How To: Protect Against a Zero-Hour Attack

In the last year, a series of viruses and worms that caused damage across the Internet in record time has made very clear how vulnerable our computer systems are. The MS Blaster, Slammer, Sasser, and Korgo.W worms have shown that signature-based antivirus software and traditional firewalls are not enough to protect networks. Everyone is worried about a zero-hour attack — an attack based on a previously unknown vulnerability and completely immune to antivirus software. What can you do to protect your network from such an event? Here are a few ideas:

Use file integrity checking.

File integrity checking tells you if the software you think you have installed on your network is actually what it is supposed to be. There are a number of free utilities to do this — Tripwire is the best known among them. Traditionally, file integrity checking is used to identify recent changes on a PC. That way, when things go desperately wrong you can try to back out of the latest changes. File integrity checking is also useful for discovering spyware and viruses your antivirus software has missed.
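The following is an added example, not code from the article or from Tripwire, showing the mechanism a file integrity checker relies on: take a baseline of hashes and permission bits for every file in a software tree, store it, and later diff the live tree against it. The directory layout, file names and "tampering" are constructed inside a temporary directory so the script runs offline; the function names are the example's own.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, algo="sha256", chunk_size=65536):
    """Hash a file in fixed-size chunks so large binaries never sit in memory whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Record hash, size and permission bits for every regular file under root.

    Paths are stored relative to root with POSIX separators so a baseline taken
    on one machine can be compared with the same software tree elsewhere."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def compare(baseline, current):
    """Return (added, removed, modified).

    modified maps a path to (old_hash, new_hash); a permission change alone also
    counts as a modification, because a content hash does not cover mode bits."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for name in sorted(set(baseline) & set(current)):
        old, new = baseline[name], current[name]
        if old["sha256"] != new["sha256"] or old["mode"] != new["mode"]:
            modified[name] = (old["sha256"], new["sha256"])
    return added, removed, modified


def save_baseline(baseline, path):
    """Persist the baseline as JSON. Keep this copy somewhere the monitored host
    cannot rewrite (read-only media or a separate system); an intruder who can
    alter the files can otherwise alter the record of them too."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario: baseline a small tree, simulate the kind of change a
    worm or dropper makes (replace a library, add a binary, delete a config file),
    then report the diff. Returns (added, removed, modified_paths)."""
    with tempfile.TemporaryDirectory() as d, tempfile.TemporaryDirectory() as store:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"original program image")
        (root / "bin" / "helper.dll").write_bytes(b"original library")
        (root / "config.ini").write_text("setting=1\n")
        baseline_path = Path(store) / "baseline.json"   # stored outside the tree
        save_baseline(build_baseline(root), baseline_path)

        # Simulated tampering after the baseline was taken.
        (root / "bin" / "helper.dll").write_bytes(b"patched library")
        (root / "bin" / "dropper.exe").write_bytes(b"unknown code")
        (root / "config.ini").unlink()

        added, removed, modified = compare(load_baseline(baseline_path), build_baseline(root))
        return added, removed, sorted(modified)


if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the stored baseline: if the JSON sits on the same disk with the same permissions as the software it describes, an intruder who replaces helper.dll can refresh the hash in the baseline in the same step, which is why the real tools sign the database or keep it off the host.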

Run new or unknown software in a sandbox.

A new generation of antivirus software extends file integrity checking by making unknown software run in a "sandbox." This form of isolation prevents viruses or worms from propagating unless they can trick a known program into doing the work for them. Using this technique, new or unknown programs are not allowed to do the following things:

  • Talk on the network
  • Run at your full security access
  • Write to another EXE or DLL file
  • Write to another process's memory
  • Modify critical registry entries
  • Execute other programs

Another way to develop a sandbox is by using Microsoft's Active Directory to keep users from installing anything new. Any new software is then carefully checked by the network administrator before it is installed on the rest of the network. In effect, this makes the network administrator's PC the sandbox.

Scan autoruns.

Each PC's autorun programs should be periodically scanned for threats. This is a favorite place for viruses, worms, and spyware to invade. There is a terrific free utility called Autoruns from SysInternals that will show you everything that is run when you boot up your PC.
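Looking at everything that runs at boot is only half the job; the other half is deciding which entries deserve attention. The script below is an added example, not part of the article and not code from Sysinternals: it reads an autostart listing in a CSV layout that is assumed for this example (the column names, registry locations and every row are constructed) and ranks the enabled entries by two simple defender heuristics, an unsigned or unverifiable image and an image that lives in a user-writable directory.

```python
import csv
import io

# Constructed sample in the shape of a CSV export of autostart entries. The
# column layout and every row below are assumptions made for this example and
# do not describe any particular tool's real output format.
SAMPLE_EXPORT = """Entry Location,Entry,Enabled,Image Path,Signer
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,VendorTray,enabled,c:\\program files\\vendor\\tray.exe,(Verified) Example Vendor Inc.
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,Updater,enabled,c:\\users\\alice\\appdata\\local\\temp\\updater.exe,(Not verified)
HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,SyncClient,enabled,c:\\users\\alice\\appdata\\local\\syncclient\\sync.exe,(Verified) Example Vendor Inc.
HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce,Cleanup,disabled,c:\\programdata\\cleanup.bat,
"""

# Directories an ordinary user account can write to. A program that starts at
# boot from one of these deserves a look even when its signature checks out.
USER_WRITABLE_MARKERS = (
    "\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\",
)


def triage(export_text):
    """Parse the export and return enabled entries worth a closer look,
    highest severity first. Each finding records why it was flagged."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["Enabled"].strip().lower() != "enabled":
            continue  # disabled entries do not run at boot; review them separately
        image = row["Image Path"].strip().lower()
        signer = row["Signer"].strip()

        unsigned = not signer or signer.startswith("(Not verified)")
        writable = any(marker in image for marker in USER_WRITABLE_MARKERS)
        if not (unsigned or writable):
            continue

        reasons = []
        if unsigned:
            reasons.append("image is unsigned or its signature could not be verified")
        if writable:
            reasons.append("image is in a user-writable location")
        findings.append({
            "entry": row["Entry"],
            "location": row["Entry Location"],
            "image": row["Image Path"],
            "severity": "high" if unsigned else "medium",
            "reasons": reasons,
        })
    findings.sort(key=lambda f: 0 if f["severity"] == "high" else 1)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EXPORT):
        print(f"[{f['severity']}] {f['entry']} -> {f['image']}")
        for reason in f["reasons"]:
            print("    " + reason)
```

Run against a real export, the same two heuristics surface the entries a periodic scan is meant to catch: a signed program in Program Files stays quiet, while something dropped into a temp directory and registered under a Run key rises to the top of the list.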

Use intrusion prevention at the gateway and on each desktop.

Effective intrusion prevention software monitors network traffic and matches it to known types of attacks. This approach would have stopped the Sasser and Korgo.W worms in their tracks since they exploited known vulnerabilities. Intrusion prevention rules are continually updated by your vendor. You also should be able to add new intrusion prevention rules yourself.
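To make the "vendor rules plus your own rules" idea concrete, here is an added example (not from the article or any IPS product) of a tiny rule engine. It parses a small subset of a Snort-style rule line, written for this example, with an action, protocol, addresses, ports and plain-text content options, then checks constructed packets against a vendor feed and one locally added rule. Every rule, marker string and packet is constructed; none corresponds to a real worm signature.

```python
import re
from dataclasses import dataclass

# Subset of a Snort-style rule line, supported by this example only:
#   action proto src sport -> dst dport (msg:"..."; content:"..."; ...)
# Plain-text content matches only; no hex bytes, offsets or other modifiers.
RULE_RE = re.compile(
    r"^(?P<action>alert|drop)\s+(?P<proto>tcp|udp)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str
    contents: list  # every byte string here must appear in the payload


def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    msg, contents = "", []
    for opt in m.group("opts").split(";"):
        key, _, value = opt.strip().partition(":")
        value = value.strip().strip('"')
        if key.strip() == "msg":
            msg = value
        elif key.strip() == "content":
            contents.append(value.encode())
    return Rule(m.group("action"), m.group("proto"), m.group("src"), m.group("sport"),
                m.group("dst"), m.group("dport"), msg, contents)


def load_rules(lines):
    """Parse a rule file's lines, skipping blanks and '#' comments."""
    return [parse_rule(l) for l in lines if l.strip() and not l.lstrip().startswith("#")]


def _matches(spec, value):
    """'any' matches everything; otherwise compare as a string."""
    return spec == "any" or spec == str(value)


def evaluate(rules, packet):
    """Check one packet against the rule set.

    Returns (verdict, messages): verdict is "drop" if any matching rule is a
    drop rule, else "pass". messages lists every rule that matched, so an
    alert-only rule is still logged even when another rule drops the packet."""
    verdict, hits = "pass", []
    for r in rules:
        if r.proto != packet["proto"]:
            continue
        if not (_matches(r.src, packet["src"]) and _matches(r.dst, packet["dst"])):
            continue
        if not (_matches(r.sport, packet["sport"]) and _matches(r.dport, packet["dport"])):
            continue
        if not all(c in packet["payload"] for c in r.contents):
            continue
        hits.append(r.msg)
        if r.action == "drop":
            verdict = "drop"
    return verdict, hits


# Constructed rules: two standing in for a vendor feed, one added locally.
VENDOR_RULES = [
    'drop tcp any any -> any 445 (msg:"vendor: constructed worm marker"; content:"EXAMPLE-WORM-MARKER";)',
    'alert tcp any any -> any 80 (msg:"vendor: constructed scanner user-agent"; content:"User-Agent: example-scanner";)',
]
LOCAL_RULES = [
    "# site-specific rule added by the administrator",
    'drop tcp any any -> 10.0.0.5 8080 (msg:"local: probe of internal admin path"; content:"/admin";)',
]

# Constructed packets using private and documentation-range addresses.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "203.0.113.9", "sport": 40000, "dst": "10.0.0.7", "dport": 445,
     "payload": b"\x00\x10EXAMPLE-WORM-MARKER\x00"},
    {"proto": "tcp", "src": "10.0.0.2", "sport": 51000, "dst": "10.0.0.5", "dport": 8080,
     "payload": b"GET /admin HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n"},
    {"proto": "tcp", "src": "10.0.0.2", "sport": 51001, "dst": "10.0.0.5", "dport": 8080,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n"},
    {"proto": "tcp", "src": "203.0.113.4", "sport": 40001, "dst": "10.0.0.7", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nUser-Agent: example-scanner\r\n\r\n"},
]


def run_demo():
    """Evaluate every sample packet; returns one (verdict, messages) pair per packet."""
    rules = load_rules(VENDOR_RULES + LOCAL_RULES)
    return [evaluate(rules, p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for packet, (verdict, hits) in zip(SAMPLE_PACKETS, run_demo()):
        print(f"{packet['src']} -> {packet['dst']}:{packet['dport']}  {verdict}  {hits}")
```

The point of the local rule is the one the article makes: the vendor feed knows about threats in general, but only you know that nothing outside a handful of hosts should ever request the admin path on an internal service, and a rule you write for that catches an unknown worm's traffic by its destination rather than by a signature you do not yet have.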

Use heuristic and signature-based antivirus software.

Most networks are already using this software. A recent addition is the ability for users to easily create their own virus signatures and to distribute them throughout their networks. This frees you from absolute dependence on your antivirus company.

Be aware of Microsoft holes.

It is no secret that Microsoft systems and programs are the most vulnerable to attack. Some software vendors have extended Microsoft's security by adding to Windows the concept of program permissions. Just as users have permissions for directories and files, programs can have permissions to access different parts of the operating system, giving you direct control over what they can and cannot do. Using applications with program permissions can help counter Windows-related vulnerabilities.

Will these suggestions eliminate network attacks? No. But they will go a long way toward minimizing the damage they do to networks and the critical data they hold.

Rob McCarthy is president of network security firm Lightspeed Systems.