Channel News and Analysis - Channel Insider
Empowering the next generation Channel
 

    Blended Threats: New Recipes for IT Disaster

    in Channel News and Analysis


    Sharon Ruckman, Senior Director of Symantec Security Response, talks about taming "blended" threats that compromise security in multiple ways.

    As the volume of e-mail skyrockets, so do the horrific system dangers posed by so-called blended threats. These hazards, such as Code Red and Nimda, combine hacking, computer worms, denial-of-service attacks, and at times Web site defacements into a single, sophisticated assault. Because such attacks are likely to become the norm, it's crucial for businesses and consumers to implement advanced protection for their systems.

    Sharon Ruckman, Senior Director of Symantec Security Response, says you shouldn't wait until systems melt down. Recently she talked to Ziff Davis Channel Zone writer Joel Shore about what to do.

    Q. What can administrators do right now to minimize threats?

    A. The best actions IT can take are very simple. Turn off or remove unneeded services. Many systems have an FTP server, telnet, and Web server installed by default. Remove them and blended threats will suddenly have fewer avenues of attack--and IT will have less to maintain. Be sure to keep patch levels up to date, especially on systems that host public services and are accessible through the firewall--HTTP, FTP, mail, and DNS. Lagging patches and lack of strict policies are the two biggest problems.

    Q. Those are technology actions. What about dealing with a corporation's users?

    A. Great point. It's all about education. Enforce a password policy. Frequent changing of passwords makes it more difficult to compromise security. That's simple. More difficult is training employees not to open attachments unless they are expecting them. And never run software downloaded from the Internet until it has been scanned for viruses. Even the simple act of visiting a compromised Web site can cause infection if browser vulnerabilities aren't patched and up to date.

    Q. Isn't social engineering making user education more difficult?

    A. Sure. Social engineering is the concept of disguising e-mail as a note from a friend or some other innocent-looking content that entices a user to open the message, attachment, or click on a link. We're constantly asking people why they open these messages, and we always get the same answer--they tell us they didn't look suspicious, even though they came from an unknown sender and weren't expected. This was the problem with "SoBig." It didn't have to be, well, so big.

    Q. What about threats to wireless technologies?

    A. There aren't a lot of them yet, but it's growing. Think about Bluetooth devices. We can put devices on the table and they talk to each other, but someone might send a malicious Trojan horse that could open the device, or a worm that gets propagated when you sync your wireless device back at the office. It's important to implement security for Bluetooth devices.

    Q. It seems like threats are spreading faster than ever. Is that accurate? Are the spammer and hacker communities becoming one?

    A. "Slammer" took around six months to do its damage. But "Blaster" took only 26 days to spread. Some of this is due to technology exchange between spammers and hackers. Spammers aren't becoming virus writers, but their techniques are certainly being shared. Spammers are becoming more sophisticated -- they're using hacker tools to scout for open proxies. And virus writers are using automated spam tools to speed and widen distribution of their threats.

    Q. What's the biggest mistake made by IT?

    A. People look at their network and think that because they have strong perimeter security, they're in good shape. That's deadly. What usually happens is that over time security inside the perimeter gets porous. People connect with laptops and PDAs. Consultants are on premises and temporary workers are logging in. New employees don't know the security procedures. Inside this perimeter is a key place where the channel should be placing a lot of emphasis.

    Q. There has been some activity in Congress to create antispam legislation. The idea is to prohibit e-mail senders from using a phony return address or misleading subject text. That won't really work, will it?

    A. Legislation can't prevent people from creating or distributing threats, but it gives law enforcement the tools to go after these people. You need to have the laws on the books in order to prosecute.

    Q. What kinds of products should solution providers recommend to their corporate customers?

    A. Blended threats require a blended response. There are viruses and worms, Trojan horses, and blended combinations of these. There are those who want to break in, sometimes from the outside, or perhaps internally. An antivirus utility alone isn't going to get the job done. Firewalls, intrusion detection, and content filtering all need to be in place, monitored continuously, and kept up to date.

    Q. Will it get worse before it gets better?

    A. We can stay ahead of it, but it requires vigilance on everyone's part: from Symantec, from IT administrators and engineers, from corporate executives, and especially from individual users. For 2004, we're predicting about four blended threats of the same magnitude as Slammer and Blaster. And we expect to see a moderately severe threat every month. Close ports, shut down unnecessary services, and keep operating systems and applications up to date.




