Agencies thwart SQL worm
By Rutrell Yasin
Jan. 27, 2003
Several federal agencies were able to stave off a fast-moving Internet worm that wreaked havoc on networks worldwide over the weekend.

Known as SQL Slammer, the worm caused high central processing unit usage on servers, slowing or shutting them down by exploiting known vulnerabilities.

The vulnerabilities in this case are in Microsoft Corp.'s SQL Server 2000 database software and were discovered in July 2002. Microsoft issued a patch to plug the security flaws in October.

Although the worm doesn't carry a malicious payload that wipes out files, SQL Slammer is a self-propagating worm that exhausts network bandwidth, causing performance degradation across the Internet.

SQL Slammer took a few hours to spread across Asia, Europe and North America on Jan. 25 as spikes in network traffic affected businesses and government agencies, interrupting the performance of airline travel systems and blocking access to automated teller machines.

Basically "the attack was over and done with in a matter of hours," said Vincent Weafer, senior director of Symantec Corp.'s security response center. It took about five to eight hours for the attack to spread. This illustrates the critical need for agencies and businesses to have a pre-defined plan to deal with fast-spreading worms, Weafer added.
Proper preparation paid off for the Department of Veterans Affairs. "Our new security operations center (SOC), a 24-by-7-by-365 activity under the VA Central Incident Response Capability, was on top of it from the beginning," according to Bruce Brody, chief security officer for the VA.

Brody said that throughout the course of the incident, the VA was in constant contact with the Federal Computer Incident Response Center, the focal point for computer security issues impacting civilian agencies.

FedCIRC first released an advisory concerning the SQL Slammer worm on July 29, 2002. FedCIRC reissued the advisory as an informational notice on its Web site (www.fedcirc.gov) Jan. 25, shortly after 8 a.m., according to a General Services Administration spokesperson.

"The VA SOC orchestrated a number of activities throughout the weekend, including several teleconferences with all of the VA regions, and put out the necessary patches and tools," Brody said.

"Our telecommunications provider assisted by closing the ports that the worm used to enter and exit the enterprise. While remediation activities and cleanup continue, we believe we withstood the brunt of the incident with minimal disruption to our enterprise."
A major Defense Department network deployed throughout North America and Asia was also able to thwart disruption of network services by having the right configuration management and control tools in place, said Carl Wright, vice president of federal operations at Securify Inc., a developer of configuration management software.

Although traffic on the network tripled as the worm consumed bandwidth, no machines were infected because DOD was able to take a proactive stance, having the information it needed to ensure that all firewalls and virtual private networks were properly configured, Wright added.

Using tools that help automate the process of ensuring that systems are properly configured, in addition to keeping up to date with patches, can help thwart the majority of such attacks, experts said.

"Only about 1 to 2 percent of attacks are unknown; 98 percent are due to problems that we are already aware of," said Marcus Sachs, director of communication infrastructure protection in the White House Office of Cyberspace Security, during a SANS Institute Webcast.

The worm affected a few computers at the National Oceanic and Atmospheric Administration, said Thomas Pyke Jr., the chief information officer at the Commerce Department. He has asked the department's operating units to certify that their systems have the appropriate software patches installed and to make sure that the firewalls at the edges of the network are configured to prevent incoming attacks and keep the worm from going outside.
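Both the VA's port closures and Pyke's edge-firewall instructions come down to the same two checks: stop the worm's traffic coming in, and catch any internal host that is already spraying it outward. The script below is an added illustration written for this page, not code from the article or from any agency named in it. It assumes a constructed flow-log format and constructed addresses and timestamps; the one fact it relies on that the article does not state is that Slammer propagated as single UDP datagrams to port 1434, the SQL Server Resolution Service. It flags external sources sending udp/1434 inward (what ingress filtering should drop) and internal hosts that reach an unusual number of distinct external udp/1434 targets within a short window (what egress filtering should contain).

```python
"""Flag Slammer-style udp/1434 traffic in constructed flow-log lines.

An infected host emits udp/1434 datagrams to many pseudo-random
addresses, so an internal source that reaches many distinct external
targets on that port inside one short window is a strong indicator of
an infected machine that edge egress filtering should be stopping.
Log format, addresses and timestamps here are all constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress
import re

SLAMMER_PORT = 1434          # udp/1434: SQL Server Resolution Service (Slammer's vector)
WINDOW = timedelta(seconds=60)
DISTINCT_DST_THRESHOLD = 20  # distinct external targets per source inside one window

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # constructed enterprise space

# Constructed record layout: "<iso-time> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one constructed flow record; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "proto": m["proto"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
    }


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def find_egress_scanners(lines):
    """Internal sources reaching >= DISTINCT_DST_THRESHOLD distinct external
    udp/1434 targets within WINDOW. Returns {src_ip: peak_distinct_targets}."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP" or rec["dport"] != SLAMMER_PORT:
            continue
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            per_src[rec["src"]].append((rec["ts"], rec["dst"]))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        window = deque()          # sliding window of (ts, dst) within WINDOW of the newest event
        peak = 0
        for ts, dst in events:
            window.append((ts, dst))
            while window and ts - window[0][0] > WINDOW:
                window.popleft()
            peak = max(peak, len({d for _, d in window}))
        if peak >= DISTINCT_DST_THRESHOLD:
            flagged[str(src)] = peak
    return flagged


def find_ingress_probes(lines):
    """External sources sending udp/1434 to internal hosts: traffic edge ingress filtering should drop."""
    probes = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP" or rec["dport"] != SLAMMER_PORT:
            continue
        if not is_internal(rec["src"]) and is_internal(rec["dst"]):
            probes.add(str(rec["src"]))
    return sorted(probes)


def build_sample_log():
    """Constructed records: one internal host spraying udp/1434 outward, benign noise, two inbound probes."""
    t0 = datetime(2003, 1, 25, 5, 30, 0)
    lines = []
    # Infected host: 25 distinct external targets within 25 seconds.
    for i in range(25):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} UDP 10.1.2.3:1456 -> 198.51.100.{i + 1}:1434")
    # Benign: repeated lookups to one partner host plus ordinary TCP 1433 traffic.
    for i in range(5):
        ts = (t0 + timedelta(seconds=i * 10)).isoformat()
        lines.append(f"{ts} UDP 10.1.2.4:2001 -> 198.51.100.200:1434")
        lines.append(f"{ts} TCP 10.1.2.4:2002 -> 198.51.100.200:1433")
    # Inbound probes from outside, and a malformed line the parser must skip.
    lines.append(f"{t0.isoformat()} UDP 203.0.113.9:1434 -> 10.1.2.3:1434")
    lines.append(f"{t0.isoformat()} UDP 203.0.113.10:1434 -> 10.1.2.50:1434")
    lines.append("garbage line")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print("likely infected internal hosts:", find_egress_scanners(log))
    print("inbound udp/1434 probe sources:", find_ingress_probes(log))
```

The egress check counts distinct destinations rather than raw packet volume, so a server that legitimately talks to one partner on udp/1434 (as 10.1.2.4 does in the sample) stays below the threshold while a host spraying the Internet does not; the threshold and window are tuning knobs to set against a site's own baseline.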
Commerce is eager to use the GSA patch dissemination system, Pyke said, adding that the department also takes advantage of services provided by FedCIRC.

Colleen O'Hara and Judi Hasson contributed to this report.