March, 2003
Lab to Increase Scanning for Computer Vulnerabilities
While the Lab has deployed a number of tactics on LBNL's electronic frontier to protect us from outside cyberattacks, the Computer Protection Program also has several tools it uses to find vulnerabilities internally - and correct them before they can be exploited.

At the Computer Protection Program's monthly brown-bag session in March, Jay Krous of ITSD talked about how Lab computers are electronically scanned for known vulnerabilities. A vulnerability, Krous said, is a specific issue with a computer that allows an attacker to do something that he or she shouldn't be able to do. This could include gaining access to data, using the computer to access other systems, spreading system-debilitating viruses or worms, or taking control of the system.

For example, a little-known vulnerability in some Windows systems allowed the SQL Slammer worm to infect seven Lab computers in January. Krous proposes that this could have been prevented with proper identification and patching of the vulnerability used by the worm.

In the past, the Lab conducted quarterly scans for such vulnerabilities. Monthly checks for "hot" vulnerabilities, such as the recent WebDAV and sendmail vulnerabilities, were added to increase scanning frequency, Krous said. Owners of vulnerable systems are notified, and if patches are not applied in a timely manner, the systems’ Internet access is blocked to protect them from outside attackers.

However, with the growing number of attacks and attackers, along with greater scrutiny of the Lab by outside agencies, this internal scanning and blocking will be cranked up a few notches, Krous said. The new goal is to conduct daily scans of all Lab computers, and block the vulnerable systems within a period ranging from the same day to a week, depending on the severity of the vulnerability. "Things need to get fixed quickly," he said.

Krous said outside attacks fall into three categories. At the top are "crackers," described by Krous as "bad, smart people" who identify vulnerabilities and write software to exploit them. The second level is known as "script kiddies," an unsophisticated group who take advantage of the crackers' software to attack. Finally, there are software worms, which are automated attacks that generally spread quickly.

To try to keep ahead of them, the Lab uses four levels of scanning to look for vulnerabilities. The most general, called port scans, are aimed at identifying specific daemons or services running on a machine. The second level, called banner scanning, can be used to check versions of daemons or services. Servers can then be further scrutinized using response probes, consisting of specially crafted packets; based on how the probed systems respond, vulnerabilities can be identified. Finally, the most intensive form of scrutiny is actual exploitation, in which exploit code can actually break into the computer. Special tools make this easy, said Krous, citing software that can test nearly 800 passwords in one second.

By keeping aware of vulnerabilities as they are found and applying the proper patches, computer users can make sure their systems are secure, Krous said. He also noted that the process of keeping systems secure can be complicated and time consuming. “ITSD offers many solutions, from managing systems to time and material calls, to assist system owners with security.”

However, staff members should not look for vulnerabilities on their own by conducting scans of Lab computer systems, as this is considered an unfriendly attack, Krous added.

Read more about scans on the Computer Protection Program's Scanning Web page. The Computer Protection Program also offers tips on choosing hard-to-guess passwords. In addition, you can read more about computer security and access guides to secure your system on the Computer Protection Program's Web page.