Vulnerabilities
• flaws in systems that allow them to be exploited
   • provide means for attackers to compromise hosts, servers and networks

Vulnerabilities
• 2 flavors
   • bugs – programming mistakes
      • errors in code that could cause a system to hang, enter an insecure state or allow root access
      • incorrect firewall/router/IDS rules
   • flaws – improper design
      • failing to account for all possibilities in design leads to code with vulnerable ‘features’

Vulnerabilities
• 2-edged sword
   • publishing vulnerabilities and patches is the only way to fix the problem
   • once published – the network of hackers is aware of the vulnerability
   • patch management is a MAJOR security problem!

Vulnerabilities
• ‘Security by Obscurity’
   • attempts to use secrecy to prevent knowledge of vulnerabilities
   • vendors of proprietary code are often accused of this
• zero-day attack
   • attack takes place during the window between when a vulnerability becomes known and when a patch is available

Between a ‘rock and a hard place’
• what do you do if you discover a vulnerability in a product and a patch is not available?
   • do you keep it secret until a patch is developed?
      • this leaves customers vulnerable
      • the vendor may not work to fix it since there is no pressure
   • do you publicize it to put pressure on the vendor?
      • knowing that by doing so you have notified all of the hacker community

Between a ‘rock and a hard place’
Example 1:
• in 2009 Microsoft announced a vulnerability in the SMB subsystem that could leave servers vulnerable to a DoS attack
   • there was no patch yet
   • IT managers had two choices
      • disable SMB – meaning some systems would not work
      • wait for the patch and pray there would not be an incident

Between a ‘rock and a hard place’
Example 2:
• in 2008 a Mass. district judge ordered MIT students NOT to present information at DefCon regarding a vulnerability in the MTA ‘CharlieTicket’ system
• the judge said the intent was not to silence the students but to enforce a reasonable period during which a fix could be found
• the gag order was overturned, but not until after DefCon had concluded
   http://www.informationweek.com/news/security/vulnerabilities/210002185

Vulnerability Management
• many strategies for managing vulnerabilities
   • vulnerability scanners
   • vulnerability notification
   • vulnerability information online through CERT
   • vulnerability and penetration testing services
• these go hand-in-hand with adequate patch management

Vulnerability Scanners
• programs that scan a network, host or application for known vulnerabilities
   • types
      • port scanner – looks for open ports (nmap)
      • network enumerator – provides information on groups, usernames, shares and services (nmap and Nessus)
      • network vulnerability scanner – looks for vulnerabilities in network resources and servers (Nessus, SAINT)
      • Web application security scanner – looks for vulnerabilities in Web servers and scripts (SAINT, Metasploit Pro)
      • database security scanner – looks for vulnerabilities in DBMS and SQL code (Safety Lab Shadow)

Vulnerability Notification
• many vendors will either mail a notification or post to a Web site when a vulnerability has been found and how to patch it
• services exist that maintain vulnerability lists for multiple products and will provide notification
   • with many of these you provide a list of the software and versions in your organization

Vulnerability Notification
• examples
   • Vupen Security vulnerability services
   http://www.vupen.com/english/services/
   • SecureNet Solutions vulnerability notification service
   http://www.securenetsol.com/am_trial_terms.html
   • Secunia CSI free for home users
   http://secunia.com/vulnerability_scanning/personal/

Vulnerability Notification
• CERT (Computer Emergency Response Team) at CMU
   • provides a weekly list of known vulnerabilities
   • the organization’s security team matches its inventory of software and versions to this list
   http://www.cert.org/advisories/
   http://www.us-cert.gov/cas/bulletins/

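The inventory-to-advisory matching described above, as an added example that is not part of the original slides: a constructed advisory list (product, first affected version, first fixed version) is matched against a constructed software inventory, comparing versions numerically so that 2.9 is correctly treated as older than 2.11. Product names, versions and advisory IDs are made up for the demo.

```python
# Added example (not from the original slides): match a software inventory
# against an advisory list, the way a security team would use the weekly
# CERT bulletin. Products, versions and advisory IDs are constructed data.
import re

# Constructed advisory feed: product, first affected version, first fixed version.
ADVISORIES = [
    {"id": "ADV-0001", "product": "ExampleMTA", "affected_from": "2.0", "fixed_in": "2.11"},
    {"id": "ADV-0002", "product": "ExampleDB", "affected_from": "9.0", "fixed_in": "9.4.2"},
    {"id": "ADV-0003", "product": "ExampleDB", "affected_from": "10.0", "fixed_in": "10.1"},
]

# Constructed inventory: what the organization actually runs.
INVENTORY = [
    {"host": "mail-01", "product": "ExampleMTA", "version": "2.9"},
    {"host": "mail-02", "product": "ExampleMTA", "version": "2.11"},
    {"host": "db-01", "product": "ExampleDB", "version": "9.4.1"},
    {"host": "db-02", "product": "ExampleDB", "version": "10.1"},
]

def version_key(version):
    """Turn '9.4.1' into (9, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def is_affected(adv, version):
    """Affected if affected_from <= version < fixed_in (numeric comparison)."""
    v = version_key(version)
    return version_key(adv["affected_from"]) <= v < version_key(adv["fixed_in"])

def match_inventory(inventory, advisories):
    """Return (host, product, version, advisory id) for every vulnerable install."""
    hits = []
    for item in inventory:
        for adv in advisories:
            if adv["product"] == item["product"] and is_affected(adv, item["version"]):
                hits.append((item["host"], item["product"], item["version"], adv["id"]))
    return hits

if __name__ == "__main__":
    for host, product, version, adv_id in match_inventory(INVENTORY, ADVISORIES):
        print(f"{host}: {product} {version} is affected by {adv_id}")
```

A string comparison would rank "2.9" above "2.11" and miss mail-01; the numeric key is what makes the match reliable.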
Threats – the counterpart to vulnerabilities
• threats exploit vulnerabilities
   • vulnerability – you left your car unlocked
   • threat – criminals going through shopping center parking lots looking for unlocked cars
• Fortinet’s FortiGuard Center Threat Research and Response Center provides threat reports and advisories
   http://www.fortiguard.com/
   • awareness of the threat landscape can help to prioritize vulnerabilities

Top 3 Application Vulnerabilities
1 – buffer overflow
   • software may not enforce array bounds
   • can allow buffers (arrays used for I/O) to overflow and overwrite the code area
   • some malware works this way – ‘smashing the stack’
   • mainly aimed at systems that allow code to be executed with privileged rights
   • best addressed in design and programming
   • patches can often fix this in vendor-supplied software
   http://www.windowsecurity.com/articles/Analysis_of_Buffer_Overflow_Attacks.html
   http://www.youtube.com/watch?v=kZZgNnhxA_4 (6 min)

Top 3 Application Vulnerabilities
According to CERT
2 – cross-site scripting
   • code is injected into communications from a Web site
   • most ‘drive-by’ malware uses this method
   • often relies on social engineering to get the user to follow a link (banks are especially targeted)
   • Web script writers can validate input and cleanse output
   • script disabling (although not always practical)
   • use of a least-privilege account
   http://www.ibm.com/developerworks/tivoli/library/s-csscript/

Top 3 Application Vulnerabilities
According to CERT
3 – SQL injection
   • commands passed through a Web form to the SQL DBMS
   • can exploit lack of security and gain control of the server
   • solution is to add code to validate input
   http://www.youtube.com/watch?v=jMQ2wdOmMIA (3 min)

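The input-validation and output-cleansing fixes named for cross-site scripting and SQL injection above, as one added example that is not from the original slides: a small comment store in which form input reaches the DBMS as a bound parameter (the parameterized-query form of the “validate input” fix, which goes beyond what the slide names) and stored text is HTML-escaped before it is rendered. The table, the sample comment and the hostile input are constructed for the demo.

```python
# Added example (not from the original slides): a tiny comment store showing
# the two fixes the slides name. Storing uses a parameterized query (so form
# input is data, never SQL), and rendering escapes output (so stored text is
# never interpreted as script by the browser). Table and inputs are constructed.
import html
import sqlite3

def open_db():
    """In-memory SQLite database with one constructed 'comments' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    return conn

def add_comment_unsafe(conn, body):
    """The vulnerable pattern: form input concatenated straight into the SQL text."""
    conn.execute("INSERT INTO comments (body) VALUES ('" + body + "')")

def add_comment(conn, body):
    """Hardened: the DBMS receives the statement and the value separately."""
    conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))

def render_comments(conn):
    """Hardened output: every comment is HTML-escaped before it reaches a page."""
    rows = conn.execute("SELECT body FROM comments ORDER BY id").fetchall()
    return "".join(f"<li>{html.escape(body)}</li>" for (body,) in rows)

def demo():
    """Returns (unsafe insert failed?, rows actually stored, rendered HTML)."""
    conn = open_db()
    # Constructed input mixing a quote (SQL metacharacter) and a script tag (XSS).
    hostile = "O'Brien <script>alert(1)</script>"
    try:
        add_comment_unsafe(conn, hostile)   # the quote breaks the SQL string literal
        unsafe_failed = False
    except sqlite3.Error:
        unsafe_failed = True
    add_comment(conn, hostile)              # stored verbatim, as data, by the safe path
    stored = conn.execute("SELECT body FROM comments").fetchall()
    return unsafe_failed, stored, render_comments(conn)

if __name__ == "__main__":
    print(demo())
```

The unsafe path fails on an ordinary name containing an apostrophe, which is the same defect an attacker abuses; the safe path stores it intact and the escaped rendering contains no live `<script>` tag.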
Vulnerability Management
• Gartner defines 6 steps for vulnerability management
   • Define policy
   • Baseline the environment
   • Prioritize vulnerabilities
   • Mitigate vulnerabilities
   • Maintain and monitor

Patch Management
• requires a coordinated effort
   • knowing which patches are available
   • testing patches
   • scheduling patch installation
   http://www.patchmanagement.org/pmessentials.asp
• however – many systems remain unpatched
   • some applications (such as Firefox) push patches
   • others (such as Adobe) allow users to decide

Patch Management
• although recognized as a major security problem – patch management is seen as a burden by traditional IT management
   • it sucks up resources
   • it adds nothing to the bottom line
   http://www.computerworld.com.au/article/44872/patch_management_burdens_customers/?fp=16&fpid=0

				