Information Security News mailing list archives

InfoSec 2003: 'Zero-day' attacks seen as growing threat


From: InfoSec News <isn () c4i org>
Date: Fri, 12 Dec 2003 03:31:51 -0600 (CST)

http://www.computerworld.com/securitytopics/security/story/0,10801,88109,00.html

Story by Jaikumar Vijayan 
DECEMBER 11, 2003
COMPUTERWORLD

NEW YORK -- "Zero-day" attacks that take advantage of software
vulnerabilities for which there are no available fixes are emerging as
a major threat to corporate security.

More than ever, the threat underscores the need for companies to have
safe configuration policies for software and systems, as well as good
incident-response and patching capabilities, said users at the InfoSec
2003 trade show here last week.

"I'm very concerned about it," said Joseph Inhoff, LAN administrator
at Lutron Electronics Co., a manufacturer of lighting equipment in
Coopersburg, Pa.

Because such attacks take advantage of flaws before software makers
can fix them, the potential for damage from so-called zero-day
exploits is something Lutron's management is especially worried about,
Inhoff said. "I'm trying to figure out what I can do about it," said
Inhoff, who was at the show to see how automated patching software
could help bolster the company's response capabilities to such
attacks.

Although they have been seen as a major security threat for some time,
there haven't yet been any major zero-day attacks.

But users won't have to wait for long, warned Mary Ann Davidson, chief
security officer at Oracle Corp. and a member of a panel discussing
the topic at this week's event.

For one thing, malicious hackers are getting better and faster at
exploiting flaws, Davidson said. Last summer's Blaster worm, one of
the most virulent and widespread ever, hit the Internet barely a month
after Microsoft Corp. released a patch for the software flaw it
exploited. A variant called Nachi, carrying a dangerous payload, hit
users less than a week later. In contrast, January's SQL Slammer worm
took eight months to appear after the vulnerability it targeted was
first disclosed.

"You can see that the timelines are collapsing," said Davidson. That
trend suggests it's only a matter of time before users see attacks
against flaws not yet disclosed or for which no patches are available,
she said.

The number of new vulnerabilities and exploits surfacing on security
newsgroups is another indication that such attacks aren't far off,
said Todd Kunkel, network systems security administrator at Adelphi
University, a Garden City, N.Y.-based school with more than 7,500
students.

Kunkel monitors such groups on a daily basis to try to keep abreast of
new flaws and see if work-arounds are possible before any exploit code
becomes available. "I try to find out if there is anything that I need
to worry about and see how I can go about fixing it," he said.

The relatively glacial pace at which some corporations patch their
systems against known vulnerabilities also makes them attractive
targets for both conventional and zero-day attacks, said Gerhard
Eschelbeck, chief technology officer at Qualys Inc. in Redwood Shores,
Calif.

Every quarter, Qualys conducts over 1 million vulnerability scans on
behalf of 1,300 clients and "several thousand" prospects, Eschelbeck
said. One such scan in November showed that over 12,000 systems were
vulnerable to a flaw in a Microsoft Windows Remote Procedure Call
function for which no patches were available.

The consequences can be "potentially devastating" for companies, said
Dennis Brouwer, a senior vice president at SmartPipes Inc., a Dublin,
Ohio-based provider of managed networked services. "Your services will
depend entirely on how quickly you are able to respond to such
attacks," he said.

Having good processes in place for real-time vulnerability scanning
and automated patching is key, Davidson said. It's also crucial for
users to ensure that their software vendors are meeting specific
safe-configuration requirements when products are shipped.

Federal agencies are already headed down that path. The U.S.
Department of Energy in September signed a contract with Oracle under
which the software vendor is required to meet a checklist of security
settings when shipping software to the agency. Such measures are a
good way to mitigate exposure to zero-day threats that take advantage
of weak default settings, Davidson said.
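The "checklist of security settings" approach described above can be made mechanical: a receiving organization parses the settings a product ships with and compares them against a required baseline, flagging any setting that is absent (so the vendor default applies) or differs from the required value. The following is an added example written for this page; it is not the DOE/Oracle checklist, and the setting names, required values and sample shipped configuration are all constructed for illustration.

```python
"""Baseline configuration check: compare a product's shipped settings
against a required-settings checklist. All names and values here are
constructed for this example and do not come from any real vendor list."""

from dataclasses import dataclass
from typing import Optional

# Hypothetical safe-configuration checklist (constructed):
# setting name -> (required value, why it matters).
BASELINE = {
    "remote_admin_enabled": ("false",
        "remote administration should be off until explicitly enabled"),
    "default_account_password_changed": ("true",
        "shipped default credentials are a classic weak default setting"),
    "listen_address": ("127.0.0.1",
        "a service bound to all interfaces is exposed before it is hardened"),
    "audit_logging": ("on",
        "incident response needs a record of what happened"),
    "unused_services_disabled": ("true",
        "every extra listener is attack surface for a flaw nobody has patched yet"),
}


@dataclass(frozen=True)
class Finding:
    setting: str
    expected: str
    actual: Optional[str]   # None when the setting is absent from the shipped config
    rationale: str


def parse_settings(text: str) -> dict:
    """Parse 'key = value' lines; blank lines and '#' comments are ignored.
    Keys are lower-cased so casing differences do not mask a mismatch."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def check_baseline(settings: dict, baseline: dict = BASELINE) -> list:
    """Return one Finding per baseline setting that is missing or wrong.
    A missing setting is reported too: silence means the vendor default
    applies, which is exactly the weak-default exposure the checklist targets."""
    findings = []
    for name, (required, why) in baseline.items():
        actual = settings.get(name)
        if actual is None or actual.lower() != required.lower():
            findings.append(Finding(name, required, actual, why))
    return findings


def report(findings: list) -> str:
    """Human-readable summary suitable for handing back to the vendor."""
    if not findings:
        return "PASS: shipped configuration meets the baseline"
    lines = [f"FAIL: {len(findings)} setting(s) deviate from the baseline"]
    for f in findings:
        shown = "<absent>" if f.actual is None else f.actual
        lines.append(f"  {f.setting}: expected {f.expected!r}, got {shown!r} ({f.rationale})")
    return "\n".join(lines)


# Constructed sample of settings as a product might ship them.
SAMPLE_SHIPPED_CONFIG = """\
# vendor defaults (constructed sample)
remote_admin_enabled = true
default_account_password_changed = false
listen_address = 0.0.0.0
audit_logging = ON
"""

if __name__ == "__main__":
    print(report(check_baseline(parse_settings(SAMPLE_SHIPPED_CONFIG))))
```

Run against the constructed sample, the check reports four deviations (remote administration on, default password unchanged, service bound to all interfaces, and the unused-services setting absent altogether) and accepts `audit_logging = ON` despite the casing difference; the same function returns an empty list once every baseline setting is present with its required value.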



-
ISN is currently hosted by Attrition.org
