Slashdot Mirror


Using Layered Defenses to Stop Internet Worms

An anonymous submitter writes "Following last week's release of security configuration guidance for Mac OS X, the National Security Agency has released a paper on Internet worms and how to stop new worms using layered defenses (pdf). A good read - your US tax dollars at work."


  1. Re:Using ggv...Digest Version by Zemplar · Score: 0, Redundant

    1 Motivation

    Internet worms are perceived to be one of the primary threats to the nation's information technology infrastructure. They are a significant cause for concern from both financial and network security perspectives. According to the Worm Information Center FAQ [1], the Sobig and Blaster worms, which occurred at the same time, are estimated to have cost companies more than two billion dollars.

    For this paper, we studied current worm strategies and implementations and tried to determine whether the trends point to a significant worsening of the problem in the near future. Are worm technologies improving? Are worm attacks becoming more sophisticated? We were also interested in defensive technologies that can be used to combat the worm problem. Where are defensive technologies best applied? Should other technologies be developed to help defend against the worm problem? Ultimately, we would like to know whether a sophisticated attack can be prevented - could current defensive mechanisms be used to defend against future sophisticated attacks?

    2 Paper Organization

    Answering our questions required an understanding of current worm technology and how it is evolving. We chose to focus on the technology used by worms rather than the social engineering methods used to deploy them, for which there is no technical solution. In the Worm Technology section (sec. 4) of this paper, we devise a novel method for describing Internet worms based on characteristics they exhibit, which we call life functions. By decomposing these life functions, we derived the fundamental conditions needed for worm success, which we call its attack attributes. In the Attack Attributes section (sec. 5), we describe a system by which to classify worms. The Defensive Mechanisms and Techniques section (sec. 6) surveys the existing technologies that combat worms and other malicious code. The worm attack attributes are matched against the defenses in the Attacks vs. Defenses section (sec. 7) in a defense matrix. From this matrix, we draw conclusions about how best to detect and prevent worm attacks. We present a summary of our results in the Findings section (sec. 3) below. Finally, in the Applying Defensive Methodology section (sec. 8), we discuss how five aggressive worms would have been easily defeated using the defense-in-depth strategy that we advocate in this paper.

    3.1 Defense-in-Depth

    Many defensive technologies have been developed to combat the spread of Internet worms. Unfortunately, there is no single technology that protects against all types of mobile malicious code. Many enterprises rely on only a small set of protective technologies to protect their assets, such as firewalls and virus scanners. Our research suggests that a layered defensive solution would be more effective at preventing all known worm infection vectors and, potentially, many unknown ones as well. We reached this conclusion based on our study of a wide variety of Internet worms and defensive mechanisms.

    As part of our research, we have produced a system for describing worms and measuring whether defenses can stop them. We believe that this method captures the critical characteristics that define current worms and the characteristics that will be displayed by worms in the future. Our system demonstrates that no single defense works against all worms and that multiple layered defenses provide robust protection. Defense-in-depth security helps defend against not only worms but other network threats like Trojan horses, malicious insiders, and hackers who have guessed passwords or entered systems via flaws in network code. It bolsters security with solutions that are effective even without forward knowledge of any attack. Such security solutions scale even to zero-day attacks, which are attacks that make use of previously unknown vulnerabilities.

    Reactive defenses, like signature-based virus scanners and automated patching systems, are still necessary, but they are ineffective against fast moving worms or zero-day attacks. Worms have increasingly become "blended threats" [12]; they

  2. A simpler way: by Orgazmus · Score: 0, Redundant

    1) Run linux

    (and yeah, no lame joke about profit)

    --
    The system had the verbosity of HTML combined with all the readability of compiled assembly viewed as bitmap images