Today, more than a year later, Nimda is still spreading to unprotected computer systems across the globe. Nimda and other similar worms, known as 'blended threats,' represent the worst threat to computer security since the inception of computer viruses more than 20 years ago.
Blended threats like Nimda are effective because they combine the most devastating characteristics of viruses, worms, Trojan horses and malicious code to exploit existing computer and Internet vulnerabilities. By utilizing these multiple methods, blended threats can quickly defeat computer systems that employ just one form of Internet security, allowing them to spread rapidly and cause widespread damage.
Perhaps the two best examples of blended threats are the relatively recent Nimda and CodeRed worms. These blended threats required no human interaction to spread, which accounts for their almost unbelievable infection rate. In addition, blended threats are typically very malicious once they infiltrate and infect a computer. Nimda, for example, was set up to insert malicious code into executable files, change account privileges, reconfigure network shares, make registry changes and inject script code into HTML files. CodeRed was no better; the calculated global cost of the CodeRed worm alone now stands at $2.6 billion.
These blended threats were successful because many businesses implemented only one form of computer security, such as a standalone antivirus product. When these new threats encountered that roadblock, they simply avoided it by using a different method to compromise the system.
Therefore, it is important that businesses use a layered approach to computer security by implementing security products at all levels of the network (the desktop, the server, and the Internet gateway). In addition, employees should be regularly trained on how to recognize and avoid today's sophisticated Internet threats.
For example, the following security policies address both security products and employee education. Such a layered approach will greatly reduce the likelihood of a network breach by blended threats.
1. Protect Passwords
Passwords should be somewhat randomly chosen and should not be names or important dates. A good password will be at least six characters long and include both letters and numbers. A policy that requires users to change their passwords regularly also reduces the risk of a system breach.
2. Keep Patches Up-to-Date
Most blended threats are based on known vulnerabilities. Keep operating systems, applications and security products up-to-date with the latest security patches. This will seal off many open doors that blended threats use to spread.
3. Collect Data Forensics
Since blended threats try several methods to infect a system, a careful analysis of abnormal network behavior can provide an early warning of a break-in attempt. Internet security best practices should include policies, procedures and standards for such functions as logging, reporting and auditing network traffic.
4. Use Integrated Security Hardware and Software
Security technology works best when layered across all parts of the network, from the desktop to the servers to the Internet gateway. Avoid using security products from disparate manufacturers since they may not be designed to properly overlap, leaving gaps that blended threats may exploit. Most major security vendors like Symantec Corp. offer complete security solutions that are designed and tested to work together without leaving any gaps in security coverage.
For example, a firewall appliance at the Internet gateway can preemptively block malicious traffic from ever entering the network. Complementary antivirus software on each desktop and server can be used to detect attacks that manage to slip through the firewall, and intrusion detection technology can monitor network traffic for improper activity that escapes detection by both the antivirus software and the firewall. Since each of these products monitors for slightly different Internet threats, when used together they can greatly reduce the risk of a security breach by blended threats.
5. Remove Unneeded Services
Organizations need to determine which services they truly require and remove any that are unnecessary. Eliminating unneeded services can dramatically reduce system vulnerability. For example, there is no reason to run a Windows NT Server with IIS Web Server on an employee's desktop computer; removal of IIS from company desktops will preemptively defeat attacks that are designed to exploit such vulnerabilities.
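The correlation that items 3 and 4 describe, sketched as an added example (not code from the article or from any vendor): events reported by different security layers are grouped by host, and a host reported by two or more layers within a short window is flagged as a possible multi-method attack. The log format, layer names, addresses and thresholds are assumptions constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: timestamp, reporting layer, host, event label.
# Format and labels are assumptions for this example, not a real product's log.
SAMPLE_LOG = """\
2003-06-18T09:00:05 firewall 10.0.0.23 blocked-inbound-http
2003-06-18T09:00:40 firewall 10.0.0.57 blocked-inbound-http
2003-06-18T09:01:10 ids 10.0.0.23 open-share-write
2003-06-18T09:02:30 antivirus 10.0.0.23 infected-attachment
2003-06-18T09:03:00 firewall 10.0.0.57 blocked-inbound-http
this line is malformed and is skipped
2003-06-18T11:30:00 ids 10.0.0.57 open-share-write
"""

def parse(log_text):
    """Return time-ordered (timestamp, layer, host, event) tuples."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing at fields
        ts, layer, host, event = parts
        events.append((datetime.fromisoformat(ts), layer, host, event))
    return sorted(events)

def multi_vector_hosts(events, window=timedelta(minutes=10), min_layers=2):
    """Map each host seen by >= min_layers distinct layers within `window`
    to the sorted list of layers that reported it."""
    by_host = defaultdict(list)
    for ts, layer, host, _event in events:
        by_host[host].append((ts, layer))
    flagged = {}
    for host, seen in by_host.items():
        start = 0
        for end in range(len(seen)):
            # Slide the window start forward until it spans at most `window`.
            while seen[end][0] - seen[start][0] > window:
                start += 1
            layers = {layer for _, layer in seen[start:end + 1]}
            if len(layers) >= min_layers:
                flagged[host] = sorted(layers | set(flagged.get(host, [])))
    return flagged

if __name__ == "__main__":
    for host, layers in multi_vector_hosts(parse(SAMPLE_LOG)).items():
        print(f"{host}: reported by {', '.join(layers)} within 10 minutes")
```

A host that only ever trips one layer, or trips a second layer hours later, is not flagged at the default window; widening the window trades earlier warning for more noise.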
While the specific security policies and products required to combat blended threats will vary depending on the size and needs of each individual company, every organization should make provisions to implement an integrated security approach that combines layered security products with an educated, aware workforce.
Battling Blended Threats
Just 24 hours after its introduction on September 18, 2001, the Nimda computer worm had infected more than 2.2 million computers worldwide.
- Wednesday, June 18 - 2003 at 09:19
Symantec, Wednesday, June 18 - 2003 at 09:19 UAE local time (GMT+4)
Replication or redistribution in whole or in part is expressly prohibited without the prior written consent of AME Info FZ LLC / Emap Limited.
This Article was updated on Saturday, May 26 - 2007
Disclaimer:
Articles in this section are primarily provided directly by the companies appearing or PR agencies which are solely responsible for the content. The companies concerned may use the above content on their respective web sites provided they link back to http://www.ameinfo.com
Any opinions, advice, statements, offers or other information expressed in this section of the AME Info Web site are those of the authors and do not necessarily reflect the views of AME Info FZ LLC / Emap Limited. AME Info FZ LLC / Emap Limited is not responsible or liable for the content, accuracy or reliability of any material, advice, opinion or statement in this section of the AME Info Web site.
For details about submitting your stories, please read the guide - all content published is subject to our terms and conditions