In-Depth

CERT: Best Practices for Beating Worms

CERT’s Coordination Center outlines the top steps businesses, vendors, and the government can take to arrest the onerous cycle of constant patching.

• By Mathew Schwartz
• 09/24/2003

In the wake of the latest round—Blaster and warnings of a new, Blaster-like attack—the director of CERT’s Coordination Center, Richard Pethia, in Congressional testimony, outlined best practices for businesses when dealing with the onerous patch process. CERT/CC, part of the Software Engineering Institute at Carnegie Mellon University, is well known for providing vulnerability information to businesses and the government. It was established by the Defense Advanced Research Projects Agency (DARPA) in 1988.

Pethia, however, says real change must come from the source. He called upon vendors to help arrest the cycle of constant patching, and pleaded for government to create incentives for improving everyone’s security practices more quickly.

For businesses, Pethia recommends a three-pronged approach: adopting security practices, maintaining skills, and educating users. “Effective information security risk assessments, management policies, and security practices,” are crucial, he says. Despite there being no one “best”—best practices vary by practitioner and industry—he notes that numerous applicable approaches are available and do work, highlighting in particular the Internet Security Alliance’s "Common Sense Guide For Senior Managers" (http://www.isalliance.org/news/requestform.cfm) as a way to bring senior managers up to speed and get their crucial buy-in.

Next, he calls on companies to better maintain their security practitioners’ knowledge and skills sets. Obviously that requires time away from constant patching. Without training on new tools, practitioners will be unable to arrest the increasingly complex kinds of worms making the rounds, or new ways of attacking corporate networks.

Finally, he notes that companies must adequately educate end users. Too often, IT rolls out technology, then stops there. Instead, system administrators must give users skills they need to proactively improve their security, and notice when something is amiss. “Improve their ability to recognize a problem, instruct them on what to do if they identify a problem, and increase their understanding of what they can do to protect their systems,” Pethia recommends.

Of course, much of that is window dressing on a bigger issue: how to end the need for constant patches. Obviously that’s just not an ideal approach. “It can be months or years before the patches are implemented on 90 to 95 percent of the vulnerable computers. For example, CERT/CC still receives reports of outbreaks of the Melissa virus which exploits vulnerabilities that are more than four years old.”

Pethia told legislators that vendors must be made to do more to prevent their products from succumbing to worms or viruses. “There is nothing intrinsic about computers or software that makes them vulnerable to viruses,” he says—they fail because of bad programming or programmer logic. For example, he says products should ship with maximum security as a default, not an option. Furthermore, he rails against “unconstrained execution,” whereby too often a computer will just execute code it receives without authenticating its origin. That approach is flawed, Pethia warns.

To help vendors get the message, Pethia says the government can build “‘code integrity’ clauses” into contracts to ensure high-quality code. “Lower operating costs that come from use of such products should easily pay for the incentive program.”

In addition, Pethia says legislators need to fund more information security research, and better support the cyber-security centers of excellence already in existence at universities across the country. “The current levels of support … are far short of what is required to produce the technical specialists we need to secure our systems and networks.”

The longer it takes to resolve worms and viruses, the worse it’s going to get. “The Internet now connects over 171 million computers and continues to grow at a rapid pace. At any point in time, there are millions of connected computers that are vulnerable to one form of attack or another.” Worse, every generation of virus or worm gets more stealthy and harder to detect, acts more quickly and with more devastating effect, and also grows more automated, making it easier to spread quickly.