Vulnerabilities

Vulnerabilities: flaws in systems that allow them to be exploited; they provide the means for attackers to compromise hosts, servers and networks.


Vulnerabilities

• flaws in systems that allow them to be exploited

• provide means for attackers to compromise hosts, servers and networks


Vulnerabilities

• 2 flavors

• bugs – programming mistakes

• errors in code that could cause a system to hang, fall into an insecure state, or allow root access

• incorrect firewall/router/IDS rules

• flaws – improper design

• failing to account for all possibilities in design leads to code with vulnerable ‘features’


Vulnerabilities

• 2-edged sword

• publishing vulnerabilities and patches is the only way to fix the problem

• once published – the network of hackers is aware of the vulnerability

• patch management is a MAJOR security problem!


Vulnerabilities

• ‘Security by Obscurity’

• attempts to use secrecy to prevent knowledge of vulnerabilities

• vendors of proprietary code are often accused of this

• zero-day attack

• attack takes place during the window between when a vulnerability becomes known and when a patch is released


Between a ‘rock and a hard place’

• what do you do if you discover a vulnerability in a product and a patch is not available?

• do you keep it secret until a patch is developed?

• this leaves customers vulnerable

• the vendor may not work to fix it since there is no pressure

• do you publicize it to put pressure on the vendor?

• knowing that by doing so you have notified all of the hacker community


Between a ‘rock and a hard place’

Example 1:

• in 2009 Microsoft announced a vulnerability in the SMB subsystem that could leave servers open to a DoS attack

• there was no patch yet

• IT managers had two choices

• disable SMB – meaning some systems would not work

• wait for patch and pray there would not be an incident


Between a ‘rock and a hard place’

Example 2:

• in 2008 a Massachusetts District Court judge ordered MIT students NOT to present information at DefCon regarding a vulnerability in the MBTA ‘CharlieTicket’ system

• judge said intent was not to silence students but enforce a reasonable period during which a fix could be found

• the gag order was overturned, but not until after DefCon had concluded

http://www.informationweek.com/news/security/vulnerabilities/210002185


Vulnerability Management

• many strategies for managing vulnerabilities

• vulnerability scanners

• vulnerability notification

• vulnerability information online through CERT

• vulnerability and penetration testing services

• these go hand-in-hand with adequate patch management


Vulnerability Scanners

• programs that scan a network, host or application for known vulnerabilities

• Types

  • port scanner – looks for open ports (nmap)

  • network enumerator – provides information on groups, usernames, shares and services (nmap and nessus)

  • network vulnerability scanner – looks for vulnerabilities in network resources and servers (nessus, SAINT)

  • Web application security scanner – looks for vulnerabilities in Web servers and scripts (SAINT, Metasploit Pro)

  • database security scanner – looks for vulnerabilities in DBMS and SQL code (Safety Lab Shadow)


Vulnerability Notification

• many vendors will either mail a notification or post to a Web site when a vulnerability has been found and how to patch it

• services exist that maintain vulnerability lists for multiple products and will provide notification

• with many of these you provide a list of the software and versions in your organization


Vulnerability Notification

• examples

• Vupen Security vulnerability services

http://www.vupen.com/english/services/

• SecureNet Solutions vulnerability notification service

http://www.securenetsol.com/am_trial_terms.html

• Secunia CSI, free for home users

http://secunia.com/vulnerability_scanning/personal/


Vulnerability Notification

• CERT (Computer Emergency Response Team) at CMU

• provides weekly list of known vulnerabilities

• organization security team matches inventory of software and versions to this list

http://www.cert.org/advisories/

http://www.us-cert.gov/cas/bulletins/
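The matching step described above (inventory of software and versions against a published vulnerability list), as an added example that is not part of the original slides. The advisory format, the advisory ids and the inventory are constructed assumptions; real CERT bulletins are not in this shape.

```python
# Added example: match an installed-software inventory against an advisory list.
# Advisory ids, products and versions below are constructed for illustration.

def parse_version(v):
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically.
    Comparing the raw strings would rank '1.9.0' above '1.10.0'."""
    return tuple(int(part) for part in v.split("."))

# Constructed advisory list: each entry names the product and the first
# version that carries the fix; every version below it is affected.
ADVISORIES = [
    {"id": "ADV-0001", "product": "examplemail", "fixed_in": "3.2.0", "severity": "high"},
    {"id": "ADV-0002", "product": "webapp-fw", "fixed_in": "1.10.0", "severity": "medium"},
    {"id": "ADV-0003", "product": "dbserver", "fixed_in": "12.4", "severity": "critical"},
]

# Constructed inventory: what the organisation has installed, per host.
INVENTORY = [
    {"host": "mail01", "product": "examplemail", "version": "3.1.7"},
    {"host": "web01", "product": "webapp-fw", "version": "1.9.0"},
    {"host": "web02", "product": "webapp-fw", "version": "1.10.2"},
    {"host": "db01", "product": "dbserver", "version": "12.4"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def is_affected(installed, fixed_in):
    """An install is affected when it is older than the fixed version."""
    return parse_version(installed) < parse_version(fixed_in)

def match_advisories(inventory, advisories):
    """Return (host, product, version, advisory id, severity) for every
    unpatched install, most severe first, so the team can prioritise."""
    findings = []
    for item in inventory:
        for adv in advisories:
            if item["product"] == adv["product"] and is_affected(item["version"], adv["fixed_in"]):
                findings.append((item["host"], item["product"], item["version"],
                                 adv["id"], adv["severity"]))
    findings.sort(key=lambda f: SEVERITY_RANK[f[4]])
    return findings

if __name__ == "__main__":
    for host, product, version, adv_id, sev in match_advisories(INVENTORY, ADVISORIES):
        print(f"{sev:8} {host}: {product} {version} affected by {adv_id}")
```

Note that web02 (1.10.2) and db01 (exactly the fixed version) are correctly left out; a naive string comparison would have flagged web02 instead of web01.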


Threats – the counterpart to vulnerabilities

• threats exploit vulnerabilities

  • vulnerability – you left your car unlocked

  • threat – criminals going through shopping center parking lots looking for unlocked cars

• Fortinet’s FortiGuard Center Threat Research and Response Center provides Threat reports and advisories

http://www.fortiguard.com/

• Awareness of threat landscape can help to prioritize vulnerabilities


Top 3 Application Vulnerabilities

1 – Buffer overflow

• software may not enforce array bounds

• can allow buffers (arrays used for I/O) to overflow and overwrite adjacent memory, including control data such as return addresses

• some malware works this way: ‘smashing the stack’

• mainly aimed at systems that allow code to be executed with privileged rights

• best addressed in design and programming

• patches can often fix this in vendor-supplied software

http://www.windowsecurity.com/articles/Analysis_of_Buffer_Overflow_Attacks.html

http://www.youtube.com/watch?v=kZZgNnhxA_4 (6 min)


Top 3 Application Vulnerabilities (according to CERT)

2 – Cross-site scripting

• code is injected into communications from a Web site

• most ‘drive-by’ malware uses this method

• often relies on social engineering to get the user to follow a link (banks are especially targeted)

• Web script writers can validate input and cleanse output

• script disabling (although not always practical)

• use of a least-privilege account

http://www.ibm.com/developerworks/tivoli/library/s-csscript/
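The two defences the slide names for script writers, validating input and cleansing output, as an added example that is not from the original slides. The display-name policy, the page fragments and the test string are constructed assumptions; the escaping relies on Python's standard `html.escape`.

```python
# Added example: input validation plus output cleansing for a Web page fragment.
# The name policy and HTML fragments are constructed for illustration.
import html
import re

# Input validation: a display name may contain letters, digits, space, dot,
# apostrophe and hyphen, 1-40 characters (constructed policy).
NAME_RE = re.compile(r"^[A-Za-z0-9 .'\-]{1,40}$")

def validate_display_name(name):
    """Reject anything that is not plausibly a name before it is stored."""
    return bool(NAME_RE.match(name))

def render_greeting_unsafe(name):
    """The vulnerable pattern: untrusted data concatenated straight into HTML,
    so any markup in the value becomes part of the page the browser runs."""
    return "<p>Welcome back, " + name + "!</p>"

def render_greeting(name):
    """Output cleansing: escape <, >, &, quotes before the value lands in HTML
    text. Needed even for validated names: O'Brien passes validation but the
    apostrophe must still be neutralised for attribute contexts."""
    return "<p>Welcome back, " + html.escape(name, quote=True) + "!</p>"

def render_title_attr(name):
    """Same escaping inside a quoted attribute; quote=True covers ' and \"."""
    return '<a title="' + html.escape(name, quote=True) + '" href="/profile">profile</a>'

if __name__ == "__main__":
    for candidate in ["O'Brien", "<b>bold</b>"]:
        print(validate_display_name(candidate), render_greeting(candidate))
```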


Top 3 Application Vulnerabilities (according to CERT)

3 – SQL injection

• commands passed through a Web form to the SQL DBMS

• can exploit missing input validation to read or change data, or even gain control of the server

• solution is to add code to validate input

http://www.youtube.com/watch?v=jMQ2wdOmMIA (3 min)
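What "commands passed through a Web form" means in code, and what the validation fix looks like in practice, as an added example that is not from the original slides. The users table, its rows and the username policy are constructed; the database is Python's built-in sqlite3 in memory, so it runs offline.

```python
# Added example: a form field reaching the DBMS, vulnerable and hardened forms.
# Table, rows and username policy are constructed for illustration.
import re
import sqlite3

def make_db():
    """Constructed in-memory users table standing in for the real DBMS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def find_user_unsafe(conn, username):
    """Vulnerable pattern: the form value is pasted into the SQL text, so
    quote characters in the value change the statement the DBMS executes."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def find_user(conn, username):
    """Hardened form: the value travels as a bound parameter and is never
    parsed as SQL, whatever characters it contains."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Input validation on top of parameterisation: usernames are lowercase
# letters and digits, 1-32 characters (constructed policy).
USERNAME_RE = re.compile(r"^[a-z0-9]{1,32}$")

def lookup_from_form(conn, field_value):
    """What the Web layer should do: validate first, then query safely."""
    if not USERNAME_RE.match(field_value):
        return None          # reject at the boundary; do not touch the DBMS
    return find_user(conn, field_value)

if __name__ == "__main__":
    db = make_db()
    print(lookup_from_form(db, "alice"), lookup_from_form(db, "x' OR '1'='1"))
```

The tautology string in the test is the standard check a reviewer runs against a lookup like this: it returns every row from the unsafe function and nothing from the parameterised one.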


Vulnerability Management

Gartner defines 6 steps for vulnerability management

• define policy

• baseline the environment

• prioritize vulnerabilities

• mitigate vulnerabilities

• maintain and monitor


Patch Management

• requires coordinated effort

  • knowing which patches are available

  • testing patches

  • scheduling patch installation

http://www.patchmanagement.org/pmessentials.asp

• however – many systems remain unpatched

• some applications (such as firefox) push patches

• others (such as adobe) allow users to decide


Patch Management

• although recognized as a major security problem, patch management is seen as a burden by traditional IT management

  • it sucks up resources

  • it adds nothing to the bottom line

http://www.computerworld.com.au/article/44872/patch_management_burdens_customers/?fp=16&fpid=0