In my article "Code Red worm raises doubts about administrators," I sounded off about lapses in system administration that allowed a quarter of a million Microsoft IIS server installations to remain unpatched for the widely publicized vulnerability that the Code Red worm and its variants used to penetrate systems. If admins continue to let their guard down, the consequences will be devastating, as viruses such as Code Red become even more destructive and widespread. So here are some recommendations on how to stay up to date on potential problems and make sure that you maintain the best level of protection for your organization.
A little help from Microsoft
On August 16, Microsoft began offering a free tool that can completely automate the process of tracking patches. The HFNetChk network scanner uses an XML file to check for patches you have not applied to Windows NT 4.0 and Windows 2000 systems. It also covers hotfixes for Internet Information Server 4.0, Internet Information Services 5.0, SQL Server 7.0, SQL Server 2000 (including Microsoft Data Engine, or MSDE), and Internet Explorer 5.01 or later.
I downloaded and installed the program in about five minutes, including the time needed for the software to update the patch list online before scanning. Because the software refreshes the XML patch file every time you run it, it keeps you alerted to new patches, although it obviously does nothing for new vulnerabilities that don't yet have patches.
This program would have warned administrators of the vulnerability that Code Red takes advantage of. Unfortunately, it wouldn’t have alerted admins about the particular importance of the IIS patch before the Code Red outbreak, and of course it does not cover non-Microsoft operating systems.
You need information but be selective
Most security issues don’t get the kind of widespread publicity that Code Red did, so where does a busy administrator get timely information? You already read The Locksmith, but this is a weekly column, and it’s not intended to cover breaking news stories. There are also plenty of Web sites that deliver comprehensive information, such as The National Infrastructure Protection Center, but they don’t necessarily bring you the latest scoop. What you really need is a short list of security-oriented Web sites and a few e-mail services that offer up-to-date information. I emphasize “short list,” because if you subscribe to every security information source available, you’ll be flooded with far too much information to keep up with.
- One of the best places to start is by subscribing to a SANS Institute newsletter. Offerings include a weekly or monthly summary of vulnerabilities, patches, and news events related to computer security, including arrests of hackers. SANS also publishes these resources:
  - Security Alert Consensus (weekly) is customized for your platforms.
  - SANS Windows Security Digest is a monthly roundup.
  - SANS NewsBites (weekly) covers all security-related news for all platforms.
- The Computer Emergency Response Team (CERT) is more concerned with serving government agencies. By the time information is posted there for the public, it’s usually pretty well known, so you should bookmark CERT only for occasional reference. There are actually two CERT items that might be of interest: Computer Emergency Response Team (CERT) - U.S., which publishes the CERT alert mailing list, and the Australian Computer Emergency Response Team.
- Linux users can see summaries of alerts and vulnerabilities at LinuxHelp Online or subscribe directly to newsletters from specific Linux vendors such as Red Hat.
- One place you should check for every Microsoft-related security problem is Microsoft's central security site, where you can verify that any information you got elsewhere is still current, accurate, and legitimate. You can use the Tools page to search for information, access security checklists, and, most important, subscribe to security e-mail notification. Microsoft also lists outside security resources, including TruSecure and the World Wide Web Consortium (W3C). By all means, check out these resources. But unless security is your main job, as it is mine, you won't have time for all the information available, so you'll need to narrow your focus.
- Windows administrators should check out NTBugTraq, a Microsoft-specific mailing list managed by a third party.
- SecurityFocus.com, particularly BugTraq’s archives, is a good general resource for all kinds of vulnerabilities. It’s also a good place to find a mailing list that specifically targets the particular systems you manage. The names of these lists are pretty self-explanatory. They include:
- Once you know about a vulnerability, you can learn more and follow its progress by doing a search at www.cnet.com. (Note: CNET Networks is the parent company of TechRepublic.) You’ll find this column referenced there on occasion, but more importantly, you’ll also see breaking news reports that often include interviews with the vendors involved, as well as with top security experts. CNET.com also publishes a number of newsletters, including CatchUpSecurity Alert, which brings you up to date on security patches every Wednesday, Virus Alert, and Enterprise Newsletter: Security Edition.
- Trend Micro's virus alert site is a great place for virus information, including both historical information and current alerts. The site offers top 10 lists, a way to search for threats by name, and current advisories on the home page. You can easily sign up for e-mail alerts by entering your e-mail address on the home page.
- Here's a big tip to make your research faster once you are aware of a vulnerability: Did you realize that many search engines, such as Google.com, can be bookmarked not just by their home page but also with search terms included? The next time you spend a few minutes fine-tuning a search query on a topic you research regularly, don't forget to bookmark the final search results page. Opening that bookmark doesn't simply redisplay the old hits; it triggers a new search on the same topic. For example, the Google search "red worm" is a general search, but the Google search "red worm recent" sorts the results so you only see recently updated pages.
- Finally, if you want more technology news rather than less, check out the oldest technology wire service, NewsBytes News Network. However, be prepared for a flood of breaking news. Even back when I was the Washington bureau chief for NewsBytes, each office ran about 20 stories each week—and there are a lot of bureaus.
Develop your strategy
I recommend that you subscribe to one or two of the newsletter services listed above, based on the kinds of systems that you manage. You should also regularly visit some of the security and IT news sites so that you can be on top of most vulnerabilities before they hit the evening news. This can be as easy as taking 10 minutes every morning to read security e-mail and browse a couple of the key Web sites.
If you are a consultant or manage a mission-critical network, here’s another suggestion. It doesn’t help to have urgent alerts and messages sitting in your e-mail account. Consider using an e-mail service or unified messaging service that can alert you via instant messaging or pager. I like www.ureach.com, which provides a personal toll-free number for about $5 a month and has enough filters (as well as other bells and whistles) to manage the flood of information I get daily. You can set schedules so ureach.com knows where to reach you at various times, and you can specify whose calls should be forwarded and whose shouldn’t. Ureach.com will notify you by pager of e-mail, faxes, or phone calls based on the originating phone number or address.
Do you have any favorite security sites that weren’t listed here?
What security resources do you rely on? We look forward to getting your input and hearing about your experiences regarding this topic. Join the discussion below or send the editor an e-mail.