Internet Security Corporation
Web Worms Advice
We at Internet Security Corporation try to maintain a non-preferential view of
software whenever possible. However, for security we recommend a late
version of Apache. The alternative, for example if you really, really need ASP,
is to make sure you download and apply IIS and email server patches as
quickly as possible when new vulnerabilities are announced.
But this won't save you from a zero-day exploit. To be safe from these, you
need to choose proven, mature, and secure software.
Our take on this phenomenon of the last year and a half is that these worms
are cover for a small number of more sinister and intrusive threats. That
children can buy CDs with autorooters is mysterious until you consider that
human shields such as these mischievous punks are the ideal cover for a truly
capable evil spy. One wonders where the new worms come from until one notes
that they make everybody disregard their IDS alarms. It is not unlike setting
off all the neighborhood fire alarms in order to facilitate an arson.
Our best advice is to 1) keep patches up to date, and 2) make a sed or awk
filter to remove all web log entries with ".exe" in them, to start with.
Then 3) filter out some of the other characteristics, like ".." and the like
in requested URLs, before processing the logs. IDS
systems should alarm on all the usual criteria, except the specific
web worm signatures. You might desensitize your IDS to common autorooter
attack signatures and characteristics. Remember: keep those alarms
up, like before; just automate out the noise triggers designed to get
you to loosen your security.
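An awk filter along the lines of steps 2 and 3, given here as an added example and not Internet Security Corporation's own code. It assumes Common/Combined Log Format, matches only the requested URL, and writes the removed entries to a side file (a choice made for this example) instead of discarding them; the function names and sample log lines are constructed.

```shell
#!/bin/sh
# Added example. Usage: filter_worm_noise NOISE_FILE < access.log > clean.log
# NOISE_FILE (hypothetical name) receives the removed entries.
filter_worm_noise() {
    awk -v noise="$1" -F'"' '
    BEGIN { printf "" > noise }            # create or truncate the side file
    {
        # In Common/Combined Log Format the first double-quoted field is
        # the request line: METHOD target PROTOCOL.
        n = split($2, req, " ")
        target = tolower((n >= 2) ? req[2] : $2)
        gsub(/%2e/, ".", target)           # URL-encoded dots count as dots
        # Match the requested URL only, so ".exe" in a referrer is ignored.
        if (index(target, ".exe") || index(target, "..")) {
            print $0 > noise               # worm noise, set aside
        } else {
            print $0                       # goes on to normal log processing
        }
    }'
}

# Constructed sample entries (documentation addresses, not real traffic).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [01/Jan/2002:10:00:00 -0800] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [01/Jan/2002:10:00:01 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
198.51.100.7 - - [01/Jan/2002:10:00:02 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
198.51.100.9 - - [01/Jan/2002:10:00:03 -0800] "GET /docs/%2E%2E/%2e%2e/private HTTP/1.0" 400 190
192.0.2.11 - - [01/Jan/2002:10:00:04 -0800] "GET /download.html HTTP/1.1" 200 512 "http://example.com/tools/setup.exe" "Mozilla/4.0"
EOF
}
```

Run it ahead of the log analysis step, for example `filter_worm_noise worm-noise.log < access.log > clean.log`, and process `clean.log` as usual.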
Call Internet Security Corporation at (408) 739-1092 for an hourly
ad-hoc consulting rate.