
Tech Tip: Protect your systems from the latest threats

Worms and viruses are a constant threat to your network. Lock it down by controlling how e-mail attachments are handled and by filtering the ports worms use to spread.

By Mike Mullins

It's becoming a daily fact of life: Worms and viruses continue to bombard our networks, and according to a report from SANS, it's only going to get worse. Laws against this activity are on the books, but attackers keep writing malicious code, and networks keep suffering from it.

Depending on your operating system and the programs you run, there are thousands of viruses and worm exploits your systems may be vulnerable to. Here are a few of the latest threats:

  • W32.HLLW.Cebe: This worm spreads through the KaZaa and iMesh file-sharing networks.
  • W32.Swen.A@mm: This mass-mailing worm uses its own SMTP engine to spread.
  • W32.Sobig.A@mm: This worm sends itself to every address it harvests from files with the .txt, .eml, .html, .htm, .dbx, and .wab extensions.
  • W32.Blaster.Worm: This worm exploits the Windows DCOM RPC vulnerability (Microsoft bulletin MS03-026) over TCP port 135.

A common thread

Nearly all viruses and worms are destructive or disruptive to your network, and they share a common thread: each relies on one or more of the following to spread.

  • They arrive as an attachment through the e-mail service.
  • They operate on well-known ports.
  • They exploit a known vulnerability.

Let's look at some steps you can take to strengthen your systems in these areas.

Attachment security
Every e-mail service worth running on your network can strip harmful attachments. Some do it at the SMTP relay; others implement the protection on the client host via a security update that blocks specific attachment types.

Stripping dangerous attachments does most of the work of gateway antivirus, but it is not a replacement for it: worms also travel inside archives and in documents carrying macros, and a check on the file extension alone misses files renamed to look harmless. Strip anything that can execute code (.vbs, .exe, .pif, .bat, etc.) before users see it in their mailbox, and look inside archives for the same file types. If you want to stop viruses, stop the attachments that spread them.
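The attachment-stripping step above, as an added example that is not code from the original article: it parses a raw message, drops any attachment whose name carries an executable extension (checking every suffix, since worms of this era used double extensions such as details.txt.pif), looks inside ZIP attachments for the same file types, and rebuilds the message with only the safe parts. The blocked-extension list, the host names and the sample message are constructed for the example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that execute code or script when opened. The article's list plus a
# few common additions; an illustrative set, not an exhaustive one.
BLOCKED_EXTENSIONS = {
    "exe", "pif", "scr", "bat", "cmd", "com", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "cpl", "lnk", "reg",
}
ARCHIVE_EXTENSIONS = {"zip"}


def dangerous_name(filename):
    """True if any suffix of the name is a blocked extension.

    Every suffix is checked, not only the last one, so 'details.txt.pif' is
    caught. This is deliberately conservative: 'report.exe.txt' is flagged too.
    """
    suffixes = filename.lower().split(".")[1:]
    return any(s in BLOCKED_EXTENSIONS for s in suffixes)


def archive_contains_dangerous(data):
    """Return the blocked file names found inside a ZIP attachment."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [name for name in zf.namelist() if dangerous_name(name)]
    except zipfile.BadZipFile:
        return []  # not a real archive; the name check already ran on it


def strip_attachments(raw):
    """Parse an RFC 822 message; return (clean_message, [(name, reason), ...])."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    stripped = []
    if not msg.is_multipart():
        return msg, stripped

    # Rebuild the message: copy the envelope headers, keep the text body,
    # then re-add only the attachments that pass the checks.
    clean = EmailMessage()
    for name, value in msg.items():
        if name.lower() not in ("content-type", "content-transfer-encoding", "mime-version"):
            clean[name] = value
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None:
        clean.set_content("")
    else:
        clean.set_content(body.get_content(), subtype=body.get_content_subtype())

    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reason = None
        if dangerous_name(filename):
            reason = "executable extension"
        elif filename.lower().rsplit(".", 1)[-1] in ARCHIVE_EXTENSIONS:
            hits = archive_contains_dangerous(data)
            if hits:
                reason = "archive contains " + ", ".join(hits)
        if reason:
            stripped.append((filename, reason))
            continue
        maintype, subtype = part.get_content_type().split("/", 1)
        clean.add_attachment(data, maintype=maintype, subtype=subtype,
                             filename=filename or None)
    return clean, stripped


def build_sample_message():
    """Constructed test message (not a real capture): a text body, a
    double-extension worm-style attachment, a ZIP hiding an .exe, and a
    harmless text file that must survive."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Your details"
    msg.set_content("See attached.")
    msg.add_attachment(b"not really a program", maintype="application",
                       subtype="octet-stream", filename="details.txt.pif")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.exe", b"MZ placeholder")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment(b"quarterly numbers", maintype="text", subtype="plain",
                       filename="q3.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    clean, stripped = strip_attachments(build_sample_message())
    for name, reason in stripped:
        print(f"stripped {name}: {reason}")
    print("kept:", [p.get_filename() for p in clean.iter_attachments()])
```

A gateway would run this on every message before delivery and quarantine the stripped parts rather than discard them, so a misclassified attachment can be released by an administrator.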

Well-known ports
If you block or filter inbound and outbound well-known ports (such as UDP/TCP 135 through 139 and 445) at your network perimeter, you can stop most network worms from spreading into or out of your network. But blocklisting individual harmful ports is a task that will never end.

Instead, allow only the ports necessary for your network to operate and deny everything else by default. Workstations propagate most viruses and should never accept a connection to a low port (below 1024) from the Internet. Servers should never accept a low-port connection from the Internet unless they specifically provide that service (e.g., TCP 80 for Web, TCP 25 for SMTP).
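The default-deny policy just described, as an added example that is not part of the original article: it evaluates new connection attempts (in the form of constructed firewall log lines) against a host inventory in which each server lists only the services it publishes and workstations publish nothing, and it refuses the 135-139 and 445 range at the perimeter in both directions. The address ranges (TEST-NET-1 as the internal network), the host inventory and the log format are assumptions made for the example; a real deployment would express the same policy in the firewall's rule language, with state tracking allowing the replies to permitted outbound connections.

```python
import ipaddress
import re
from dataclasses import dataclass

# Internal address space for this example (TEST-NET-1, a documentation range).
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")

# The ports the article singles out: NetBIOS, SMB and DCOM RPC.
# These never cross the perimeter in either direction.
PERIMETER_BLOCKED_PORTS = set(range(135, 140)) | {445}

# Constructed host inventory. Servers list only the services they publish to
# the Internet; workstations publish nothing, so every inbound hit is denied.
HOSTS = {
    "192.0.2.10": {"role": "server", "services": {("tcp", 80), ("tcp", 443)}},
    "192.0.2.25": {"role": "server", "services": {("tcp", 25)}},
    "192.0.2.50": {"role": "workstation", "services": set()},
}


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# Assumed log format: "... TCP 198.51.100.7:3347 -> 192.0.2.50:135"
LOG_RE = re.compile(
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_flow(line):
    """Extract a Flow from a log line, or None if the line is not a connection record."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Flow(m["proto"].lower(), m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def decide(flow):
    """Apply the default-deny perimeter policy to a new connection attempt.

    Returns ("allow" | "deny", reason)."""
    src_in = ipaddress.ip_address(flow.src) in INTERNAL_NET
    dst_in = ipaddress.ip_address(flow.dst) in INTERNAL_NET
    crosses = src_in != dst_in

    # Rule 1: worm-propagation ports are blocked at the perimeter both ways.
    if crosses and flow.dport in PERIMETER_BLOCKED_PORTS:
        return "deny", f"{flow.proto}/{flow.dport} never crosses the perimeter"
    # Traffic that stays inside (or outside) is not this policy's concern.
    if not crosses:
        return "allow", "not a perimeter flow"
    # Rule 2: outbound connections from internal hosts are permitted.
    if src_in:
        return "allow", "outbound connection"
    # Rule 3: inbound from the Internet reaches only published services.
    host = HOSTS.get(flow.dst)
    if host is None:
        return "deny", "unknown internal host"
    if host["role"] == "workstation":
        return "deny", "workstations never accept inbound connections"
    if (flow.proto, flow.dport) in host["services"]:
        return "allow", f"published service {flow.proto}/{flow.dport}"
    kind = "low port" if flow.dport < 1024 else "high port"
    return "deny", f"{flow.proto}/{flow.dport} not published ({kind}), default deny"


def audit(lines):
    """Run every parsable log line through the policy; return (flow, verdict, reason)."""
    results = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        verdict, reason = decide(flow)
        results.append((flow, verdict, reason))
    return results


# Constructed sample log, not a real capture. 198.51.100.0/24 plays the Internet.
SAMPLE_LOG = [
    "Aug 12 09:14:02 fw NEW TCP 198.51.100.7:3347 -> 192.0.2.50:135",   # Blaster-style probe
    "Aug 12 09:14:03 fw NEW TCP 198.51.100.7:3348 -> 192.0.2.10:80",    # web request
    "Aug 12 09:14:05 fw NEW TCP 198.51.100.9:1025 -> 192.0.2.10:22",    # ssh not published
    "Aug 12 09:14:06 fw NEW TCP 198.51.100.9:1026 -> 192.0.2.25:25",    # inbound mail
    "Aug 12 09:14:09 fw NEW TCP 192.0.2.50:1111 -> 198.51.100.20:445",  # infected host spreading
    "Aug 12 09:14:10 fw NEW TCP 192.0.2.50:1112 -> 198.51.100.20:80",   # user browsing
    "Aug 12 09:14:11 fw restarted rule engine",                         # not a connection
    "Aug 12 09:14:12 fw NEW TCP 198.51.100.9:4444 -> 192.0.2.50:8080",  # workstation, high port
]

if __name__ == "__main__":
    for flow, verdict, reason in audit(SAMPLE_LOG):
        print(f"{verdict:5} {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}  {reason}")
```

Running it shows why the allow list beats a blocklist: the SSH probe against the Web server and the high-port probe against the workstation are denied without either port ever being named in a rule.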

Known vulnerabilities
According to the SANS report, most attacks target vulnerabilities that are up to two years old. Only a small percentage target flaws less than six months old.

The time between the announcement of a vulnerability and the publication of an exploit has shrunk. Patches still reduce your exposure to harmful code, but the shorter window means administrators must react faster to close security holes, either with workarounds or by applying patches.

Final thoughts

Viruses, worms, and exploits will continue to invade our networks. If you want to prevent them, stop harmful attachments, filter and block harmful ports and programs, and patch your systems. Laws can't always protect your network—but good administration can.

Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.
