South Korean engineer checks systems after a worm called "SQL Slammer" attacked internet servers in the country in 2003 Chung Sung-Jun/Getty Images

How Worms Get inside Data Centers and What Can Be Done about Them

WannaCry and Petya demonstrate that worms have come into their own, and keeping systems patched only goes so far toward protecting your data center against them.

Worms have been around since the early days of computers. They're a type of malware that propagates without any human intervention -- no need to click on bad links or open infected attachments.

But they've really come into their own this year, with the rapid spread of WannaCry and Petya -- and the associated damage costs.

"Traditional network log or behavioral analysis tools may not detect this kind of infection," said Ambuj Kumar, co-founder and CEO at Fortanix, a Mountain View, California-based security firm. "Keeping systems patched helps to a certain extent, but they are useless if worms exploit zero-day vulnerabilities."

Your DCIM Software Could Be an Open Door

Data centers need to have multiple points of connection to the internet, each a potential access point for malware.

"As modern events show, if any connected appliance or software on the perimeter can be openly found through the internet, it can have vulnerabilities which [can] be exploited maliciously," said Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies.

That includes devices used to manage physical infrastructure, she added.

Positive Technologies has found weaknesses in data center infrastructure management platforms, she said.

"This vulnerability in DCIM systems allowed attackers to remotely access unencrypted information on data center support systems such as fire suppression, backup generators, and others," she said. "This could be used in targeted incursions or wider attacks and could make life very difficult for the companies relying on data centers for business critical functions."

Restrict Access

Worms can spread much more quickly through a wide-open environment than one where networks are segmented, access is restricted, and the data is locked down.

For example, WannaCry and NotPetya took advantage of old file-sharing protocols like SMBv1.

"If you disable SMBv1, you stand a much better chance of not getting infected," said Simon Gibson, fellow security architect at Gigamon.

It can be hard to keep up with data center changes, he admitted.

"The rate of change and churn is staggering," he said. "Most companies build networks and by the time they’re deployed, they’ve already changed."

But it's important to understand how their networks work, what's running on them, and how they're all connected, he said.

"Then, when outbreaks hit you'll understand your risk profile," he said. "Simple -- not easy."
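The SMBv1 advice above is the one step in this section that can be turned directly into a procedure. The script below is an added example, not code from the article or from any vendor quoted in it; it audits which clients still negotiate SMBv1 (so you know what will break), then disables the protocol on both the server and client side of a Windows Server host. It assumes Windows Server 2016 or later, the SmbShare and ServerManager modules, and an elevated session.

```powershell
# Added example (not from the article): audit and disable SMBv1 on a Windows Server host.
# Assumes Windows Server 2016+ and an elevated PowerShell session; reboot afterwards.

# 1. Audit the current state before changing anything.
$serverCfg = Get-SmbServerConfiguration
$feature   = Get-WindowsFeature -Name FS-SMB1
Write-Host ("SMB1 server protocol enabled : {0}" -f $serverCfg.EnableSMB1Protocol)
Write-Host ("FS-SMB1 feature install state: {0}" -f $feature.InstallState)

# 2. Turn on SMB1 access auditing so clients that still speak SMBv1 show up in the event
#    log (Microsoft-Windows-SMBServer/Audit). Review this for a while before cutting them off.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force
Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# 3. Stop the server from accepting SMBv1 (applies to new connections immediately).
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 4. Remove the SMBv1 binaries so the protocol cannot be quietly switched back on.
$removal = Uninstall-WindowsFeature -Name FS-SMB1

# 5. Disable the SMBv1 client redirector (mrxsmb10) and drop it from the workstation
#    service's dependency list, so this host cannot be pushed into an SMBv1 session either.
sc.exe config mrxsmb10 start= disabled
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

# 6. Verify: the server flag must now be False and the feature removal must have succeeded.
$after = Get-SmbServerConfiguration
if (-not $after.EnableSMB1Protocol -and $removal.Success) {
    Write-Host 'SMBv1 disabled on server and client.'
    if ($removal.RestartNeeded -ne 'No') { Write-Host 'Reboot required to finish removing FS-SMB1.' }
} else {
    Write-Warning 'SMBv1 is still active on this host; check the steps above.'
}
```

Run the audit step alone first across the fleet (for example via Invoke-Command) and only disable once the audit log stops showing SMBv1 clients you still depend on.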

In addition, organizations should keep track of who accesses what data, said Ken Spinner, VP of field engineering at Varonis Systems.

This is similar to the way credit card companies monitor purchase behavior for fraud.

"WannaCry changed the world and proved that the illusion of the security perimeter is over," he said. "Ransomware is the canary in the coal mine for organizations to stop and take stock of how exposed their data is to attack."

Limit Applications

One security advantage that data center servers have over desktop machines is that they typically run a very specific set of applications. Anything that falls outside this set can be blocked without hurting user productivity.

Some data centers have an additional advantage if they are running software developed in-house.

Software-as-a-service providers, for example, have access to their own source code and can create custom software agents designed around the specific security needs of that software, said Manish Gupta, co-founder and CEO at ShiftLeft.

"Traditional security solutions are threat-based, because the onus of protecting applications is on the customers buying and deploying third-party applications, such as Microsoft Exchange or Oracle CRM, in their data centers," he said. "Without access to the source code of the software, however, data center managers have no choice but to treat the software as black boxes and protect it from the one thing that they can understand – known threats."

That means new types of attacks can get through.

"To take the traditional security approach of continuing to protect these SaaS applications with threat-based security tools is wasting a precious opportunity to rethink how security should be done," he said.

Assume Compromise

No security is perfect, said Fortanix's Kumar, so security leaders need to start out with the assumption that the attacker has already gotten in.

"They need to keep the data secure even after the system is already infected," he said.

That includes keeping data encrypted while both in transit and at rest.

"A malware or worm may try to dump the valuable information by reading the file or snooping network traffic, but it’s only going to get encrypted data," he said.

In addition, there are now tools to keep data encrypted while it is being used, he added, so that worms can't eavesdrop on memory processes, either.
