Operational and Organizational Security: Incident Response • Chapter 11 657
than losing the ability to dial in remotely. However, if the threat has a severe
enough risk of loss associated with it, the vulnerability should be removed.
Failing to fix a known vulnerability increases the likelihood of a threat
occurring, so whenever possible, administrators should take steps to minimize the
impact or likelihood of the risk. For example, suppose a bug exists in the Web server
software that would enable a hacker to access sensitive areas of the system or
gain entry to the network. Until a bug fix or service pack is installed, the
vulnerability continues to exist. The longer it remains, the greater the chance that
someone will discover and exploit it. Once someone does, the details can be shared
with other hackers, increasing the frequency of resulting incidents. To reduce the
likelihood of the threat occurring in the first place, vulnerabilities should be
removed as soon as they are discovered.
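The argument above is about an exposure window: the time between a fix becoming available and the fix being applied, during which discovery and exploitation become more likely. The following script is an added example (not code from the original book) that measures that window across a host inventory, reports what fraction of hosts are still unpatched, shows which hosts were exposed when an exploit appeared, and orders the remaining work by criticality. The host names, roles and criticality scale are hypothetical; the patch and exploit dates are the August 9 release and four-day gap from the Zotob case discussed on this page.

```python
"""Patch-exposure report: how long each host stayed unpatched after a fix was
released, and which hosts were still exposed when an exploit appeared.
Added example with a constructed inventory; nothing here is real DHS data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Dates as given in the text: patch on August 9, 2005, worm four days later.
PATCH_RELEASED = date(2005, 8, 9)
WORM_RELEASED = PATCH_RELEASED + timedelta(days=4)


@dataclass
class Host:
    name: str
    role: str                    # e.g. "border-screening", "desktop"
    criticality: int             # assumed scale: 1 (highest) .. 5 (lowest)
    patched_on: Optional[date]   # None means the fix has never been applied


def exposed_at(host: Host, when: date) -> bool:
    """True if the host had no fix applied by the date `when`."""
    return host.patched_on is None or host.patched_on > when


def exposure_days(host: Host, as_of: date) -> int:
    """Days the host sat unpatched after the fix was released, counted up to
    the day it was patched or, if still unpatched, up to `as_of`."""
    end = host.patched_on if host.patched_on is not None else as_of
    return max((end - PATCH_RELEASED).days, 0)


def compliance_report(hosts, as_of: date) -> dict:
    """Summarize patch status as of a given date."""
    unpatched = [h for h in hosts if exposed_at(h, as_of)]
    exposed_to_worm = [h for h in hosts if exposed_at(h, WORM_RELEASED)]
    return {
        "unpatched_pct": round(100 * len(unpatched) / len(hosts)),
        "unpatched": [h.name for h in unpatched],
        "exposed_at_worm_release": [h.name for h in exposed_to_worm],
        "worst_exposure_days": max(exposure_days(h, as_of) for h in hosts),
    }


def patch_order(hosts) -> list:
    """Still-unpatched hosts, most critical first. Patching in this order is
    the opposite of fixing desktops before the screening workstations."""
    todo = [h for h in hosts if h.patched_on is None]
    return [h.name for h in sorted(todo, key=lambda h: (h.criticality, h.name))]


# Constructed inventory (hypothetical hosts, not taken from the original page).
INVENTORY = [
    Host("visit-ws-01", "border-screening", 1, None),
    Host("visit-ws-02", "border-screening", 1, date(2005, 8, 19)),
    Host("desk-101", "desktop", 4, date(2005, 8, 12)),
    Host("desk-102", "desktop", 4, date(2005, 8, 15)),
    Host("mail-01", "mail-gateway", 2, None),
]

if __name__ == "__main__":
    report = compliance_report(INVENTORY, date(2005, 8, 19))
    for key, value in report.items():
        print(f"{key}: {value}")
    print("patch next:", patch_order(INVENTORY))
```

Run against a real inventory, the `unpatched_pct` figure is the number the text says the DHS ended up with (28 percent), and `patch_order` is the list the administrators should have been working from; the `exposed_at_worm_release` list is the set of hosts that need to be treated as possibly compromised, not merely unpatched.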
Head of the Class…
The Importance of Virus Updates
Everyone stresses the importance of applying patches and updating the
signature files for anti-virus software, but all too often individuals and
organizations don’t do these updates on a daily or even routine basis. In
August of 2005, many corporations and government agencies found out
how lax their update policies were when the Zotob Worm infected
their systems.
Hackers Farid Essebar (also known as Diabl0) and Achraf Bahloul
developed the Zotob Worm, which exploited a vulnerability in Windows
2000’s Plug and Play service (the flaw addressed by Microsoft security
bulletin MS05-039). Although Microsoft released a security patch for this
vulnerability on August 9, and the worm wasn’t released until four days
later, a large number of organizations failed to apply the patch and were
thereby infected. Some of the organizations that were hit by the worm
included the New York Times, ABC, CNN, and the Department of
Homeland Security (DHS).
When the worm infected the DHS, it moved through systems until it
finally reached U.S. Immigration and Customs Enforcement (ICE) and
the US-VISIT border screening system. When the US-VISIT workstations
became infected, the system essentially became useless, resulting in
border delays and entrants having to be processed manually. To make
matters worse, after the worm infected its systems, the DHS failed to focus
on the 1,300 US-VISIT workstations and concentrated on patching desktop
computers instead. It wasn’t until August 19 that the systems were returned
to normal, and even then 28 percent of the computers remained unpatched.
Ironically, these incidents at the DHS are a good example of poor
security policy and of the need to be diligent with updates. To be fair
though, the incident was obviously an embarrassment to them, as after
Continued
www.syngress.com