Fortunately Sasser turned out to not be such a big deal for most companies. After these major incidents, I think it is important to take a look back to assess what worked well, what didn’t work and whether we dodged a bullet through luck or skill.
1. Patches Patches Patches Patches
Companies that stayed up to date on patches were more likely to stay out of trouble with Sasser. The April 2004 patches were more problematic than most patches for the past year. Some companies held off patching due to reports of bad experiences. With nothing else in place, that left them vulnerable.
2. Personal Firewalls cover a multitude of sins
If a personal firewall is in place, it can block access to these worms. This gives the administrator more time to test the patches and roll them out in a gradual, measured fashion. That is always preferable to the Chinese fire-drill that can occur at outbreak time.
3. Know thy network
How will you know when you are infected? If your answer is when the routers get knocked offline, the servers yo-yo and the helpdesk line is ringing off the hook, you are in deep trouble.
Host based IDS and Network IDS along with honeypots and centralized logging are all ideas that could provide insight into the corporate network.
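As an added illustration of what centralized logging can buy you (this is example code written for this page, not anything from the original post), the script below reads a constructed, syslog-like firewall log and flags any host that, within a short window, has opened connections to many distinct internal addresses on one destination port. That connection pattern is how a scanning worm looks from the network side, and it shows up in a central log collector long before the routers fall over. The log format, the sample addresses and the thresholds are all assumptions made for the example.

```python
"""Flag worm-like scanning in centralized firewall logs (added example, not from the post).

A host that opens connections to many distinct internal addresses on the same
destination port within a short window behaves like a scanning worm rather
than a user or a server. A central log collector can run a check like this.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed (constructed) log layout, one event per line:
#   <ISO timestamp> <ACTION> <src>:<sport> -> <dst>:<dport> <proto>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.fromisoformat(d["ts"]),
        "action": d["action"],
        "src": d["src"],
        "dst": d["dst"],
        "dport": int(d["dport"]),
        "proto": d["proto"],
    }


def find_scanners(lines, window=timedelta(seconds=60), min_targets=20):
    """Return {(src, dport): peak_distinct_targets} for every source that touched
    at least `min_targets` distinct destinations on one port inside `window`."""
    events = defaultdict(list)  # (src, dport) -> [(timestamp, dst), ...]
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line; a real collector would count and alert on these too
        events[(ev["src"], ev["dport"])].append((ev["ts"], ev["dst"]))

    flagged = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        seen = {}  # dst -> number of events for that dst inside the current window
        for end, (ts, dst) in enumerate(evs):
            seen[dst] = seen.get(dst, 0) + 1
            # slide the window forward, dropping events older than `window`
            while ts - evs[start][0] > window:
                old = evs[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) >= min_targets:
                flagged[key] = max(flagged.get(key, 0), len(seen))
    return flagged


def build_sample_log():
    """Constructed sample log: one workstation doing ordinary file-share traffic,
    one malformed line, and one host sweeping 40 neighbours on a single port."""
    lines = []
    t0 = datetime(2004, 5, 3, 9, 0, 0)
    # Ordinary traffic: a workstation talking to two file servers over a minute.
    for i in range(10):
        ts = (t0 + timedelta(seconds=i * 6)).isoformat()
        lines.append(f"{ts} ALLOW 10.1.4.50:{2000 + i} -> 10.1.1.{10 + i % 2}:445 TCP")
    # A line that does not fit the format, to exercise the None branch.
    lines.append("2004-05-03T09:00:30 garbage that should be skipped")
    # Worm-like behaviour: 40 distinct hosts on one port in about 20 seconds.
    for i in range(40):
        ts = (t0 + timedelta(seconds=i // 2)).isoformat()
        lines.append(f"{ts} DENY 10.1.4.22:{1030 + i} -> 10.1.4.{100 + i}:445 TCP")
    return lines


if __name__ == "__main__":
    for (src, dport), n in sorted(find_scanners(build_sample_log()).items()):
        print(f"possible scanner {src}: {n} distinct hosts on port {dport} within the window")
```

The workstation only ever reaches two servers, so it never trips the threshold; the sweeping host does. The thresholds (60 seconds, 20 targets) are starting points to tune against your own baseline, which is exactly why the "know thy network" point matters: you cannot pick a sensible threshold for traffic you have never looked at.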
4. Plan now for what needs to happen in a virus emergency.
Rod Trent of myitforum.com had a good question recently. Are you the single point of failure in your enterprise patch management or your enterprise security?
It seems like every time I go on vacation or even attend a conference there is a major virus incident of some type. If you are the single point of failure, you need to document what you do in case of a virus outbreak, and you need to communicate that documentation to others.
I don’t think education is the cure-all for security vulnerabilities. But I’m not willing to abandon it altogether. Most people want to do the right thing. If you tell them what that is, and it isn’t too much of a hassle for them, they might actually follow the policy. I think that one thing that helped in this Sasser incident was the amount of press coverage it received. That caused a few users who otherwise might have connected their laptop to the network to instead contact the help desk.
To summarize, a secure network is so much more than keeping the antivirus up to date, and posting a security policy on the company Intranet.