In Depth
A Health-Care Provider Solves a Denial-of-Service Mystery
After daring a security vendor to prove his product worked, one network engineer ends up with a global solution for a denial-of-service attack.
By Scott Berinato
October 01, 2006 — CSO —
First, the firewalls just stopped responding. Then the network jammed up, and within hours, the network engineer, whom we'll call Cam Smith, had all IT hands on deck, engineers from vendor companies on the phone and frustrated execs on his back demanding updates. Maybe too regularly, Smith recalls. "I wanted to tell them, 'When we have an update we'll give it to you,' because a lot of times when they were asking, there was nothing new to tell them. We were trying to focus on the problem."
The problem would last three days, a virtual eternity for Smith's company, a midsize healthcare company with a network of hospitals (and one that forbids Smith from using his name or his company name in the press). Smith first characterizes the situation as "intermittent outages." When pressed, though, as if being forced to think about something he'd rather forget, he finally confesses, "We were down about 90 percent of the time. And we had poor quality of service when we were up. It was a terrible time." (Patient care systems were not affected, Smith says, in part due to backup systems. "But they very easily could have been," he adds.)
Smith's company is a "tweener," a midsize company, bordering on big, and probably big enough to consider forming a dedicated information security team. But so far, the company still folds security into the IT department. Smith is part of an ad hoc security committee made up of network engineers with enough security experience to handle incidents.
It was on the third day of the crisis that the team discovered the DoS (denial-of-service) attack, in which a high volume of legitimate but useless traffic floods a network and crashes it. "We could tell it was coming from somewhere inside our network, but we couldn't tell from where," he says. So Smith and company moved through the server room literally pulling plugs, one network zone at a time, to isolate the zone letting in all the DoS traffic.
This went on for about three hours, Smith says, until finally the team located the source of the attack: a single remote user on a dial-up connection, working from home on a company laptop, halfway across the country.
Smith called the employee and told her to disconnect the machine, and the network came back. Crisis over. Forensics commence. With the laptop shipped back to headquarters, Smith and his team scrubbed it and found links to a malicious website that used ActiveX to take over the computer and launch the DoS attack. The employee had downloaded a toolbar she had used at her previous job. What