					                          Proactive Network Security



Vulnerabilities and Threats:
The Past, Present and Future
Mike Murray - Director of Vulnerability Research
March 29, 2006
Intro
•   The Past: Pen-Testing and Vulnerability Assessment
•   The Present: Vulnerability Management
•   The Future…
•   Disclaimers
    – Information Technology Focused
    – Vendor Neutral
• Objectives
    – Present information to help you understand your information
      security strategy today and tomorrow




                          Toronto Area Security Klatch
The Birth of Vulnerability Assessment

  1995        Dan Farmer: SATAN (open source)
  1996        ISS: Internet Scanner
  1996 – 98   Secure Networks: CyberCop (NAI ’98, EOL 2002)
              WheelGroup: NetSonar (Cisco ’98, EOL 2002)
              Axent: NetRecon (Symantec)
  1998        Renaud Deraison: Nessus (open source); eEye: Retina
  1999        Qualys: QualysScan (service)

  Vulnerability eras along the same timeline: Security Configuration
  Weakness, then The Age of the Buffer Overflow

Security Configuration Weaknesses
• The Earliest Discovery
   – Exploits mostly human weakness in setting up operating
     systems

• Simple class of attacks
   – Exploiting access control failures
       • Improper Directory permissions
       • Unrestricted access to servers
       • Failures in trust relationships
   – Grabbing password files
   – Incorrect program behavior
   – Debug Interfaces
• Attackers were unsophisticated
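As an added example (not part of the original talk), a small C audit for two of the access-control failures listed above: a directory anyone can write to that lacks the sticky bit, and a password-style file readable by group or other. The sample tree it builds under /tmp and the fake shadow entry it writes are constructed for the demonstration; the function names are the example's own.

```c
/* Added example, not code from the talk: audit two classic configuration
 * weaknesses with nothing but POSIX stat(2). */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if path is a directory writable by "other" and lacking the
 * sticky bit (anyone can plant or replace files in it), 0 if it is fine,
 * -1 if the path cannot be examined. */
int dir_world_writable_no_sticky(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    if (!S_ISDIR(st.st_mode)) return 0;
    return ((st.st_mode & S_IWOTH) && !(st.st_mode & S_ISVTX)) ? 1 : 0;
}

/* Returns 1 if a secret-bearing regular file (a shadow password file, say)
 * is readable by group or other, 0 if restricted to its owner, -1 on error. */
int secret_file_overexposed(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    if (!S_ISREG(st.st_mode)) return 0;
    return (st.st_mode & (S_IRGRP | S_IROTH)) ? 1 : 0;
}

/* Builds a throwaway tree (constructed sample, not real system paths) so
 * the checks can be exercised without touching /etc.  Writes the created
 * paths into the caller's buffers; returns 0 on success, -1 on failure. */
int make_sample_tree(char *bad_dir, size_t bad_dir_len,
                     char *secret, size_t secret_len)
{
    char tmpl[] = "/tmp/cfgaudit.XXXXXX";
    char *root = mkdtemp(tmpl);            /* unpredictable name, no race */
    if (!root) return -1;
    snprintf(bad_dir, bad_dir_len, "%s/dropbox", root);
    snprintf(secret, secret_len, "%s/shadow", root);
    if (mkdir(bad_dir, 0777) != 0) return -1;
    if (chmod(bad_dir, 0777) != 0) return -1;   /* world-writable, no sticky bit */
    FILE *f = fopen(secret, "w");
    if (!f) return -1;
    /* fake, constructed entry: not a real hash */
    fputs("root:$6$constructed$hash:19000:0:99999:7:::\n", f);
    fclose(f);
    if (chmod(secret, 0644) != 0) return -1;    /* readable by everyone */
    return 0;
}

int main(void)
{
    char bad_dir[256], secret[256];
    if (make_sample_tree(bad_dir, sizeof bad_dir, secret, sizeof secret) != 0) {
        perror("sample tree");
        return 1;
    }
    printf("%s: %s\n", bad_dir,
           dir_world_writable_no_sticky(bad_dir) == 1
               ? "WORLD-WRITABLE without sticky bit" : "ok");
    printf("%s: %s\n", secret,
           secret_file_overexposed(secret) == 1
               ? "READABLE by group/other" : "ok");
    return 0;
}
```

Fixing the two findings is `chmod 1777` on the directory (or removing other-write entirely) and `chmod 600` on the file; the checks return 0 once that is done.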

The Buffer Overflow
• Phrack 49 - November 8, 1996.
   – Aleph1 - Smashing the Stack for Fun and Profit


• The first truly sophisticated vulnerabilities start to emerge
   – Writing a buffer overflow exploit required knowledge of assembly and
     coding skill
   – Hackers now had to be more technical
• Readily available exploit code then makes breaking into
  computers easier
   – The “golden age” of server hacking begins.
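The defect Aleph One's paper describes, shown as an added C example (not code from the talk or from Phrack 49): an unbounded strcpy() into a fixed stack buffer beside a bounded replacement that rejects input that does not fit. NAME_MAX_LEN, the function names and the 64-byte probe string are assumptions made for the example.

```c
/* Added example, not from the talk: the shape of a stack buffer overflow
 * beside the bounded version.  greet_unsafe() is shown to make the defect
 * concrete; main() never calls it with oversized input, because doing so
 * corrupts the stack. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 16   /* assumed buffer size for the example */

/* Length of s, but never looking further than max bytes. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* Vulnerable: strcpy() stops at the NUL of its source, not at the end of
 * the destination.  A name of 16 or more characters overwrites whatever
 * sits above 'buf' on the stack, up to and including the saved return
 * address; that is the write Aleph One's shellcode rides on. */
void greet_unsafe(const char *name)
{
    char buf[NAME_MAX_LEN];
    strcpy(buf, name);                 /* no bound on the copy */
    printf("hello, %s\n", buf);
}

/* Hardened: the input is measured against the destination first, rejected
 * if it does not fit with its terminator, and copied with an explicit
 * bound.  Returns 0 on success, -1 if the input was rejected. */
int greet_safe(char *out, size_t out_len, const char *name)
{
    if (out == NULL || name == NULL || out_len == 0) return -1;
    size_t n = bounded_len(name, out_len);
    if (n >= out_len) return -1;        /* no room for the NUL */
    memcpy(out, name, n);
    out[n] = '\0';
    return 0;
}

/* Reports whether an input would have overflowed a NAME_MAX_LEN buffer,
 * which is what a scanner's "oversized field" probe is really testing. */
int would_overflow(const char *name)
{
    return bounded_len(name, NAME_MAX_LEN + 1) >= NAME_MAX_LEN;
}

int main(void)
{
    char buf[NAME_MAX_LEN];
    const char *short_name = "alice";
    char long_name[65];                 /* constructed: 64 'A's */
    memset(long_name, 'A', 64);
    long_name[64] = '\0';

    greet_unsafe(short_name);           /* fits, so this call is fine */
    printf("long input would overflow: %d\n", would_overflow(long_name));
    printf("greet_safe(short) = %d\n", greet_safe(buf, sizeof buf, short_name));
    printf("greet_safe(long)  = %d\n", greet_safe(buf, sizeof buf, long_name));
    return 0;
}
```

The boundary matters: a 15-character name fits a 16-byte buffer with its terminator, a 16-character one does not, so the check is `>=`, not `>`.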



Past: Vulnerability Assessment

  Delivery:             Point & Shoot Software
  Asset Architecture:   Run-to-completion Scripts (NASL, FASL, CASL, etc.)
  Design Objective:     Hyper-Focused on finding Vulnerabilities
  Principles:           Invasive and Proud of it
  Skill Level of User:  Subject Matter Expert Required
  Functional Goal:      Find Vulnerabilities

The Birth of Vulnerability Management (agent-less)

  2001   IP360 (product)
  2002   Foundscan (service/product); QualysScan (service/product)
  2003   REM/Retina (product)
  2004   Lightning Console/Nessus

  Threat trend along the same timeline: Buffer Overflows Increase in
  Sophistication; New Attack Vectors Emerge

Memory Attack Sophistication
• Buffer overflows become more sophisticated
   – Polymorphic shell-code
   – More advanced use of memory spaces
   – Design to evade detective controls


• Other memory-based attacks
   – Format String attacks
   – Integer Overflow attacks
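An added C example (not from the talk) for the two other memory-based attack classes listed above: user text passed straight to printf() as the format, beside the constant-format version; and a count-times-size allocation computed in 32 bits, beside a checked multiply. The attacker strings and sizes are constructed for the demonstration; all function names are the example's own.

```c
/* Added example, not from the talk: format string and integer overflow,
 * each as the defective call beside its fix. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ---- Format string ---------------------------------------------------- */

/* Vulnerable: the user's text *is* the format.  "%x%x%x" reads stack words
 * back to the attacker; "%n" writes the count of characters emitted so far
 * through a pointer pulled off the stack.  Kept only for contrast; never
 * called below.  The pragmas silence the compiler's own warning about it. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
void log_unsafe(const char *user_text)
{
    printf(user_text);
}
#pragma GCC diagnostic pop

/* Fixed: the format is a compile-time constant and user text is only ever
 * an argument.  Rendered into a buffer so the result can be inspected;
 * returns the length the full message needs, as snprintf does. */
int log_safe(char *out, size_t out_len, const char *user_text)
{
    return snprintf(out, out_len, "%s", user_text);
}

/* ---- Integer overflow ------------------------------------------------- */

/* Vulnerable pattern: count * size is computed in 32 bits and wraps, so a
 * tiny buffer is allocated for what the caller believes is a large one and
 * the copy that follows runs off its end. */
uint32_t bytes_needed_unchecked(uint32_t count, uint32_t size)
{
    return count * size;                /* wraps silently past 2^32 */
}

/* Fixed: the product is checked before it is trusted.
 * Returns 1 and stores the product on success, 0 on overflow. */
int checked_mul_u32(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a != 0 && b > UINT32_MAX / a) return 0;
    *out = a * b;
    return 1;
}

/* Allocation that refuses wrapped sizes; NULL means rejected or OOM. */
void *alloc_array(uint32_t count, uint32_t size)
{
    uint32_t total;
    if (!checked_mul_u32(count, size, &total)) return NULL;
    return malloc(total);
}

int main(void)
{
    char buf[64];
    const char *probe = "%x%x%x%n";            /* constructed attacker string */
    log_safe(buf, sizeof buf, probe);
    printf("safe log: %s\n", buf);              /* the literal text, no expansion */

    uint32_t count = 0x10000, size = 0x10000;   /* 65536 records of 64 KiB */
    printf("unchecked bytes: %u\n", (unsigned)bytes_needed_unchecked(count, size));
    void *p = alloc_array(count, size);
    printf("checked alloc: %s\n", p ? "allocated" : "rejected (overflow)");
    free(p);
    return 0;
}
```

The same count-times-size wrap is why "design to evade detective controls" works against size-based signatures: the request that reaches the allocator looks tiny.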




New Attack Vectors Emerge
• Web-based applications become a target
   – As web-apps become common, researchers target web apps
   – SQL Injection, XSS, access control breaches
   – Data driven attacks


• Begin to see browser attacks
   – Internet Explorer proves vulnerable




From the Past to the Present

  Delivery:             Point & Shoot Software  →  Infrastructure: Centrally Managed, Always On
  Asset Architecture:   Run-to-completion Scripts (NASL, FASL, CASL, etc.)  →  Advanced Scripts and High Level Languages
  Design Objective:     Hyper-Focused on finding Vulnerabilities  →  Find Defects and Manage to Resolution
  Principles:           Invasive and Proud of it  →  Non-Invasive & Continuous
  Skill Level of User:  Subject Matter Expert Required  →  Technical Expert Required
  Functional Goal:      Find Vulnerabilities  →  Find Vulnerabilities and Manage them through a lifecycle
The Present

  2005          nTellect (product)
  2005 – 2006   SIH (product)
  (timeline continues to 2007)

  Threat trend along the same timeline: Client Side Attacks Are Key;
  Human attacks increase

Client-side attacks
• Microsoft hardens their operating systems
   – As the massive server-based vulnerabilities disappear, client
     interaction becomes key
   – The majority of issues we see now affect the client


• Major exploits require user-interaction
   – Email
   – Web-page viewing
   – Opening of attachments




Human Weakness
• Attacks rely on social engineering
   – Phishing
   – Spyware/Adware/bot installations
   – “Exploiting by providing value”


• We have come full-circle
   – Humans are, in general, weaker than computers.




Present: Vulnerability Management

  Delivery:             Infrastructure: Centrally Managed, Always On
  Asset Architecture:   Advanced Scripts and High Level Languages
  Design Objectives:    Find Defects and Manage to Resolution
  Principles:           Non-Invasive & Continuous
  Skill Level of User:  Technical Expert Required
  Functional Goals:     Find Vulnerabilities and Manage them through a lifecycle


• Gartner’s "grand unified theory of security" has defined
  Vulnerability Management as one of four high-level security
  processes that are key to the effectiveness and efficiency of
  enterprise security.

Creating a Balanced Security Ecosystem
  “Current enterprise security spending tends to be focused on reactive
  technologies more than proactive technologies” – Amrit Williams, Gartner

  Proactive: “Shrink the Targets”         Reactive: “Stop the Bullets”
    Asset Intelligence & Risk Reduction     Blocking & Event Mgmt.
    Light Spending                          Heavy Spending

  NAC sits between the two halves.

Measure, Manage, & Reduce Risk
• Obstacles
   – An enumeration of vulnerabilities is, by itself, an insufficient data set
   – The consumer of this information is no longer the security geeks
   – Risk related information is fragmented and out of sync


• Requirements for the future
   – Risk related Intelligence that allows for proper preemptive, preventive,
     and protective actions to be taken
   – Risk related Intelligence integrated with both other technologies and
     the processes of the enterprise
   – Risk related Intelligence that drives the decision-making ability of the
     business
   – Less is more

Managing Risk Across the Enterprise

  Risk is a function of four factors:
    Vulnerability, Threat, Countermeasure, and Valuation

  [Ira Winkler & Dan Ryan]
Definitions
• Vulnerability, n.
   – “The quality or state of being vulnerable”

• Threat, n.
   – “Intelligence of something that is a source of danger”

• Countermeasure, n.
   – “an action taken to offset another action”

• Valuation, n.
   – “the act of estimating value or worth; the value set upon a thing”

From the Present to the Future

  Delivery:             Infrastructure: Centrally Managed, Always On  →  Infrastructure: Distributed
  Asset Architecture:   Advanced Scripts and High Level Languages  →  Ontology of end-point state
  Design Objective:     Find Defects and Manage to Resolution  →  Expert system providing intelligence and automation
  Principles:           Non-Invasive & Continuous  →  Observe, Orient, Decide and Act
  Skill Level of User:  Technical Expert Required  →  All Levels of the Organization
  Functional Goal:      Find Vulnerabilities and Manage them through a lifecycle  →  Provide the Security Intelligence needed to measure, manage and reduce operational risk
Requirements for Future Security Intelligence
•   Considerations
     – Breadth of data to be considered
     – Depth of knowledge to be understood
     – Speed required for decision making

•   Functional Objectives
     – Remote Discovery of IPs, Ports, Services, Applications, Vulnerabilities,
       Operating Systems
     – Discovery of Network Transit Paths and Countermeasures (vertices for all
       nodes)
     – Target System Valuations
     – Integrated Counterintelligence on the Threat
     – Continuous, Scheduled, Triggered, and Ad hoc discovery
     – Use of Baselines and Benchmarks (NIST SP 800-70)
     – Open Bi-directional Integration of Functionality and Intelligence
     – Complete and Total Integration with the Business Intelligence Systems

Requirements for Future Security Intelligence

  Measure, Manage, and Reduce Operational Risk through Security Intelligence

Foreshadowing
• The biggest upcoming threat is mobile devices
   – “Pod Slurping”
   – Mobile Manager devices
   – Massive storage, low profile devices
• Generally developed without security controls in place
   – Designed for the mass market


• We are not prepared.




Thank you



     mmurray@ncircle.com

     http://blog.ncircle.com


