The Top Twenty Internet Security Vulnerabilities by xrh13975


The Top Twenty Internet Security Vulnerabilities
and
How To Get Rid Of Them
Agenda

Press Conference:
   Announcing the new Top 20 (Alan Paller)
   Governmental Leaders (Steve Cummings and Sallie McDonald)
   Testing For The Top 20 (Gerhard Eschelbeck and Alan Deane)
   Using The Top 20 in Procurement (Virginia Tech)
   Press Questions
Technical Briefing on The Top 20
   What damage and costs are enabled by these vulnerabilities?
   Best practice in eliminating them: The NASA and DoT stories
   How are the Top 20 determined?
   Understanding and blocking the vulnerabilities. (Erik Kamerling)
   Questions
Technical Briefing on Lessons Learned IN FISMA
The Slammer Worm

 January 2003
 75,000 victims in 10 minutes
 Attacked a vulnerability in SQL Server that
 was also embedded in other software
 Disabled ATM machines, disabled 911
 systems, disabled airline scheduling systems
Big problem is hidden vulnerability

 Although Beth Israel (hospital in Boston) had
 patched its SQL Server machines using Service
 Pack 3 in July, IT staff didn't anticipate the
 worm spreading through the vulnerable Microsoft
 Data Engine 2000 (MSDE) component, which was
 also affected by the SQL vulnerability and was
 installed on personal computers running Microsoft
 Office XP in the hospital's research area and in
 private offices. Those nonserver machines caused
 the slowdowns on the hospital's network.
              IDG News Service, January 27 2003
How do you stop worms?

 Eliminate the vulnerabilities, but how?
 Test for all vulnerabilities on some systems
 and send an audit report pointing out the
 problems?
 Test for all vulnerabilities on all systems and
 send an audit report containing all of the
 problems?
Best Practice In Eliminating
Vulnerabilities

Select the most critical subset of
vulnerabilities and systematically find and
eradicate them.
Select the next set and find and eradicate
them while continuing to monitor for the first
set reemerging on new or updated machines.
Select the next set ….
But what are the most critical
vulnerabilities?

 The ones that are being widely used in
 automated attacks.

 Only a few people have the experience
 needed to identify the commonly exploited
 vulnerabilities.
Examples of the Top Windows
Vulnerabilities

New: Outlook
Internet Information Server (IIS)
Microsoft Data Access Components (MDAC)
Microsoft SQL Server
Windows Peer to Peer File Sharing (P2P)

Each has multiple holes, and those are listed
in the Top 20 and continually updated
through the year.
Examples of Top UNIX/Linux
Vulnerabilities

 BIND (domain name service)
 RPC
 Apache
 Sendmail
 SNMP
 SSH
 OpenSSL
Action Plan

 Decide it is worth eradicating the critical
 vulnerabilities
 Find them
 Provide incentives for system administrators
 to eradicate them
 Require vendors to help keep your systems
 free of these vulnerabilities
Government Leadership

Steve Cummings, Director of the UK National
Infrastructure Security Co-ordination Centre
(NISCC)
Sallie McDonald, Director of Outreach
Programs for Infrastructure Protection, US
Department of Homeland Security (DHS)
Jim Harlick, Assistant Deputy Minister of the
Government of Canada's Office of Critical
Infrastructure Protection and Emergency
Preparedness (OCIPEP)
Security Industry Responds

 Gerhard Eschelbeck, Chief Technology
 Officer, Qualys
 Alan Deane, Vice President, Foundstone
Buyers Demand Vendor Support

 Randy Marchany, Director of VA-Scan and
 Chief Security Technologist for Virginia Tech
Press Questions
The Slapper Worm

 Sept. 2002
 Tens of thousands of victims
 Attacked SSL vulnerabilities in Linux Apache
 Web servers
 Collected victims in a network ready for use
 in DDoS attacks
Slapper victims act

 339 Slapper victim systems attack a US
 intelligence agency web site
 More than 1,000,000 packets per second
 Intelligence agency site knocked out from 9
 AM Friday to 11 AM Saturday
 339 is about 1% of Slapper’s 30,000 victims.
Code Red and Nimda

 150,000 to 300,000 victims
 Exploited a Microsoft IIS vulnerability
 Clean-up costs were $300-$600 per system.
 Adds up to $80 million in direct labor
 Left back doors
Code Red made 150,000 systems vulnerable
to instant attack by anyone on the web
Worms

  Enable DDoS attacks
  Cost a fortune to clean
  Steal passwords and
   leave back doors

   All made possible by
  common vulnerabilities
Economic Crime

 Changing web pages
 Stealing credit card numbers and other
 private data
 (Screenshot: a company denies a fallacious
 press release on its own website, "Appalled by
 the ruthless attempt to manipulate")
 More than 100 organizations report extortion…
 (Screenshot: 40 victims in 20 states)
 (Screenshot: organized crime groups in Russia and
 Ukraine)
Hacker Recreation


         Web Defacement
         Storage
         Cut-outs
How many .gov & .mil sites were
hacked in 100 days?
  Administrative Office of the U.S. Courts (www.mab.uscourts.gov)
  Army NE Region Civilian Personnel Operation Center (cpocner.apg.army)
  Army Signal Command (www.mears.redstone.army.mil)
  Washington, DC (www.ci.washington.dc.us)
  Defense Automated Printing Service (dodssp.daps.mil)
  DISA Information Systems Center (maestro.den.disa.mil)
  DOI US Bureau of Reclamation (www.mp.usbr.gov)
  DOI US DOI, Bureau of Land Management (adoptahorse.blm.gov)
  DoT National Transportation Safety Board (www.ntsb.gov)
  DoT United States Department of Transportation (stratplan.dot.gov)
  Energy Sandia National Laboratories (samt4831.sandia.gov)
  Federal Maritime Commission (www.fmc.gov)
  Government Printing Office (www.gpo.gov)
  Multistate Tax Commission (www.mtc.gov)
  NASA #2 Technical Info, Jet Propulsion Labs (NASA) (techinfo.jpl.nasa.gov)
  NASA Aviation Systems Division (www.aviationsystemsdivision.arc.nasa.gov)
  NASA LARC NASA (se-pc7.larc.nasa.gov)
  NASA National Aeronautics and Space Administration (toyota.gsfc.nasa.gov)
  NASA Technology Server, NASA (technology.nasa.gov)
  National Highway Traffic Safety Administration (www.nhtsa.dot.gov)
  National Institutes of Health (intra.ninds.nih.gov)
  National Library of Medicine SIS5 Server, NIH (sis5.nlm.nih.gov)
  MORE….
More .gov and .mil sites hacked

NOAA Central Administrative Support Center, NOAA (www.casc.noaa.gov)
NOAA National Oceanic and Atmospheric Admin (storms-dev.nos.noaa.gov)
NOAA National Oceanic and Atmospheric Administration (vortex.cmdl.noaa.gov)
NSF National Science Foundation (roga.nsf.gov)
U.S. Fish and Wildlife Service (www.fws.gov)
Uniformed Services University of the Health Science (bb.lrc.usuhs.mil)
Uniformed Services University of the Health Science (rcslinux.lrc.usuhs.mil)
US Navy Naval Computer and Telecommunications Station (med01.nctsw.navy.mil)
US Navy Jaxm Navy (www.jaxm.navy.mil)
US Navy Naval Ocean Systems Center (iph-nt5.nosc.mil)
US Navy Naval Pacific Meteorology and Oceanography Center, Yokosuka, Japan
(www.yoko.npmoc.navy.mil)
US Navy NLMOC Navy (jf.nlmoc.navy.mil)
US Navy www.nasjax.navy.mil (www.nasjax.navy.mil)
US Office of Surface Mining (feecomp.osmre.gov)
USGS United States Geological Survey (mrdata.usgs.gov)

Total reported and mirrored at attrition.org Aug 1 – Nov. 10, 2000:   37
By Spring, 2001 on average one new site was defaced every day:   100
 How could that many be defaced in such a short time?
A hacker is watching this young man through the young
man’s web cam.
The young man is reading words the hacker caused
to appear on the young man’s computer screen.
Major costs

 Worms for DDoS
 Economic crimes – primarily extortion
 Web defacement and loss of privacy
The Bottom Line

 A small number of vulnerabilities
 account for a large share of
 successful attacks.
Best Practice In Eliminating The
Top Vulnerabilities

 The NASA Case Story
NASA Is A Prime Target Of Attackers

 Large open network – 80,000 systems – of
 researchers
 High visibility web site – photographs from
 the space program
 Symbol of US power
 Technology of interest to governments and
 companies around the world
NASA’s program - part 1

Summer 1999 – identified high priority vulnerabilities
that could be tested remotely
Acquired a scanning tool
Tested all 80,000 systems quarterly
Computed ratio of vulnerabilities to machines
Started at 1.3.
Within 12 months the ratio was 0.16
Set an even lower goal of 0.01
Within 12 more months the ratio was 0.0068 (fewer
than 7 vulnerabilities per thousand systems)
NASA’s program – part 2

 9 months into the project, a second set of
 vulnerabilities was introduced with a target
 ratio of .25 vulnerabilities/system scanned
 Within six months the ratio was .097.
 Implemented a third and fourth series in
 FY02
 Resources are educated and prepared so
 new vulnerabilities can be eliminated almost
 immediately.
Proof that NASA's program works

 (Chart: Ratio of Successful Attacks to Hostile Probes,
 0% to 10%, plotted quarterly from 2000-Q2 through
 2001-Q4, two series: Agency and US-DoD)
Lessons learned

Give sysadmins time to fix problems before requiring
the first report to headquarters – allows sysadmins to
succeed (and become security heroes)
Using a series of sets of a limited number of
vulnerabilities allowed expertise to be developed and
tools to be shared for correcting the problems.
Plotting ratios of all NASA centers on the same chart
led to healthy competition.
Senior executives pay attention to the charts and the
resultant visibility empowers the sysadmins to act.
Does full-scale vulnerability testing
work just as well?

 A company experiences a penetration and senior
 management demands vulnerability testing.
 Vulnerability testing tools compete for customers
 based on the number of tests they run.
 Users do not know which tests to leave out, so they
 run all the tests.
 The complete scan report has 5-30 vulnerabilities
 per system.
 A 10,000 system scan can result in more than
 50,000 things to fix.
 Senior security or executive management sends the
 huge report to the sysadmins with a note saying they
 must be fixed “in six weeks.”
What happens next

 Sysadmins see certain defeat – consider
 quitting.
 They recognize senior management support
 allows them to fix the most critical
 vulnerabilities, so they start.
 They are pulled off the project for some more
 critical (marketing) short term project.
 Another penetration happens and the cycle
 begins again.
How does NASA’s approach help?

 Sysadmins can succeed because the job is
 one that can be finished quickly.
 Visible monitoring maintains attention and
 pressure to complete the task.
 Satisfaction rises
Key lessons from NASA

 Check every machine
 Start with a small set of vulnerabilities – those that
 are exploited most often
 Allow the system administrators to compete and win
 the race to remove the vulnerabilities
 When set 1 is fixed, start on set 2; continue testing 1.
 Use the capability and skills to remove critical new
 vulnerabilities rapidly
 Costs are surprisingly low: $30-40 per machine, and
 most of that is sysadmin labor.
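The NASA program above, the contrast with full-scale scanning, and the key lessons all come down to one bookkeeping loop: keep only the current critical set out of a full scan report, divide hits by machines scanned (clean machines count in the denominator), compare against the set's goal, rank the centers on one chart, and keep testing earlier sets after a new one starts. The Python below is an added example that implements that loop; it is not code from the briefing or from NASA. The inventory, the scan findings, the center names and the vulnerability identifiers (SET1-A, NOISE-1, ...) are constructed placeholders, not entries from the real Top 20; the goal ratios 0.01 and 0.25 are the ones the slides quote.

```python
"""NASA-style vulnerability eradication bookkeeping (added example).

Filters a noisy full-scan report down to the active critical set,
computes vulnerabilities per machine scanned per set and per center,
flags whether each goal is met, and ranks centers for the shared chart.
"""
from dataclasses import dataclass

# Hypothetical critical sets. IDs are placeholders, not real Top 20 items.
CRITICAL_SETS = {
    1: {"SET1-A", "SET1-B", "SET1-C"},
    2: {"SET2-A", "SET2-B"},
}
# Target vulnerabilities per machine scanned, as quoted in the briefing.
GOALS = {1: 0.01, 2: 0.25}

# Constructed inventory: every machine scanned, host -> center.
# Clean machines matter: they belong in the ratio's denominator.
INVENTORY = {
    "h1": "GSFC", "h2": "GSFC", "h3": "GSFC", "h4": "GSFC",
    "h5": "JPL", "h6": "JPL", "h7": "JPL", "h8": "JPL",
}


@dataclass(frozen=True)
class Finding:
    host: str
    center: str
    vuln_id: str


# Constructed full-scan output; most of it is noise the sysadmin would
# otherwise be told to fix "in six weeks".
FINDINGS = [
    Finding("h1", "GSFC", "SET1-A"),
    Finding("h1", "GSFC", "NOISE-1"),
    Finding("h2", "GSFC", "NOISE-2"),
    Finding("h5", "JPL", "SET1-B"),
    Finding("h5", "JPL", "SET2-A"),
    Finding("h6", "JPL", "SET2-B"),
    Finding("h6", "JPL", "SET1-C"),
    Finding("h7", "JPL", "NOISE-3"),
]


def prioritize(findings, set_number):
    """Keep only the findings that belong to one critical set."""
    wanted = CRITICAL_SETS[set_number]
    return [f for f in findings if f.vuln_id in wanted]


def ratio(findings, inventory, set_number, center=None):
    """Vulnerabilities per machine scanned for one set (optionally one center)."""
    hosts = {h for h, c in inventory.items() if center is None or c == center}
    if not hosts:
        return 0.0
    hits = [f for f in prioritize(findings, set_number) if f.host in hosts]
    return len(hits) / len(hosts)


def scorecard(findings, inventory, active_sets):
    """(set, center) -> (ratio, goal_met). Earlier sets stay in active_sets
    so they keep being tested after the next set is introduced."""
    centers = sorted(set(inventory.values()))
    card = {}
    for s in active_sets:
        for c in centers:
            r = ratio(findings, inventory, s, c)
            card[(s, c)] = (round(r, 4), r <= GOALS[s])
    return card


def ranking(findings, inventory, set_number):
    """Centers ordered best to worst on one set, for the shared chart."""
    centers = sorted(set(inventory.values()))
    return sorted(centers, key=lambda c: ratio(findings, inventory, set_number, c))


def report_size(findings, set_number=None):
    """Items a sysadmin receives: the whole scan, or just one critical set."""
    items = findings if set_number is None else prioritize(findings, set_number)
    return len(items)


if __name__ == "__main__":
    print("full report items:", report_size(FINDINGS))
    print("set 1 items:", report_size(FINDINGS, 1))
    for key, (r, met) in sorted(scorecard(FINDINGS, INVENTORY, [1, 2]).items()):
        print(f"set {key[0]} {key[1]}: ratio={r} goal_met={met}")
    print("set 1 ranking:", ranking(FINDINGS, INVENTORY, 1))
```

With the constructed data the full report carries 8 items but set 1 only 3; set 2's goal of 0.25 is met at GSFC (0.0) and missed at JPL (0.5), and the set 1 ranking puts GSFC ahead of JPL. The same structure scales to the quarterly runs described: feed each quarter's scan through `scorecard` and keep every completed set in `active_sets` so a reimaged machine that reintroduces a set 1 hole is caught.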
The Top 20 Internet Security
      Vulnerabilities
Started in July 2000

 Goal: Allow other organizations to get
 benefits NASA was experiencing
 First year: 10 items, no testing tools
 Second year: 20 items, some not testable,
 one testing tool.
 Third year: 20 items, all testable, seven tools
 including all the leaders
 This year: Updated lists.
How are they chosen?

 The team: Thirty people and organizations that have
 front line experience in red teaming and forensics
 and compromise-related activities (examples: NSA,
 NASA, SANS, CERT/CC).
 Each is invited to list the top twenty based on what
 they have seen as vehicles for successful attacks.
 The project leader (Jeff Campione of the Federal
 Reserve) compiles the first ranking
 The team reaches consensus
Action Plan

 Get management support for a project to reduce
 vulnerabilities
 Set up a sysadmin/security group to oversee the
 project and share techniques for correcting
 problems.
 Offer a Top 20 testing capability to all divisions for 90
 days before asking for results.
 Run quarterly tests. Set an organizational goal.
 Get management to reward organizational units that
 do the best job.
What Are The Top 20?

           Erik Kamerling,
           Top 20 Project
           Director
