
PERSONAL LESSONS LEARNED

• Globally dispersed operations offers challenges
• Follow-the-sun staffing great for finite
  day-to-day tasks, but can impede focus on large
  events
• Lack of 24x7 line responsibility allows
  transition gaps and requires re-activation energy
• Consider centralization and/or sourcing to true
  24x7 model/provider for consistent and efficient
  handling of operations
• Patching systems, either internally or
  externally, produce same effect
• Remove human element from revision compliance
• Commonplace now, but still new in 2001
• Fight battles before they start, be as proactive
  as possible
• The Freedom1 of Deny All

• See Nietzsches Twilight of the Idols