Despite perimeter firewalls and anti-virus measures, worms and viruses are getting into internal networks with alarming success and doing tremendous damage. They spread fast, often swamping LANs within hours. Users are unable to do their work, and they overwhelm help desks with calls. The network and security administrators battling the outbreaks often spend weeks cleaning up systems and fully restoring operations. Once inside the network, worms can persist indefinitely.
So where are the worms coming from?
Certain perimeter defenses cannot recognize the threat. Worms and blended attacks often strike through the application layer of network communications. SoBig, Blaster, and Slammer are well-publicized examples. Half of the most critical Internet security vulnerabilities on the SANS Institute's 2004 top-20 list are application-layer vulnerabilities. Rudimentary perimeter firewalls, however, can only detect network-layer attacks.
Hackers work fast
The new breed of worms and viruses can propagate to every vulnerable host in a matter of minutes. New application and operating system vulnerabilities are discovered weekly, and hackers exploit them faster than administrators can choose the right patches to apply, test them, and deploy them to both internal and remote computers. Because of these factors, it is a well-established fact that there will always be some PCs and hosts on the network that are in a vulnerable state. Patching and antivirus updating are impractical as a proactive security practice.
Even companies that are doing a great job of strengthening perimeter defenses against the super worms are open to infection from the inside. Take, for instance, the Blaster worm, which caused billions of dollars in damage due to lost productivity, system downtime, system recovery, and continuing remediation after the attack. In many companies Blaster simply walked into the office with employees who plugged infected laptops into the corporate LAN and spread the infection to other devices on the network.
The pathways for internal infection are proliferating rapidly
The growing number of telecommuting and mobile employees connecting to the internal network using their own unmanaged PCs and other devices is blowing holes in traditional perimeter defenses. In addition, network guests, including contractors, business partners, and customers, are routinely given remote access to enterprises' Web-based applications and portals. While IT and security administrators have little or no control over the configuration of these endpoints, they are feeling the pressure to enforce endpoint security policy compliance.
Abuse by Insiders
Organizations desperately need effective solutions for ensuring the safety of all endpoints connecting to the LAN. They also need a solution for containing the internal spread of any worm that manages to sneak in. Additionally, there is one more aspect of internal security that demands attention. No internal security solution is complete that does not address controlling the access of insiders to applications and databases. Every enterprise has locks on its file cabinets, yet on the LAN most employees have access to more information sources than they need for their jobs. At the same time, employees or contractors with ulterior motives have new hacking tools available to them that make it easy to penetrate business applications and the valuable data contained within them. And now attackers are exploiting application-layer protocols, flaws in application business logic, and poor authentication controls, further compounding the problem.