Multiple Defenses Needed to Fight Off Zero-Day Attacks, Say Experts
Jaikumar Vijayan
April 09, 2007 (Computerworld) The Windows animated cursor flaw that Microsoft patched last week caused widespread concern because attempted exploits of it were unleashed before the patch became available. But there are a variety of steps that companies can take to try to mitigate the risks posed by the ANI vulnerability and other so-called zero-day security threats.
The available measures aren’t a sure bet, IT managers and security analysts cautioned. They added that in the end, patching a flaw is still the most reliable way of protecting systems against attackers who are seeking to take advantage of it. But deploying multiple layers of defenses is a vital element of strategies for dealing with threats for which no immediate fix is available.
For instance, Lloyd Hession, chief security officer at New York-based BT Radianz, said his company is using software from ConSentry Networks Inc. that can quickly detect compromised systems by any anomalous behavior they exhibit, instead of trying to spot infections solely by looking for virus signatures on machines.
“You need to smarten the intelligence within the local network,” said Hession, who added that the ConSentry tool lets IT staffers at BT Radianz control the connections PCs can make with other systems. He said that can help lower the risk that an infected computer will spread malware across a LAN at the company, which provides telecommunications services to financial firms.
“Under the previous model, you could go anywhere in the network once you were within the network,” Hession said. Now there are automated rules specifying the portions of a network that systems are allowed to access. The rules also limit the other machines that PCs can connect to based on the business needs of end users, he said.
Another way to minimize zero-day threats is to adopt strict policies for filtering out e-mail attachments, which attackers often use to try to deliver malware to unsuspecting end users.
Analysts have long advised companies to filter out GIFs, JPEGs, WMVs and other unneeded attachment types from inbound and outbound e-mails. And when deciding which attachments to allow and which to block, it’s a mistake to assume that only certain types are being used maliciously, said Russ Cooper, senior information security analyst at Cybertrust Inc., a security services firm in Herndon, Va.
Cooper noted that both GIFs and JPEGs were considered benign until attackers started hiding malicious code in them. “Don’t go on the basis of whether something is benign or not,” he said. “Look at what you need for your business.”
Malicious hackers also like to use HTML e-mail because it lets them more easily hide and deliver attack code to systems. For instance, several of Microsoft’s e-mail clients, including Outlook Express and Windows Mail for Vista, are vulnerable to attacks that insert a malicious ANI file in an HTML message. Disabling HTML e-mail on systems can help mitigate that risk and blunt many of the phishing attacks that attempt to get users to click on links to malicious Web sites, Cooper said.
Additional Protections
Security analysts also suggested the following measures for blocking exploits of unpatched vulnerabilities:
• Turn off JavaScript to prevent some Web-embedded exploits from reaching end users via their browsers.
• Restrict administrative privileges to stop remote hackers from gaining full administrative control of systems.
• Use updated virus signatures to identify possible attacks from remote sites and initiate responses.
It’s also important to keep an eye on the traffic that’s leaving your network. Many Trojan horses and bot programs communicate with remote systems to get instructions on what to do next or what information they should upload. Using outbound proxies or firewalls to look for and block such communications could prevent malware programs from calling home, said Johannes Ullrich, chief technology officer at the SANS Institute’s Internet Storm Center in Bethesda, Md.
Companies should also consider implementing a “default deny” capability at the perimeter of their networks, Cooper said. The idea behind that approach is to allow only specific traffic in and out of a network gateway while blocking everything else by default.
Cooper said that to determine what traffic should be permitted to enter and leave a network, IT managers can log all inbound and outbound router activity for a period of time to get a picture of what is routinely being transmitted. “If you’re worried about breaking functionality, allow everything that has been going through anyway, and deny everything else,” he said. “It’s a great starting point.”
Increasingly, though, Trojan horses and bot programs are using trusted network ports such as Port 80 and Port 443, which are used by HTTP and HTTPS traffic, respectively, to communicate with the remote systems controlling them. That makes it harder to detect the illicit traffic using outbound filtering, Hession said.
