Code Red Tests Security Readiness

Last month's scramble to fend off and respond to the latest computer virus showed the Web is risky. But experts stress avoiding the Internet is riskier still.

As cyberlife becomes all the more routine, virus attacks seem to strike with the regularity of seasonal flu epidemics. And like flu epidemics, one never knows when computer bugs are going to be especially virulent.

Prudence demands that companies be prepared for the worst, and Code Red (and its subsequent variants) certainly showed that a little prophylaxis can go a long way in warding off trouble.

Code Red's first strikes were reported mid-July, and it was classified as a "worm" because of its self-replicating capabilities, according to Vince Castanza, intrusion detection engineer at e-commerce security vendor Reston, VA-based Veritect.

"Worms a have the potential to both damage a host and to interfere with networks and services because of the way they spread," Castanza says. "They're not typically set up to deface or control a site, but vulnerable systems can't tell the difference between the worm or a valid user connecting," and as the worm connects and rapidly multiplies it overwhelms systems, denying legitimate users service.

Code Red was specifically designed to attack Microsoft (Redmond, WA) Windows NT 4.0 and 5.0 running Microsoft Internet Information Server (IIS) software, according to Castanza. A few days after the initial appearance of the worm, well over 300,000 systems were infected, he says. "It almost brought the Internet down. Had more systems been running IIS, the Net could have been brought to a screeching halt." Castanza says that roughly 35 percent of systems run IIS, and about 60 percent run Apache Software Foundation's (Lincoln, NE, formerly Apache Group) Apache Server.

Because Code Red mimics legitimate users, most intrusion systems would not have detected the worm, Castanza says. However, sophisticated instrusion detection systems would have protected otherwise vulnerable sites, he adds.

"Code Red sends an inordinate amount of information in the URL—over 40 characters—and most sensitive intrusion detection systems will detect that," according to Castanza.

Firewalls Are Key

Castanza hastens to add that detection and inhibition are two different things. "You need a good firewall set up to actually block this," he says. "People who didn't understand what was taking place shut their systems down, but those who knew what was going on did a quick patch of their system."

Code Red was specifically designed to attack Microsoft Windows NT 4.0 and 5.0 running Microsoft Internet Information Server (IIS) software, and in the wake of the early attacks, the software giant issued patches free of charge to users.

"Organizations that heeded early warnings and took the proper precautions by installing patches and virus updates would not have been infected, other than by e-mail traffic load from other companies that did not take the same precautions," says Josh Lee, global technical strategist for insurance, Microsoft.

Still, many companies must not have been so responsible, since approximately 760,000 systems were eventually infected, with estimated repair and lost productivity costs reaching as high as $2.4 billion, according to an estimate by Carlsbad, CA-based research firm Computer Economics published in August.

"Ironically, the people impacted more seriously by events such as Code Red are those who are more leading edge, who use the Web to do more processing, versus just as some kind of marketing tool," says William Ulrich, president of Tactical Strategy Group, a Soquel, CA-based consulting firm.

Of course, not all such leading-edge firms were affected, Ulrich acknowledges. "Those companies that have gone through the time and effort to secure their environments would not have been hit so hard. But those who put in this type of access to their back-end systems and then started thinking about security got nailed. Of course security is the first thing you need to think about, not the last."

More Security $$ Needed

Ulrich asserts that many companies are not spending enough time or capital on securing Web environments. "The funding to have concerted security expertise is not in place in a lot of companies," he says. "They're giving the responsibility to the Web administrator or someone else as a part-time job."

While large financial services companies usually have the money and inclination to ensure state-of-the-art security measures, Veritect's Castanza says, nevertheless, "you'd be surprised. Without naming names, I can tell you that there are certain banks I wouldn't put my money in."

Insurance Is on Track

Bill Friel, CIO, Prudential Financial (Newark, NJ; $371 billion in assets), contends that, by and large, financial institutions recognize the investment required to safeguard their systems, noting, "CIOs in the larger companies are doing everything that leaders in other industries are doing as a normal part of their organizational structure. Large, sophisticated companies recognize that you need to spend money" on security, according to Friel..

One has to accept that there will always be threats, however, and measures should be taken, Friel advises. "Firms need to be involved with networks of companies focused on identifying these types of attacks. They need to be very aware of the Internet world, both geographic and electronic, they need to use the networking process to obtain files containing the latest worms and they need to establish a network of firewalls," according to Friel.

Friel agrees that it is, ironically, the technologically bold that are more vulnerable, and acknowledges that there was some minor penetration of Prudential's systems by Code Red.

Safety Is No Excuse

But, Friel says, "I would strongly urge companies not to use issues related to security as a reason not to go on the Internet. If you're not on the Web you escape those threats, but you face far bigger ones from not keeping pace with the marketplace."

Anthony O'Donnell has covered technology in the insurance industry since 2000, when he joined the editorial staff of Insurance & Technology. As an editor and reporter for I&T and the InformationWeek Financial Services of TechWeb he has written on all areas of information ... View Full Bio