Manila Bulletin Online
Wed Feb 01, 2006
Security Secrets and Strategies
Things you should know about BLENDED THREATS



The Internet has transformed how we live and work. Its pervasiveness and accessibility have brought countless benefits to individuals and businesses. Yet those same characteristics have also provided new opportunities for misconduct.

IT professionals and end users alike are challenged by increasingly complex and powerful threats. We at Symantec call them "blended threats" because they are vastly different from traditional viruses and worms. The Nimda worm, discovered on September 18, 2001, is an example of a blended threat, and its rapid spread shows how the strategy of "one threat, one cure" has become outdated. What set Nimda apart from other Internet worms was its use of multiple vectors of infection and the efficiency and speed with which it propagated to new victims.

In order to understand the impact of a blended threat, it is helpful to understand its unique characteristics. A blended threat is a security threat that uses multiple methods to attack or propagate.

CHARACTERISTICS:
1. Causes harm
2. Uses multiple attack methods
3. Automated (requires no user action to trigger)
4. Exploits vulnerabilities
5. May have multiple propagation methods

Causes harm
A blended threat causes more than one injury to the system. Nimda, for example, injected malicious code into each .exe file on the system, escalated the privilege level of the Guest account, created world-readable and writable network shares, made numerous registry changes, and injected script code into HTML files. Cleanup was particularly difficult because of all the points of damage.

Automated
Typically, viruses require some human intervention in order to spread, such as sending an infected file to another user or opening an email attachment that triggers the propagation. Blended threats are automated like a worm and continue to spread without human intervention. This can take many forms, including scanning the Internet for vulnerable servers to infect and using their own built-in SMTP engine to send out infected emails.

Exploits vulnerabilities
One of the most dangerous characteristics of a blended threat is that it exploits vulnerabilities. This often results in unauthorized administrative (root-level) access to servers, exposing all of the information stored on them. Typically, blended threats exploit known vulnerabilities such as buffer overflows, HTTP input validation flaws, and known default passwords, which can be easily mitigated with existing operating system and application security patches and configuration changes. Unfortunately, many systems are not up to date with the latest patches.

May have multiple propagation methods
Multiple methods of propagation make containment of the threat a challenge. A blended threat can automatically use any one of the several vulnerabilities it knows how to exploit to compromise a system. Even if one security patch eliminates one vulnerability, another unpatched vulnerability or a misconfiguration of the system may still allow compromise.

By combining these characteristics, blended threats have the potential to be more prolific and deliver more damage than the typical virus or worm. A single security technology on its own is not sufficient to defend against them, as Nimda and Code Red demonstrated. Even with firewall and anti-virus technologies implemented, at some level, in most enterprises, these blended threats were still able to damage systems worldwide, costing billions of dollars. Blended threats require an integrated solution. Only by deploying security-in-depth at the client, server and gateway levels can an enterprise successfully defend against these complex attacks.

Security experts agree that implementing best practices in a consistent, ongoing manner is the best defense against infection and the best way to minimize harm. Best practices focus on reducing your exposure to the most commonly exploited vulnerabilities and increasing the effort and expense required to attack, so that attacking becomes unattractive. The 80-20 rule of vulnerability management recognizes that 80 percent of successful attacks use just 20 percent of a system's vulnerabilities, so an IT organization can best spend its resources on that 20 percent.

There are three specific areas of security on which to focus: removing unneeded services, enforcing strong passwords, and keeping patches up to date.

Remove Unneeded Services
Organizations need to determine which services they truly require and remove any that are unnecessary. For services that are needed, software patches should be installed as soon as possible after a vulnerability is disclosed. Every service listening on a TCP or UDP port is an exposure, and eliminating unneeded services dramatically reduces a system's attack surface against both known exploits and future, undiscovered vulnerabilities. For example, there is no reason to run Windows NT Server with the IIS Web Server on a company's desktops; removing IIS from those desktops preemptively defeats attacks on that particular target, such as Code Red.
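The practical form of "remove unneeded services" is an audit of what is actually listening compared with what the host is supposed to expose. The script below is an added example, not code from Symantec or the Manila Bulletin; it parses output in the format of Linux `ss -ltnp` (the sample output is constructed, not a real capture) against an allowlist of port/process pairs that is assumed here, and ranks each unexpected listener by whether it is reachable from the network or bound to loopback only.

```python
"""Audit listening TCP services against an allowlist of expected services.

Added example (not from the article). Input format assumed: `ss -ltnp`
on Linux. SAMPLE_SS_OUTPUT and ALLOWED are constructed for illustration.
"""
import re

# Constructed sample in the layout of `ss -ltnp` (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=1204,fd=6),("nginx",pid=1203,fd=6))
LISTEN 0      50     0.0.0.0:445        0.0.0.0:*         users:(("smbd",pid=990,fd=35))
LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=1350,fd=21))
LISTEN 0      128    [::]:8080          [::]:*            users:(("java",pid=2201,fd=54))
"""

# Assumed policy for this host: port -> set of process names allowed to own it.
# Binding the port to a process name catches a different program squatting
# on an "allowed" port (e.g. a test server on 80 instead of nginx).
ALLOWED = {22: {"sshd"}, 80: {"nginx"}}

LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(.*)$")
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_listeners(text):
    """Return one dict per LISTEN line: addr, port, procs=[(name, pid), ...]."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:          # header or non-listening rows are skipped
            continue
        addr, port, proc_field = m.group(1), int(m.group(2)), m.group(3)
        procs = [(name, int(pid)) for name, pid in PROC_RE.findall(proc_field)]
        listeners.append({"addr": addr, "port": port, "procs": procs})
    return listeners


def is_exposed(addr):
    """True if the socket is reachable from other hosts (not loopback-bound)."""
    return addr not in ("127.0.0.1", "[::1]")


def audit(listeners, allowed=ALLOWED):
    """Return findings for every listener not covered by the allowlist,
    sorted by port. Exposure to the network sets the severity."""
    findings = []
    for l in listeners:
        names = {name for name, _ in l["procs"]}
        permitted = allowed.get(l["port"], set())
        if names and names <= permitted:
            continue  # expected port owned only by the expected process
        severity = "HIGH" if is_exposed(l["addr"]) else "LOW"
        findings.append({
            "port": l["port"],
            "addr": l["addr"],
            "procs": sorted(names) or ["unknown"],  # no process info if not root
            "severity": severity,
        })
    return sorted(findings, key=lambda f: f["port"])


if __name__ == "__main__":
    for f in audit(parse_listeners(SAMPLE_SS_OUTPUT)):
        print(f"{f['severity']:4} {f['addr']}:{f['port']} owned by {', '.join(f['procs'])}")
```

On a real host replace SAMPLE_SS_OUTPUT with the output of `ss -ltnp` run as root (without root the process column is empty, and the script flags such listeners as "unknown" rather than silently passing them). Anything rated HIGH is a candidate for removal or, if it must stay, for the patching discipline described next.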

Implement Strong Passwords
The use of strong passwords, enforced through consistent and frequent vulnerability assessment, can help mitigate the most common exploit, the brute force password attack. Strong passwords should be at least eight characters long, should include alphabetic, numeric and special characters, and should be changed regularly. They should not include repeated characters, a common word, or a name.
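The policy above can be enforced mechanically at password-set time, which is where it is cheapest. The checker below is an added example, not Symantec's code; it implements exactly the rules stated in the paragraph, and goes one step further by undoing common letter substitutions so that "P@ssw0rd" is still caught as the word "password". Two readings are assumptions: "repeating characters" is taken to mean the same character twice in a row, and the word and name lists are tiny constructed stand-ins for a real dictionary.

```python
"""Check a candidate password against the article's policy.

Added example (not from the article). Assumptions: "repeated character"
means two identical characters in a row; COMMON_WORDS and COMMON_NAMES are
constructed placeholders for a real dictionary and name list.
"""
import string

COMMON_WORDS = {"password", "welcome", "letmein", "summer", "manila", "symantec", "admin"}
COMMON_NAMES = {"maria", "john", "jose"}

# Common symbol/digit-for-letter substitutions attackers try first.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(pw):
    """Lower-case and undo leet substitutions before dictionary matching."""
    return pw.lower().translate(LEET)


def check_password(pw):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isalpha() for c in pw):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in pw):
        problems.append("no numeric character")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    if any(a == b for a, b in zip(pw, pw[1:])):
        problems.append("contains a repeated character")
    norm = normalize(pw)
    hits = sorted(w for w in COMMON_WORDS | COMMON_NAMES if w in norm)
    if hits:
        problems.append("contains common word or name: " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    for candidate in ("abc123", "P@ssw0rd1!", "Maria2024$", "Tr0ub4dor&3"):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

Note that the dictionary check runs on the normalized string, so a password that satisfies every character-class rule can still be rejected; that is the intended behaviour, since brute-force tools apply the same substitutions.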

Keep Patches Up to Date
Blended threats exploit known vulnerabilities. Keeping your operating systems and applications up to date with the latest security patches closes the holes that blended threats rely on; a system missing even one applicable patch remains exposed.
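Knowing whether a host is "up to date" means comparing what is installed against the versions in which each advisory was fixed, and doing the version comparison correctly. The script below is an added example, not from the article: the inventory, advisory IDs and version numbers are all constructed and fictitious, and versions are assumed to be dotted numeric strings. The case that bites in practice is included: compared as strings, "8.1.3" sorts after "8.1.10" and the missing patch would be reported as applied.

```python
"""Report advisories whose fix is not yet installed on a host.

Added example (not from the article). INSTALLED and ADVISORIES are
constructed, fictitious data; versions are assumed to be dotted numerics.
"""
import re

# Constructed host inventory: product -> installed version.
INSTALLED = {
    "webserver": "5.0.11",
    "smtpd": "2.4",
    "dbengine": "8.1.3",
}

# Constructed, fictitious advisories: the version that contains the fix.
ADVISORIES = [
    {"id": "ADV-0001", "product": "webserver", "fixed_in": "5.0.12", "issue": "buffer overflow"},
    {"id": "ADV-0002", "product": "webserver", "fixed_in": "4.9.9", "issue": "input validation"},
    {"id": "ADV-0003", "product": "smtpd", "fixed_in": "2.4.0", "issue": "default password"},
    {"id": "ADV-0004", "product": "ftpd", "fixed_in": "1.0.1", "issue": "directory traversal"},
    {"id": "ADV-0005", "product": "dbengine", "fixed_in": "8.1.10", "issue": "privilege escalation"},
]


def parse_version(v):
    """Split a dotted version into a tuple of integers ("5.0.12" -> (5, 0, 12))."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def version_lt(a, b):
    """True if version a is older than version b. Components are compared
    numerically and padded with zeros so that "2.4" equals "2.4.0"."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return pa < pb


def missing_patches(installed, advisories):
    """Return (advisory id, product, installed, fixed_in) for every advisory
    that applies to an installed product whose version predates the fix."""
    gaps = []
    for adv in advisories:
        current = installed.get(adv["product"])
        if current is None:
            continue  # product not installed: nothing to patch
        if version_lt(current, adv["fixed_in"]):
            gaps.append((adv["id"], adv["product"], current, adv["fixed_in"]))
    return gaps


if __name__ == "__main__":
    for adv_id, product, have, need in missing_patches(INSTALLED, ADVISORIES):
        print(f"{adv_id}: {product} {have} installed, fix is in {need}")
```

Two of the five constructed advisories are reported: the webserver fix one point release ahead of what is installed, and the dbengine fix that a naive string comparison would miss. The advisory already covered by the installed version and the one for a product that is not installed at all are correctly silent, which is the output a team wants when deciding where the "20 percent" effort goes.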

Solutions for Security-In-Depth
Having implemented best practices, the next step is to implement security-in-depth. Security-in-depth aims to create a defensive barrier that is extremely difficult and costly to circumvent, through the combination of anti-virus, content filtering, firewall, vulnerability management, and intrusion detection. This combination makes it very hard to engineer a worm that can bypass every layer. Even if a worm is written to successfully bypass a firewall or intrusion detection system, a security patch identified by vulnerability management will prevent compromise. Likewise, even if a system has not been patched with the latest patches identified by vulnerability management, an application proxy firewall will in most cases block the malicious attack, or anti-virus may quarantine the malware before it executes. The combination of security technologies in a security-in-depth posture means that even if a worm has been written to defeat one security technology, the others will block, prevent, detect, or repair the exploit.

Source:  Symantec Corporation

*****

Announcement: Attend the Powertips 2006 "Security Secrets and Strategies" conference on March 16, 2006 at the Grand Ballroom of Dusit Hotel Nikko. Tickets are available at all SM TicketNet outlets or call 911-5555. You can also register online at www.infochat.com.ph

For your comments, questions and suggestions, send your email to techtvhost@yahoo.com

Copyright © 2001-2005, Manila Bulletin. All Rights Reserved.
