Best Practices Kill Worms

That worm, and future threats, can be fended off by following any one of a legion of well-known best practices for network management, including patch management, firewall assessment, OS service auditing and management, port scanning, and switch and network monitoring.

The most obvious service to offer affected customers is patch management, which will help protect against future incursions.

The Windows vulnerability exploited by the Blaster worm has been known about for months, and a patch that would have prevented the attack was made available in mid-July. The service can be as simple as running the Microsoft Autoupdate Wizard on all clients so patches are applied automatically. If a more staged approach is desired, one machine can be set to automatically update, and the solution provider can then apply the patch manually to other systems after about a week of sound operation.

Microsoft has a security notification subscription service that delivers security alert e-mails for a more hands-on approach. Solution providers can also install a third-party, full-bore patch and configuration management system to handle larger networks.


The mechanics of the exploit reveal other opportunities. The worm takes control of systems by making a remote procedure call (RPC) through one of several ports. Any well-configured firewall would block this part of the attack, so affected networks need port scans to reveal open ports, followed by firewall installation, management or upgrades.

The nature of the attack is such that as the worm spreads through a network, there is an unnatural rise in activity on ports being used for the attack. That causes traffic congestion at the switch level if switches are used to route data by software port number. Solution providers can offer network monitoring services to detect and act against port storming.
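The "unnatural rise in activity" on the attack ports is easiest to spot as fan-out: one source reaching many distinct destinations on the same port in a short window, which ordinary clients rarely do. The following script is an added example, not code from the article or from any product it mentions; it parses a constructed, whitespace-separated connection log and flags sources whose distinct-destination count on a watched port exceeds a threshold inside a sliding time window. The watched-port set, the log format, the window and the threshold are all assumptions chosen for the example; the real port list should come from the vendor advisory for the worm being tracked.

```python
"""Port-storm detection over connection-log lines (added example).

Log format (constructed for this example):
    <epoch_seconds> <src_ip> <dst_ip> <proto> <dst_port>
Lines that are blank or start with '#' are ignored.
"""
from collections import defaultdict

# Assumption: ports to watch. RPC endpoint mapper is TCP 135 and TFTP is
# UDP 69; the article names the services but not the ports, so take the
# authoritative list from the advisory for the threat you are tracking.
WATCHED_PORTS = {("tcp", 135), ("udp", 69)}

# Constructed sample: 10.0.0.5 behaves like an infected host sweeping the
# subnet on TCP 135; 10.0.0.2 is an admin workstation touching three
# servers; 10.0.0.7 is browsing on an unwatched port.
SAMPLE_LOG = """\
1060905600 10.0.0.5 10.0.0.20 tcp 135
1060905602 10.0.0.5 10.0.0.21 tcp 135
1060905604 10.0.0.5 10.0.0.22 tcp 135
1060905606 10.0.0.5 10.0.0.23 tcp 135
1060905608 10.0.0.5 10.0.0.24 tcp 135
1060905610 10.0.0.5 10.0.0.25 tcp 135
1060905612 10.0.0.5 10.0.0.26 tcp 135
1060905614 10.0.0.5 10.0.0.27 tcp 135
1060905616 10.0.0.5 10.0.0.28 tcp 135
1060905618 10.0.0.5 10.0.0.29 tcp 135
1060905620 10.0.0.5 10.0.0.30 tcp 135
# a repeat destination must be counted only once
1060905622 10.0.0.5 10.0.0.20 tcp 135
1060905624 10.0.0.5 10.0.0.31 tcp 135
# benign admin activity: three servers over a minute
1060905600 10.0.0.2 10.0.0.50 tcp 135
1060905630 10.0.0.2 10.0.0.51 tcp 135
1060905660 10.0.0.2 10.0.0.52 tcp 135
# web traffic on a port we do not watch
1060905600 10.0.0.7 192.0.2.10 tcp 80
"""


def parse_line(line):
    """Split one log line into (ts, src, dst, proto, dport)."""
    ts, src, dst, proto, dport = line.split()
    return int(ts), src, dst, proto.lower(), int(dport)


def detect_port_storm(log_text, window=60, fanout_threshold=10,
                      ports=WATCHED_PORTS):
    """Return a list of (src, proto, dport, peak_distinct_dsts) for every
    source that reached more than `fanout_threshold` distinct destinations
    on a watched port within any `window`-second span."""
    events = defaultdict(list)  # (src, proto, dport) -> [(ts, dst), ...]
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ts, src, dst, proto, dport = parse_line(raw)
        if (proto, dport) in ports:
            events[(src, proto, dport)].append((ts, dst))

    alerts = []
    for (src, proto, dport), hits in events.items():
        hits.sort()                      # order by timestamp
        in_window = defaultdict(int)     # dst -> hits inside current window
        start = 0
        peak = 0
        for ts, dst in hits:
            in_window[dst] += 1
            # evict events older than the window start
            while hits[start][0] < ts - window:
                old_dst = hits[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            peak = max(peak, len(in_window))
        if peak > fanout_threshold:
            alerts.append((src, proto, dport, peak))
    return alerts


if __name__ == "__main__":
    for src, proto, dport, peak in detect_port_storm(SAMPLE_LOG):
        print(f"port storm: {src} reached {peak} hosts on {proto}/{dport}")
```

Counting distinct destinations rather than raw packets is what separates a sweeping worm from a chatty but legitimate client; the repeat line in the sample shows that hitting the same host twice does not inflate the count. Tightening the window to ten seconds drops the sample host below the threshold, so the window and threshold need tuning against a baseline of the network's normal RPC traffic.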

Once the worm gains control of a system through an RPC to the distributed COM layer in the operating system, it downloads the actual worm code via TFTP. This highlights another undermanaged area in most networks: disabling system services that are not needed.

TFTP may be needed by some systems, but there are many exploits that use various services that are not commonly needed but are enabled by default. As part of a network lockdown service, solution providers could audit systems and turn off unneeded services on a system-by-system basis.
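The port scan suggested earlier and the service audit described here converge on one question: which sockets is each system listening on, and which of them does its role actually require? The script below is an added example, not code from the article; it parses listening sockets from text in the style of Windows `netstat -an` output (the sample is constructed) and diffs them against a per-role baseline of expected listeners. The role names and baseline contents are assumptions for the example; a real baseline would be built from the customer's own inventory.

```python
"""Audit listening sockets against a per-role baseline (added example).

Input is text shaped like Windows `netstat -an` output: a header row,
then "Proto  Local Address  Foreign Address  State" columns. TCP sockets
count only when their state is LISTENING; every bound UDP socket counts.
"""

# Assumption: expected listeners per role. Build this from the customer's
# real inventory; the values here are illustrative only.
BASELINE = {
    "workstation": {("tcp", 135), ("tcp", 445)},
    "file-server": {("tcp", 135), ("tcp", 139), ("tcp", 445)},
}

# Constructed sample: a workstation that also has a TFTP daemon bound on
# UDP 69 and an outbound RPC connection (not a listener).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    [::]:445               [::]:0                 LISTENING
  TCP    10.0.0.5:1045          10.0.0.20:135          ESTABLISHED
  UDP    0.0.0.0:69             *:*
"""


def _port_of(local_addr):
    """Extract the port from 'addr:port', including IPv6 '[::]:port'."""
    return int(local_addr.rsplit(":", 1)[1])


def parse_listeners(netstat_text):
    """Return the set of (proto, port) pairs the host is listening on."""
    listeners = set()
    for raw in netstat_text.splitlines():
        fields = raw.split()
        if len(fields) < 3:
            continue                      # blank lines, title, wrap text
        proto = fields[0].lower()
        if proto not in ("tcp", "udp"):
            continue                      # header row
        if proto == "tcp":
            if len(fields) < 4 or fields[3].upper() != "LISTENING":
                continue                  # outbound or transient socket
        listeners.add((proto, _port_of(fields[1])))
    return listeners


def audit_listeners(netstat_text, role, baseline=BASELINE):
    """Return a sorted list of (proto, port) listeners not expected for
    the given role, i.e. candidates for a service-by-service review."""
    expected = baseline[role]
    unexpected = parse_listeners(netstat_text) - expected
    return sorted(unexpected)


if __name__ == "__main__":
    for proto, port in audit_listeners(SAMPLE_NETSTAT, "workstation"):
        print(f"unexpected listener on {proto}/{port}: review and disable "
              f"the owning service if it is not required")
```

The audit deliberately works from what is actually bound rather than from the service-control list, because a service that is installed but stopped does not expose a port, while an unexpected listener always does; reconciling the two views per host is the "system-by-system" lockdown the article describes.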