Rapid Sasser Attack Raises Cost: Securing Windows
A recent article on Gartner.com discussed media outlets’ and security firms’ reports on worldwide attacks against Windows-based computers by the new Sasser worm. Sasser exploits a vulnerability in Windows that was acknowledged by Microsoft in an announcement on April 13, 2004. Microsoft is offering a patch for the vulnerability at http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx and a Sasser removal tool at http://www.microsoft.com/technet/Security/alerts/sasser.mspx.
The Sasser worm attacks confirm Gartner’s prediction that mass worm attacks against the multiple vulnerabilities disclosed by Microsoft on April 13 were likely. In fact, the appearance of this worm marks the shortest time ever, just 18 days, between the appearance of a vulnerability and the beginning of an attack. Blaster held the previous record, at 25 days.
Many of the vulnerabilities that continue to be identified in Windows 2000, XP and Server 2003 are easily exploitable; attackers will continue to develop worms that will cause damage equal to or more severe than the system shutdowns and network congestion caused by the Slammer worm. Enterprises that are dependent on Windows systems must invest both in means to patch faster and in host-based intrusion prevention software for all Windows PCs and servers. Gartner, a research and advisory firm, made several recommendations:
- Enterprises that have invested in configuration management and software distribution systems should budget additional funds to expand these efforts to include expedited patching of all Windows PCs and servers.
- Enterprises that have not made investments in configuration management and software distribution should allocate funds for patch management systems that can make patching before attacks more feasible, while also ensuring the stability of Windows systems. Simply turning on the Windows automatic update feature is not enough.
- All enterprises should recognize that these configuration management and software distribution systems, or patch management systems, must be accompanied by personal firewall, antivirus and behavior-based intrusion prevention software for all Windows PCs and servers.
Gartner believes that even though the market for host-based intrusion prevention software will not be mature until the end of 2005, enterprises must budget for and procure these products now to secure their critical Windows-based systems. The cost and availability of such protection should be included in all total cost of ownership calculations when alternatives to Windows servers and PCs are being evaluated.
For more information, visit http://www.gartner.com.