Protecting against network traveling worms

Network traveling worms have been a cyber security issue since 1988 when the infamous Morris worm first struck the web and caused great disruption and got significant mainstream media attention.

Since then, the web has evolved immensely – but the network worms evolved along with it. Some worms have evolved into email attachment worms, spreading via spam mail. These massive outbreaks have been mitigated in the past years by spam controllers.

Today's network-travelling variety of worms, such as Conficker and Zeus, are able to hide better than their email relatives and thus are much harder to detect.

But what is a network worm actually? A worm is a computer program that has the ability to copy itself from one machine to another in various ways. These worms often carry out payloads to cause damage and can badly harm computer networks once they gain access.

Some of the most devastating and notorious worms include the 2010 Stuxnet worm, which hit the Uranium enrichment facility in Iran and caused great damage to the enrichment program, or the Shamoon worm, which was introduced into the Saudi Aramco network by an employee using a privileged credential. Shamoon ended up erasing 30,000 computers in the internal network.

Both these examples stress how harmful network worms can be once unleashed in a network and highlight how these can be weaponized. What would happen if a network worm as powerful as Stuxnet was unleashed on a nation’s electric grid?

Now the question remains: how do these worms spread so vastly in a network and what enables them to gain access to basically any machine? This is the one common denominator of all network-travelling worms, they all have the same basic methods of dispersion; they use exploits of security holes in software, they spread via network shares and file transfers. Mainly, they use weak passwords and user credentials to gain access to other network locations and spread forth.

The most dominant example given is the previously mentioned Conficker worm, which had a "password dictionary" consisting of thousands of commonly used passwords. The worm would propagate by trying every password and login in an effort to access and spread across a network. According to Microsoft, 92 percent of Conficker infections are due to weak or stolen passwords. Just think, if a well-known threat such as Conficker can get in to a network using weak or stolen passwords, an advanced persistent threat group can do the same using these vectors.

In order to protect an organization from such an attack, establish a password management policy that involves sophisticated and random passwords. Once a password is unpredictable and uncommon, a worm such as Conficker would not be able to access your assets and an advanced persistent threat attack could be mitigated.

Your policy should leverage technology, such as CyberArk’s Privileged Account Security Solution to establish frequent, automated password changes, as well as monitoring and threat detection, as part of an overall password and privileged account security strategy.

Friday, January 3, 2014