Jun 12 2008

Don't Be Exploited

Zero-day attacks are dangerous, but you can defend against them.

Richard Kissel, Senior Information Security Analyst, NIST

Zero-day exploits result from the identification of vulnerabilities in popular programs, followed by the creation of malicious code that takes advantage of those vulnerabilities to compromise systems or make them agents of attack. What separates them from more routine attacks is that they are launched before those vulnerabilities are made known to the public or to software vendors responsible for protecting those programs. Because the vulnerabilities have yet to be discovered by the vendor or antivirus companies, there is no patch or antivirus signature available to identify, neutralize and remove the malicious code.

The reason IT managers should be concerned is that the antivirus products don’t recognize the vulnerability or have a malicious code signature to scan for, so the antivirus or antispyware programs you may have installed to protect your critical business systems won’t protect your company. In other words, your systems can be fully compromised — and you have no way of knowing.

One example took place a few years ago when Microsoft announced a serious vulnerability in its Windows Plug-and-Play service. Microsoft released a patch and within a week “proof of concept” exploit code for the vulnerability appeared, followed by six Zotob worms. While hardly instantaneous, the attack occurred in less time than it might take for many companies to update all their vulnerable systems.

Because Zotob and the related attacks were worms, it is reasonable to expect that antivirus software would protect against them. But by the time antivirus companies acquired samples, wrote a signature to identify them and distributed those signatures to users, the worms had spread.

Keep in mind that while Microsoft Windows Vista is less vulnerable to unauthorized configuration changes than Windows XP because it requires specific administrator-account authorization for configuration changes, zero-day attacks are not predictable or limited to any specific operating system. All software products and operating systems have unknown vulnerabilities and are susceptible to zero-day exploits.

So what can you do to protect your company from an attack? Here’s a start:

Apply all available patches and updates to your operating systems and application programs. If you have installed antimalware programs that use both signatures and heuristics (tools that monitor the system for unusual behavior), you are better prepared to detect and neutralize zero-day attacks.

Tighten up your firewalls. Ensure that your system and network firewalls are filtering traffic in both directions. Inbound traffic should be blocked when it comes from known bad sites. Outbound traffic should be filtered to prevent malware from sending sensitive information back to its home base.

Protect against buffer overflows. A buffer overflow is a programming error that may result in malicious code being allowed to run on your system. Install and use software to protect your system against buffer overflow attacks, especially if your operating system does not provide this protection.
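The programming error this paragraph refers to is easy to see in code. The following is an added example, not code from the article or from NIST: an unchecked string copy beside a bounded one, with a constructed oversized input (63 'A' bytes) standing in for the kind of input a zero-day exploit feeds to the unchecked version. The struct, the sample and the function names are all assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: an oversized input of the kind an exploit feeds to
 * an unchecked copy (63 'A's, longer than any buffer below). Built here for
 * the example; it is not taken from any real attack. */
#define SAMPLE_LEN 63

/* BEFORE: the programming error the article describes. strcpy() copies
 * until it finds the terminator, so a src longer than dst writes past the
 * end of the buffer and clobbers whatever memory sits beside it. */
void copy_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* AFTER: the hardened form. The caller passes the destination size and the
 * function refuses input that does not fit (including the terminator).
 * Rejecting is safer than silently truncating: truncation can turn one
 * value into another, and strncpy() does not even terminate on overflow. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    size_t len = strlen(src);
    if (len >= dst_size)         /* no room for len bytes plus '\0' */
        return -1;
    memcpy(dst, src, len + 1);   /* copy exactly len bytes and the terminator */
    return 0;
}

/* Fills a caller-supplied buffer with the constructed oversized sample. */
void make_oversized_sample(char *out, size_t out_size)
{
    size_t n = SAMPLE_LEN < out_size ? SAMPLE_LEN : out_size - 1;
    memset(out, 'A', n);
    out[n] = '\0';
}

/* Returns 1 when the bounded copy accepts an input that fits and rejects
 * the oversized sample without touching the destination's neighbour.
 * The unchecked copy is deliberately never called with the oversized
 * sample: doing so would be exactly the undefined behaviour being prevented. */
int demo_bounded_copy(void)
{
    struct {
        char buf[16];
        int  neighbour;   /* stands in for whatever memory follows buf */
    } frame = { "", 0x1234 };

    char big[SAMPLE_LEN + 1];
    make_oversized_sample(big, sizeof big);

    if (copy_bounded(frame.buf, sizeof frame.buf, "hello") != 0)
        return 0;
    if (strcmp(frame.buf, "hello") != 0)
        return 0;
    if (copy_bounded(frame.buf, sizeof frame.buf, big) != -1)
        return 0;
    if (frame.neighbour != 0x1234 || strcmp(frame.buf, "hello") != 0)
        return 0;                /* a rejected input must leave memory intact */

    copy_unchecked(frame.buf, "ok");  /* safe only because "ok" fits in buf */
    return strcmp(frame.buf, "ok") == 0;
}

int main(void)
{
    printf("bounded copy behaves: %s\n", demo_bounded_copy() ? "yes" : "no");
    return 0;
}
```

The bounded version is the fix a developer applies; the operating-system protections the paragraph mentions (stack protectors, non-executable memory, address-space randomization in modern toolchains and operating systems) sit underneath and limit what an overflow can achieve when a copy like the first one slips through.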

One important step in any plan to defend against zero-day exploits is to make sure you back up your important information regularly. But making backups doesn’t protect your information when your system is compromised and your sensitive data is stolen.

When your system is compromised, the only way to protect your information is to already have it encrypted. Encryption isn’t foolproof, but it’s better than leaving your sensitive information unprotected. If you are still using Windows XP, you should access the Internet from an account with limited privileges. You should also exercise caution when opening unexpected e-mail attachments, and be equally careful about clicking on URLs in e-mail.

The bottom line for IT managers is to know that all software has vulnerabilities that can be taken advantage of by hackers as soon as they discover them. It is up to you to take responsible action.

Richard Kissel is a senior information security analyst for the National Institute of Standards and Technology in Gaithersburg, Md.