SecurityFocus 2003-08-19
The Slammer worm penetrated a private computer network at Ohio's Davis-Besse nuclear power plant in January and disabled a safety monitoring system for nearly five hours, despite a belief by plant personnel that the network was protected by a firewall, SecurityFocus has learned.
Slammer worm crashed Ohio nuke plant network
2003-08-20
JeiAr (1 replies)
Slammer worm crashed Ohio nuke plant network
2003-08-20
Dmitriy <maniac (at) angrycube (dot) com [email concealed]> (4 replies)
Slammer worm crashed Ohio nuke plant network
2003-08-20
Anonymous (1 replies)
Slammer worm crashed Ohio nuke plant network
2003-08-21
Anonymous (1 replies)
Slammer worm crashed Ohio nuke plant network
2003-08-20
Anonymous (1 replies)
Slammer worm crashed Ohio nuke plant network
2003-08-20
Anonymous (1 replies)
Microsoft Windows in Mission Critical Environments
2003-08-22
Ryan Lambert (8 replies)
Slammer worm crashed Ohio nuke plant network
2007-05-19
mg (at) alienmicro (dot) com [email concealed]

Second, a firewall does no good if there are other routes with no protection. All modems, leased lines, etc. should go through an approval process. Ideally the number of Internet and inter-organization connections would be kept to a minimum.
Third, why were they dependent on the external firewall for protection of critical systems? Those systems should have been on a dedicated network with little or no connectivity with the rest of the company. If they wanted to be able to monitor from their PCs, a serial cable or one-way Ethernet connection could be used.
Then you must consider that there are many ways a worm can get around a firewall. If you have employees with laptops, they may become infected at home, and then plug into the company network. Many worms are also able to spread when people view web pages on an infected server. This means the systems should be hardened even if they are "protected".
Critical systems should be:
a) separated from the normal network
b) kept patched
c) not run services they are not using
d) be monitored for suspicious use or traffic patterns
e) should have backup systems which use different software (they did this)
f) should have disaster recovery plans
Really it's just a lack of security-in-depth and awareness of the threat.
Link to this comment: http://www.securityfocus.com/comments/articles/6767/21717#21717
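
An added example, not part of the original comment or article: one way to check items (a) and (d) of the checklist above against flow records, flagging any unapproved flow that crosses the critical-network boundary and any source that fans out to many hosts on one port. The subnet, the approved flow, the threshold and the sample records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed addressing plan (hypothetical): the dedicated critical segment.
CRITICAL_NET = ipaddress.ip_network("10.50.0.0/24")
# Assumed approved boundary crossing: one outbound export to a log host,
# standing in for the one-way monitoring link the comment suggests.
APPROVED = {("10.50.0.30", "192.168.10.5", "tcp", 6514)}
# Assumed threshold: distinct destinations per (source, proto, port).
FANOUT_THRESHOLD = 3

# Constructed flow records: (src, dst, proto, dst_port).
FLOWS = [
    ("10.50.0.10", "10.50.0.20", "tcp", 502),      # inside the segment
    ("10.50.0.30", "192.168.10.5", "tcp", 6514),   # approved export
    ("192.168.10.77", "192.168.10.5", "udp", 1434),
    ("192.168.10.77", "192.168.10.6", "udp", 1434),
    ("192.168.10.77", "10.50.0.20", "udp", 1434),  # laptop reaching in
    ("192.168.10.5", "10.50.0.30", "tcp", 22),     # unapproved inbound
]

def audit(flows, critical=CRITICAL_NET, approved=APPROVED,
          fanout=FANOUT_THRESHOLD):
    """Return (boundary_violations, fanout_sources) for the given flows."""
    violations = []
    targets = defaultdict(set)
    for src, dst, proto, port in flows:
        src_in = ipaddress.ip_address(src) in critical
        dst_in = ipaddress.ip_address(dst) in critical
        # Exactly one endpoint inside the segment means the flow crossed
        # the boundary; only explicitly approved crossings are allowed.
        if src_in != dst_in and (src, dst, proto, port) not in approved:
            violations.append((src, dst, proto, port))
        targets[(src, proto, port)].add(dst)
    # One source contacting many hosts on the same port is the traffic
    # pattern a scanning worm produces.
    scanners = sorted(k for k, v in targets.items() if len(v) >= fanout)
    return violations, scanners

if __name__ == "__main__":
    crossed, scanners = audit(FLOWS)
    for flow in crossed:
        print("boundary violation:", flow)
    for src, proto, port in scanners:
        print(f"fan-out: {src} -> {proto}/{port}")
```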