A common feature of Server Load balancer, SoBig, Blaster, and other worms is that they attack system vulnerabilities, causing large-scale network outages. Even though patches that blocked them had been released before these viruses broke out, their spread still could not be effectively contained, mainly because patching processes were ineffective.
There are two reasons why patching systems is difficult. First, the interval between the disclosure of a security vulnerability and the first attacks exploiting it keeps getting shorter, so users do not have enough time to patch. Second, large numbers of clients become both targets and accomplices of virus attacks, which makes a virus spread more widely and more quickly. Besides Windows, routers, switches, firewalls, Unix, and Linux are also targets. Experts believe that system patching is a long-term project, and people need to prepare for a long campaign.
Preparations before Patching
Nicastro, a senior system consultant at International Network Services, believes that system patching is a control process that many users ignore: there is no continuous monitoring, evaluation, testing, deployment, and verification of patches. At the same time, patching is not the work of one person but a joint effort of the security team, the operations team, and developers.
Uncontrolled network growth is the biggest enemy of network security. Users must know the current state of their network assets at all times, establish a network asset list, understand how those assets change, carefully maintain the various records, calculate the cost of patching, and establish a prioritized patching plan. If any link in this chain is missing, patching the system becomes difficult.
Creating an asset list means finding out which machines are running and which applications users require. Preparing an asset list usually takes some time. The asset list is closely tied to asset management and configuration management, and dedicated personnel must be responsible for it. Patching a system is a hands-on process, and an effective organizational structure is needed to ensure that it is carried out. Setting up a security incident response team is the best solution. The team can manage system vulnerabilities in an organized way, respond quickly to each vulnerability, locate each security vulnerability against the devices in the asset list, and update the asset list once a week.
How to fix
The process of system patching can be summarized in four steps: closely track vulnerability changes, test patches repeatedly, distribute and deploy patches point to point, and verify that the patched devices are complete and running properly.
System patching starts with monitoring security vulnerabilities and searching for patches for the devices in the asset list. Once a security vulnerability is identified as a threat, the security team should immediately start testing the patch. If the user lacks the funds to set up a test environment, the user should at least try to simulate the environment of the key business systems. After testing the patch, you must complete distribution, deployment, exception handling, tracking, reporting, and related work. Patching is similar to fire suppression: if necessary, the user should first isolate the network segment carrying the worm or virus and then start the patching process.
Mr. Engates, CTO of Rackspace, believes that patching routers and firewalls is very similar to upgrading software versions. A network engineer is responsible for tracking vulnerability information for firewalls and routers. Once a patch has been identified, the engineer notifies the IT supervisor; if the patch fixes a critical defect, the information is sent directly to the vice president in charge of the project, who personally organizes the patching effort. Patches are tested in the Rackspace lab, which contains a scaled-down model of the enterprise network. The test time depends on the size of the patch. The patch is deployed in a pre-arranged maintenance window, and the security team evaluates the patching process.
According to Engates, server patching is slightly different from firewall patching. Linux is a special platform: Rackspace does not have a formal Linux configuration management tool and requires manual operations. Fortunately, problems occur less often on Linux than on Windows. When Engates determines that a security vulnerability exists on a Windows server, he immediately runs a process similar to the one for patching firewalls. The patch test lasts at least 48 hours to ensure that no problems occur. If a problem does occur, Engates suspends the patch deployment and asks Microsoft for technical support. Although this support is a paid service, Engates considers it important to maintain a close relationship with Microsoft.
Patching the Client
Determining the scope of patching is a challenge for many users. In the past four months, attacks have not been limited to servers but have also been directed at clients. Previously, client patching was a periodic, routine upgrade; that approach is no longer valid.
Worms spread very quickly, and people often have no time to close the client's network port. In the early stages of the Blaster attack, Microsoft suggested closing port 135 to prevent the worm from spreading, but Mr. Giambruno, security manager of Pitney Bowes, believes that closing this port is actually a denial of service attack. Pitney Bowes has now begun to extend its process for automatically patching servers to clients. After the Blaster outbreak, Pitney Bowes deployed BigFix management software, which gives full visibility into the Pitney Bowes wide area network across 18 countries. If someone disables the antivirus software on a desktop, BigFix restarts it. If a client does not have antivirus software installed, BigFix installs it automatically.
Five "Musts" and Four "Don'ts" for System Patching
■ A patch management team must be established to track system vulnerabilities.
■ A process for evaluating, testing, and deploying patches must be established.
■ A set of patch management tools must be selected.
■ A process must be developed to verify that deployed patches are effective.
■ In an emergency, the threat or worm must first be isolated.
■ Do not start patching without creating an asset list.
■ Do not assume that a patch management tool can solve all problems.
■ Do not delay deployment of patches that have been confirmed as critical.
■ Do not assume that attacks come only from outside and never from inside. In fact, attacks launched by infected internal clients are already widespread.