
Slammer worm exploits risk management lapses. (Risk Reporter).

On January 25, a worm--a virus-like computer program that replicates itself without using a host file--called Slammer (or Sapphire) became the fastest computer attack of its kind in history. Doubling in size every 8.5 seconds, Slammer infected more than 90 percent of its potential host population, some seventy-five thousand machines worldwide, in under ten minutes. Slammer randomly and aggressively scanned the Internet for computers running the widely used Microsoft SQL Server 2000 server software. Exploiting a security hole, the worm entered vulnerable computers, self-replicated endlessly and rebroadcast itself back to the Internet in search of fresh victims. As a result, Slammer consumed so much processing capacity that infected servers slowed to a crawl or shut down. Although the incident was under control in a matter of hours, it was the worst cyberassault in the last eighteen months, and its effects lingered for days.

In South Korea, the world's most wired country, Slammer nearly cut off all Web access. The U.S. State, Agriculture, Commerce and Defense departments were hit hard. On a local level, cities' 911 call centers were shut off. Customers of the Bank of America and the Canadian Imperial Bank of Commerce were unable to withdraw money from ATMs. News services such as the Associated Press, the Philadelphia Inquirer and the Atlanta Journal-Constitution suffered varying degrees of disruption. American Express customers were prevented from reaching the company's Web site. Microsoft customers could not access the software giant's Web site to unlock antipiracy features of recent products Windows XP and Office XP. Continental Airlines experienced disruptions at some of its terminals in Texas and Ohio.

By the time Slammer ran its course, the worm had caused more damage than many experts had believed was possible from such an attack. Like its infamous predecessor, Code Red--the worm that infected computers worldwide and launched a denial-of-service attack against the White House last summer--Slammer was a potential taste of things to come, warned Richard Clarke, President Bush's top cybersecurity adviser. When Clarke announced his retirement from the position a few days after the Slammer attack (for reasons unrelated to the worm incident), he warned that Slammer was a very simple and easily written worm, and that future attacks using more advanced programs could cause devastating amounts of damage, especially to systems with known vulnerabilities. This came as unwelcome, if unsurprising, news to corporate-level system administrators tasked with maintaining their company's server capacity and integrity.

Many experts have since blamed Microsoft for Slammer's effects, since the company is infamous for releasing software that can be exploited by malicious code. But a week before Slammer struck, Microsoft released a patch for SQL Server 2000 that would have protected computers from the worm. Many system administrators, however, never installed the patch. Was Slammer a preventable problem?

"It is not fair to conclude that this is a result of people's failure to patch," says Aaron Latto, e-commerce underwriting director of the St. Paul Companies global technologies unit. He explains that patching servers is potentially difficult and time-consuming work, especially because servers are a dynamic environment, often running multiple patches on multiple programs. Until it is installed, there is no telling what nasty side effects a patch might impart to the machine it is supposed to protect. And even if a patch is successfully installed and runs smoothly, Latto says, it still takes a lot of time and energy from a company's IT department. Most firms simply do not have the IT resources to keep their systems up to date, so patching becomes a minor priority or is discarded altogether.

Making matters worse is the legacy factor, Latto says. It is one thing for Microsoft to introduce a patch for its most current software, but there are many layers of older machines and older codes. For these computers, software manufacturers have no solutions to offer.

Symantec, a provider of anti-virus software, suggests that all users and administrators adhere to a basic set of best practices to protect against viral or worm attacks. In addition to keeping patch levels up to date (especially on computers that host public services and are accessible through a firewall), these include:

* Turning off and removing unneeded services, such as FTP, telnet and Web servers, since these are common avenues of attack.

* Enforcing a password policy, both to make machines more difficult to break into and to prevent or limit the damage done to compromised machines.

* Configuring e-mail servers to block or remove e-mail containing attached programs or unfamiliar files, which are often used as viral hosts. Also, training employees not to open e-mail attachments unless they are from a trusted source.

* Isolating infected computers quickly, and performing forensic analysis to restore the machines.
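Added example, not code from the article or from Symantec: the random, high-rate scanning described above leaves a distinctive trace in flow logs, and spotting it is how an infected machine gets isolated quickly. The flow records and the 10.0.0.x hosts below are constructed; the port number is an assumption, since the article names none.

```python
from collections import defaultdict

# Constructed flow records (timestamp in seconds, source, destination, destination port).
# They are invented for this example: 10.0.0.5 behaves like an infected SQL Server
# spraying packets at random addresses, the other hosts show ordinary client traffic.
SCANNED_PORT = 1434  # SQL Server resolution service port; assumption, the article names no port
SAMPLE_FLOWS = [
    (0.0, "10.0.0.2", "10.0.0.10", 443),
    (0.5, "10.0.0.3", "10.0.0.10", 443),
    (1.0, "10.0.0.2", "10.0.0.11", 25),
    (2.0, "10.0.0.3", "10.0.0.12", SCANNED_PORT),
] + [
    (3.0 + i * 0.01, "10.0.0.5", f"198.51.100.{i % 256}", SCANNED_PORT)
    for i in range(400)
]


def scanning_hosts(flows, window_s=10.0, min_distinct_dsts=100):
    """Return {source: distinct destinations} for sources that contacted at least
    min_distinct_dsts different addresses on one port inside one fixed window.

    A randomly scanning worm reaches hundreds of distinct addresses per second;
    normal clients talk to a handful of servers, so they stay below the threshold.
    Fixed windows are simple but can split a burst across two buckets, which only
    delays detection by at most one window.
    """
    seen = defaultdict(set)  # (source, port, window index) -> set of destinations
    for ts, src, dst, dport in flows:
        seen[(src, dport, int(ts // window_s))].add(dst)
    flagged = {}
    for (src, dport, _), dsts in seen.items():
        if len(dsts) >= min_distinct_dsts:
            flagged[src] = max(flagged.get(src, 0), len(dsts))
    return flagged


def isolation_candidates(flows, **kw):
    """Hosts to cut off from the network, highest fan-out first."""
    hits = scanning_hosts(flows, **kw)
    return sorted(hits, key=lambda h: -hits[h])


if __name__ == "__main__":
    for host, n in scanning_hosts(SAMPLE_FLOWS).items():
        print(f"{host}: {n} distinct destinations in one window, isolate and investigate")
```

The threshold and window are tuning knobs: a server that legitimately fans out to many clients needs a higher threshold or an allow-list, while a worm doubling every few seconds is well above any sane value within the first window.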
COPYRIGHT 2003 Risk Management Society Publishing, Inc.

Article Details
Title: Slammer worm exploits risk management lapses. (Risk Reporter).
Author: Coffin, Bill
Publication: Risk Management
Geographic Code: 1USA
Date: Apr 1, 2003
