Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Friday, April 15, 2005

Six Ways To Protect Against Zero-Day Attacks

In the last year, a series of viruses and worms that caused damage across the Internet in record time has made very clear how vulnerable our computer systems are.  The MS Blaster, Slammer, Sasser, and Korgo.W worms have shown that signature-based antivirus software and traditional firewalls are not enough to protect networks.  Everyone is worried about a zero-hour attack: an attack based on a previously unknown vulnerability and completely immune to antivirus software.  What can you do to protect your network from such an event?

Use file integrity checking

File integrity checking tells you if the software you think you have installed on your network is actually what it is supposed to be.  There are a number of free utilities to do this; Tripwire is the best known among them.  Traditionally, file integrity checking is used to identify recent changes on a PC.  That way, when things go desperately wrong you can try to back out of the latest changes.  File integrity checking is also useful for discovering spyware and viruses your antivirus software has missed.
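The core of what a file integrity checker does, as an added example (this is not code from the post and not Tripwire): hash every regular file under a directory to build a baseline, then compare a later scan against it and report what was added, removed or modified.  The directory and file names are constructed for the demo.

```python
"""File integrity baseline and comparison.

Added example, not code from the original post and not Tripwire: it shows the
core of what a file integrity checker does. It hashes every regular file under a
directory with SHA-256 to build a baseline, then compares a later scan against
that baseline and reports added, removed and modified files. The demo runs on a
constructed temporary directory so it works offline.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """Return the hex SHA-256 digest of a file, reading it in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map each regular file (path relative to root, POSIX form) to its digest.

    Symlinks are skipped so a link pointing elsewhere cannot stand in for a file.
    """
    baseline: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify the differences between a stored baseline and a fresh scan."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline three files, then alter the tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "svc.exe").write_bytes(b"original service binary")
        (root / "config.ini").write_text("mode=safe\n")
        (root / "readme.txt").write_text("hello\n")
        baseline = build_baseline(root)

        # Simulated later state: one binary replaced, one file dropped in,
        # one file deleted, config.ini untouched.
        (root / "bin" / "svc.exe").write_bytes(b"replaced service binary")
        (root / "bin" / "extra.dll").write_bytes(b"unexpected new file")
        (root / "readme.txt").unlink()
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline is only as trustworthy as where it is kept: store it off the machine or on read-only media, because anything that can modify the files can also rewrite a baseline sitting next to them.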

Run new or unknown software in a sandbox

A new generation of antivirus software extends file integrity checking by making unknown software run in a “sandbox.”  This form of isolation prevents viruses or worms from propagating unless they can trick a known program into doing the work for them.  Another way to develop a sandbox is by using Microsoft’s Active Directory to keep users from installing anything new.  Any new software is then carefully checked by the network administrator before it is installed on the rest of the network.  In effect, this makes the network administrator’s PC the sandbox.

Scan autoruns

Each PC’s autorun programs should be periodically scanned for threats.  There is a terrific free utility from SysInternals that will show you everything that is run when you boot up your PC.
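A listing of autorun entries is only useful if somebody reads it, so here is an added example (not from the post and not from SysInternals) of the first-pass triage a reviewer applies to such a list: flag entries with no publisher, unsigned images living in user-writable directories, double extensions, and unusual image types.  The entries, paths, publisher list and heuristics are all constructed assumptions for the demo.

```python
"""Autorun entry triage.

Added example, not from the original post or from Sysinternals. It works on a
constructed list of entries shaped like what an autorun lister reports (entry
name, registry location, image path, publisher) and flags the ones a reviewer
should look at first. The heuristics and lists are assumptions for the demo,
not a published rule set.
"""
import ntpath

# Directories a standard user can write to. Persistence set up by malware often
# lives here, because dropping a file there needs no administrator rights.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# Publishers treated as trusted for the demo (constructed list).
TRUSTED_PUBLISHERS = {"microsoft windows", "microsoft corporation", "example corp"}


def triage_entry(entry: dict) -> list[str]:
    """Return the reasons an entry deserves review; an empty list means it looks ordinary."""
    reasons = []
    image = entry["image_path"].lower()
    publisher = entry.get("publisher", "").strip().lower()
    trusted = publisher in TRUSTED_PUBLISHERS
    name = ntpath.basename(image)
    stem, ext = ntpath.splitext(name)

    if not publisher:
        reasons.append("no publisher / unsigned image")
    # A trusted, signed program under AppData is common (per-user installs);
    # an unsigned one there is not.
    if not trusted and any(hint in image for hint in USER_WRITABLE_HINTS):
        reasons.append("unsigned image in user-writable directory")
    if ntpath.splitext(stem)[1]:
        reasons.append(f"double extension ({name})")
    if ext not in (".exe", ".dll", ".sys"):
        reasons.append(f"unusual image type ({ext or 'none'})")
    return reasons


def triage(entries: list[dict]) -> dict[str, list[str]]:
    """Map entry name to its reasons, keeping only flagged entries."""
    flagged = {}
    for entry in entries:
        reasons = triage_entry(entry)
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged


# Constructed sample entries; file names under System32 and AppData are invented.
SAMPLE_ENTRIES = [
    {"name": "SysTray", "location": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "image_path": "C:\\Windows\\System32\\systray_demo.exe", "publisher": "Microsoft Windows"},
    {"name": "SyncClient", "location": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "image_path": "C:\\Users\\alice\\AppData\\Local\\ExampleCorp\\sync.exe", "publisher": "Example Corp"},
    {"name": "Updater", "location": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "image_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "publisher": ""},
    {"name": "Invoice", "location": "Startup folder",
     "image_path": "C:\\Users\\alice\\Downloads\\invoice.pdf.exe", "publisher": ""},
]


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ENTRIES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The publisher check matters as much as the path check: per-user installs of legitimate software live under AppData too, so flagging on location alone buries the real findings in noise.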

Use intrusion prevention at the gateway and on each desktop

Effective intrusion prevention software monitors network traffic and matches it to known types of attacks.  This approach would have stopped the Sasser and Korgo.W worms in their tracks since they exploited known vulnerabilities.  Intrusion prevention rules are continually updated by your vendor.  You also should be able to add new intrusion prevention rules yourself.

Use heuristic and signature-based antivirus software

A recent addition is the ability for users to easily create their own virus signatures and to distribute them throughout their networks.
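Both the intrusion prevention rules above and the user-created virus signatures here rest on the same mechanism: a set of patterns, some vendor-supplied and some written locally, matched against bytes.  The added example below (not code from the post or from any IPS or antivirus vendor) shows one small engine serving both roles, scanning constructed network payloads and a constructed file image.  Every pattern and payload is invented for the demo; none is a real exploit or malware signature.

```python
"""Signature matching for traffic and file payloads.

Added example, not code from the original post or from any IPS or antivirus
vendor. One engine holds vendor-supplied rules and locally written ones, and
scans any byte buffer (a captured request, a file read from disk). Every rule
pattern and every sample payload below is constructed for the demo; none is a
real malware or exploit signature.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    sid: str                # rule id, unique within the engine
    msg: str                # human-readable description
    pattern: re.Pattern     # compiled bytes regex
    source: str             # "vendor" or "local"


class SignatureEngine:
    def __init__(self) -> None:
        self._rules: dict[str, Rule] = {}

    def add_rule(self, sid: str, msg: str, pattern: bytes, source: str = "local") -> None:
        """Register a rule; ids must be unique so every hit can be traced back."""
        if sid in self._rules:
            raise ValueError(f"duplicate rule id {sid}")
        self._rules[sid] = Rule(sid, msg, re.compile(pattern, re.DOTALL), source)

    def scan(self, data: bytes) -> list[str]:
        """Return the ids of every rule whose pattern occurs in data."""
        return [r.sid for r in self._rules.values() if r.pattern.search(data)]

    def describe(self, sid: str) -> str:
        r = self._rules[sid]
        return f"[{r.source}] {r.sid}: {r.msg}"


def build_engine() -> SignatureEngine:
    eng = SignatureEngine()
    # Stand-ins for vendor rules: an oversized field in a made-up binding
    # request, and a marker string of a made-up dropper.
    eng.add_rule("V-1001", "oversized BIND argument (constructed)",
                 rb"BIND\x00.{512,}", source="vendor")
    eng.add_rule("V-1002", "dropper marker string (constructed)",
                 rb"DROPPER-MARKER-XYZ", source="vendor")
    # A locally written rule, the kind the post says administrators should be
    # able to add: an internal path polled with hex ids nobody issued.
    eng.add_rule("L-0001", "internal endpoint polled with unissued id (constructed)",
                 rb"GET /beacon\?id=[0-9a-f]{8}\b")
    return eng


# Constructed payloads: two harmless, three that should each trip one rule.
SAMPLES = {
    "normal_http": b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n",
    "short_bind": b"BIND\x00" + b"A" * 100,
    "long_bind": b"BIND\x00" + b"A" * 600,
    "poll": b"GET /beacon?id=0badf00d HTTP/1.1\r\nHost: intranet\r\n\r\n",
    "file_on_disk": b"MZ\x90\x00" + b"\x00" * 32 + b"DROPPER-MARKER-XYZ" + b"\x00" * 8,
}


def scan_samples() -> dict[str, list[str]]:
    """Scan every constructed sample and report the rule ids that fired."""
    eng = build_engine()
    return {name: eng.scan(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    eng = build_engine()
    for name, hits in scan_samples().items():
        print(name, "->", [eng.describe(h) for h in hits] or "clean")
```

The limit is built in: a rule can only describe something already seen, which is why the post pairs signatures with integrity checking and sandboxing rather than relying on them alone.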

Be aware of Microsoft holes

It is no secret that Microsoft systems and programs are the most vulnerable to attack.  Some software vendors have extended Microsoft’s security by adding to Windows the concept of program permissions.  Just as users have permissions for directories and files, programs can have permissions to access different parts of the operating system, giving you direct control over what they can and cannot do.
