Feds look for lessons from Internet worm

FedCIRC

The worm that slowed the Internet and corporate networks worldwide last month highlighted the need for federal agencies to pay attention to the most basic security vulnerabilities — even in noncritical systems.

The Slammer worm that hit during the weekend of Jan. 25 is one of a growing number of attacks intended to cause wide-scale disruptions rather than target specific high-profile systems. And like the majority of attacks, it took advantage of a vulnerability that had a fix.

Worms are programs that replicate themselves from system to system without the need for a host file.

The Slammer worm exploited known vulnerabilities in Microsoft Corp.'s SQL Server 2000 database software to generate a high enough volume of work for servers to slow or shut down. Those vulnerabilities were discovered in July 2002, and Microsoft issued a software patch that users could download to fix the flaw.

Although government officials are focusing much of their attention on critical systems — primarily those identified under the Government Information Security Reform Act of 2000 and the Federal Information Security Management Act of 2002 — many other systems do not fall into that category, often including agencies' database servers.

Securing critical systems without addressing the security of noncritical systems will only hurt agencies, said Alan Paller, director of research at the SANS Institute, a security education and research organization. The Slammer worm's impact is "the perfect example of how a machine that is not protected can take out systems that are," he said.

Agencies are making progress, but it is hard to grasp the entire security problem, said Sallie McDonald, assistant commissioner for information assurance and critical infrastructure protection at the General Services Administration.

"It's a huge, big problem, and we're taking little bites at a time," she said. "If you're just doing the critical systems, you're not coming close to being secure, but you've got to start by biting somewhere."

GSA currently runs the Federal Computer Incident Response Center, which focuses on computer security issues affecting civilian agencies. The center is shifting to the new Homeland Security Department.

Sen. John Edwards (D-N.C.) last month introduced the National Cyber Security Leadership Act, which requires agencies to perform comprehensive analyses of their systems, encompassing even the lower-level systems. It also requires that the National Institute of Standards and Technology develop standards to help raise the security level on those systems.

The bill is intended to make sure that agencies do not forget the damage that intrusions into and attacks on lower- level systems can cause, Paller said. The SANS Institute and the Computer Systems Security and Privacy Advisory Board, a NIST advisory group, worked with Edwards to draft the bill.

Because of increasing security awareness and more robust security response policies, many agencies were able to handle the worm, including the Department of Veteran Affairs, which last year launched a security operations center.

However, security patches, such as the one Microsoft made available for the SQL Server vulnerability, are a crucial preventive mechanism for the future, experts say. Up to 98 percent of successful attacks are because of vulnerabilities that are known and have patches.

Last year, FedCIRC awarded a contract for a patch dissemination service. That service will not only allow agency systems administrators to receive and prioritize patches — helping them weed through the hundreds of patches released every month — but will also help chief information officers manage their security policies by tracking when and where every patch is applied, McDonald said.

The Commerce Department is eager to use the GSA patch dissemination system, said Thomas Pyke Jr., the department's chief information officer.

Colleen O'Hara, Judi Hasson and Rutrell Yasin contributed to this report.

***

Trail of the worm

* July 2002: A vulnerability is discovered in Microsoft Corp.'s SQL Server 2000; on July 29, the Federal Computer Incident Response Center issues an advisory.

* October 2002: Microsoft issues a patch for SQL.

* January 2003: A worm exploiting the SQL flaw hits the Internet Jan. 25, slowing or shutting down networks worldwide over a five- to eight-hour period. However, many federal agencies staved off the brunt of the attack.