Attack of the worms: Feds get wake-up call

Latest round of attacks prompts call for more aggressive patch programs

A variant of an Internet computer worm disrupted network operations at several federal agencies last week, prompting calls for a more aggressive effort to apply patches to operating systems' security flaws before viruses can exploit them.

The worm, known as Welchia, underscores how swiftly agencies need to move to apply patches enterprisewide once a vulnerability has been exposed.

Most agencies avoided serious disruption of network services the week of Aug. 11, when the original and slower worm, Blaster, surfaced. That was largely because patches had been loaded on as many systems as possible. However, because agencies were still applying fixes when Welchia struck a week later, some lost their connection to the Internet, seriously affecting operations.

"Basically, it acted as an unintentional denial-of-service attack," said Capt. Chris Christopher, staff director of the Navy Marine Corps Intranet, referring to an attack that is designed to bring a Web-based system down by flooding it with traffic. The variant, which attempts to eradicate the Blaster worm, caused NMCI's first serious shutdown in the highly secure network's short history.

Both worms take advantage of a remote procedure call vulnerability in several versions of Microsoft Corp.'s Windows operating system. The first alert about the vulnerability and patch were issued July 17 (see "Close up: Worms," Page 9).

The Navy was not Welchia's only federal casualty. The Department of Veterans Affairs also found its network could not handle the load. Although the agency managed Blaster fine, "this week, with variant B, what we learned is that the antivirus side of our house is in good order, but the patch management side is horrendous," said Bruce Brody, associate deputy assistant secretary for cyber- and information security.

The incident got the attention of the VA's top executives. "There is a push by the secretary to get a very aggressive patch management approach in place within a year across the enterprise," Brody said. "This week we got hit pretty hard.... All those unpatched systems really caused us problems this week, and we put out the patch order as early as July 16, so there's no excuse for those systems not to be patched."

Many experts cited poor patch management as a primary reason the Welchia worm succeeded, and warned that future attacks of the same caliber will continue to cause problems for government and industry alike.

"The days of manual patching are over," said Michael Brown, director of the Federal Aviation Administration's Office of Information Systems Security.

"We really have to have a set of tools that allows us to touch the entire enterprise at once, because any untouched system is a vulnerability," said Jim Kennedy, the Internal Revenue Service's program manager for enterprise systems management.

Manually applying patches worked in the past because organizations had fewer systems, and the time between when a vulnerability was discovered and when it was exploited was fairly long. However, even the IRS, which used automated tools and procedures to test and apply the Microsoft patch for the latest vulnerability, was unable to finish before the Welchia variant hit.

Security officials recognize the shortcomings but can do little to fix them in the immediate future, said Sallie McDonald, who oversees the Federal Computer Incident Response Center, now part of the Homeland Security Department. Vendors have yet to provide an automated system that can apply patches as quickly as agencies need them, in part because systems within agencies are not standardized and must often be dealt with individually, she said.

It's true that security vendors have not provided such a solution, but "the No. 1 thing people have to understand is that automatic patch updates [are] just software updates," said John Pescatore, vice president for Internet security research at Gartner Inc. And there are plenty of software distribution and management solutions, such as the IBM Corp. Tivoli solution the IRS is using, he added.

What the past few attacks demonstrated most clearly is that systems administrators really need to know their networks and exactly what is on their systems, said Jaime Borrego, director of information assurance in the Office of the Chief Information Officer within the Executive Office of the President.

Without that kind of detailed knowledge, even the most prepared administrators cannot be sure they have dealt with all vulnerabilities, he said, and the bigger the organization, the bigger the problem.

"I think we're really just seeing the beginning of the new and improved things that will be hitting our systems and how quickly they can move," McDonald said. "We've got to look at this two-week period as a wake-up call. There was nothing significant that was damaged this time, but the potential was there."