Denial of service and the worm

When Worm.ExploreZip hit corporate networks a few weeks ago, I was sitting in the lobby of a large corporation waiting to interview the security director of the firm’s electronic commerce subsidiary. When he finally arrived, he told me that the corporate bigwigs had shut down all Internet mail access and, as a result, the e-commerce subsidiary would lose “hundreds of thousands or millions of dollars.”

The firm’s corporate IS group and other units were vulnerable to the worm, so upper management cut off all incoming e-mail at the firewall to buy time for inoculating various Microsoft Exchange servers and gateways. But because e-mail is the e-commerce subsidiary’s lifeblood, its security group had already deployed measures to deal with the worm. Hence the security director’s frustration with the decision to shut down e-mail corporate-wide.

This episode illustrates that worms and viruses are not only disruptive and destructive, they’re also denial-of-service attacks. Like a bomb scare, a virus threat can cause disruption and economic damage even if no physical damage occurs. But while a physical bomb affects only one location, viruses are everywhere.

We’ve also seen that corporate capabilities to combat viruses are a mixed bag. This kind of problem will get worse if random acts of vandalism, such as the Worm.ExploreZip and Melissa viruses, evolve into more sophisticated information warfare, including information terrorism between competing nations, corporations and other groups. Worm.ExploreZip, which targets Microsoft, already looks like information warfare.

The attacks seem to be occurring more frequently, and the denial-of-service implications are increasingly obvious. The days when enterprises could just shut down Internet mail are coming to an end. E-mail is too mission-critical to be cut off everywhere.

Containing viruses requires a layered defence. Install countermeasures in firewalls, gateways, servers and desktops. Deploy intrusion-detection technology that brings your network to a heightened state of alert and increases scanning at the first sign of trouble. Also, increase end-user education efforts and lean on the ISPs — they should bear some responsibility for letting viruses propagate through their networks to yours.

Dealing with the denial of service requires clearly communicated policies. Where business units sharing a messaging network have different defensive capabilities or risk tolerances, and where the criticality of e-mail varies across units, IS departments must find ways to selectively quarantine incoming mail or other forms of connectivity. At a minimum, get the business units to agree to general contingency protocols in advance, or allocate funding to build the flexibility they say they must have.
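The two preceding paragraphs describe a gateway that escalates to a heightened state of alert at the first sign of trouble and that quarantines selectively, per business unit, instead of cutting off mail corporate-wide. The following is an added example of such a policy engine; it is not code from the column or from any product it mentions. The business units, their domains, the agreed risk postures, the list of executable attachment extensions and the escalation threshold are all constructed for illustration.

```python
"""Per-business-unit quarantine on a shared mail gateway.

Added example, not from the original column. Business units, domains,
attachment rules and the escalation threshold are all constructed.
"""
from dataclasses import dataclass
from email import message_from_string
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import getaddresses
from typing import List, Optional
import os

# Constructed: the risk posture each unit agreed to in advance.
# "strict" units never receive executable attachments; "tolerant" units
# run their own countermeasures and accept the message body with the
# attachment held back, except while the gateway is on heightened alert.
UNIT_POLICY = {
    "ecommerce.example.com": "tolerant",
    "corp.example.com": "strict",
}

# Constructed: attachment extensions treated as executable content.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs"}

ALERT_NORMAL, ALERT_HEIGHTENED = 0, 1


@dataclass
class Decision:
    action: str            # "deliver", "deliver-stripped" or "hold"
    attachments: List[str]  # executable attachment names found
    reason: str


def recipient_unit(msg: Message) -> str:
    """The business unit is derived from the first recipient's mail domain."""
    addrs = getaddresses(msg.get_all("To", []))
    if not addrs:
        return ""
    return addrs[0][1].rsplit("@", 1)[-1].lower()


def executable_attachments(msg: Message) -> List[str]:
    """Walk every MIME part and collect filenames with executable extensions."""
    names = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename and os.path.splitext(filename)[1].lower() in EXECUTABLE_EXTENSIONS:
            names.append(filename)
    return names


@dataclass
class Gateway:
    escalate_after: int = 3      # constructed threshold for heightened alert
    alert: int = ALERT_NORMAL
    executables_seen: int = 0

    def decide(self, raw: str) -> Decision:
        msg = message_from_string(raw)
        exes = executable_attachments(msg)
        if not exes:
            return Decision("deliver", [], "no executable attachments")
        # Every executable attachment is a sign of trouble; after enough of
        # them the whole gateway moves to heightened alert.
        self.executables_seen += 1
        if self.executables_seen >= self.escalate_after:
            self.alert = ALERT_HEIGHTENED
        unit = recipient_unit(msg)
        policy = UNIT_POLICY.get(unit, "strict")  # unknown unit fails closed
        if policy == "strict":
            return Decision("hold", exes, f"{unit or 'unknown unit'} is strict")
        if self.alert >= ALERT_HEIGHTENED:
            return Decision("hold", exes, f"{unit} is tolerant but gateway is on heightened alert")
        return Decision("deliver-stripped", exes, f"{unit} is tolerant; attachment held, body delivered")


def build_sample(to: str, attachment_name: Optional[str] = None) -> str:
    """Constructed MIME message for exercising the policy offline."""
    msg = MIMEMultipart()
    msg["From"] = "sender@outside.example.net"
    msg["To"] = to
    msg["Subject"] = "Re: your document"
    msg.attach(MIMEText("Please see the attached file.", "plain"))
    if attachment_name:
        part = MIMEApplication(b"constructed-bytes", Name=attachment_name)
        part["Content-Disposition"] = f'attachment; filename="{attachment_name}"'
        msg.attach(part)
    return msg.as_string()


if __name__ == "__main__":
    gw = Gateway()
    for to, name in [("ops@corp.example.com", "invoice.exe"),
                     ("sales@ecommerce.example.com", "invoice.exe"),
                     ("sales@ecommerce.example.com", "quote.txt"),
                     ("sales@ecommerce.example.com", "update.scr"),
                     ("sales@ecommerce.example.com", "report.exe")]:
        d = gw.decide(build_sample(to, name))
        print(f"{to:32} {name or '-':12} alert={gw.alert} {d.action:16} {d.reason}")
```

Run as a script, the sample sequence shows the strict unit's message held immediately, the tolerant unit's first executable delivered with the attachment stripped, and, once the third executable trips the alert, the tolerant unit's later messages held as well. The point of the design is that the shared gateway enforces the contingency protocol each unit agreed to beforehand rather than a single corporate-wide shutdown, and that an unknown unit fails closed.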

Don’t let denial of service threaten the basic consensus on which your shared messaging network depends.