In the second part of his article on CVE security holes, Compliant IT’s Brian Little looks at risk mitigation.
In the previous article, Hacking is Easy, we spoke about CVEs and how hackers use them to compromise systems and introduce malware, viruses, keyloggers, rootkits and so on into them.
Computer security experts say 2006 was the year hacking stopped being a hobby and became a lucrative profession. Hackers not only broadened their reach by attacking popular social networking sites, but they also diversified their product line by launching attacks through popular software applications such as PowerPoint and Adobe Reader.
So if CVEs are being exploited to this extent, these security flaws have to be managed, which makes vulnerability management one of our foremost priorities. Furthermore, the level of security achieved by removing CVEs from IT and network assets helps corporations to comply with regulations such as ISO 27001, GLBA, HIPAA, 21 CFR FDA 11, E-Sign, and SOX-404.
Certainly, vulnerability management is more than a network security solution; it is a real approach to total IT security. It is a process (based on hardware or software) that identifies, reports, tracks and optionally repairs different 'IT weaknesses'. It is a solution for preventing IT security problems caused by intentional or unintentional attacks. It is the tool for stopping vulnerabilities from being exploited. It is a way to mitigate the risk to enterprise IT.
A high-end vulnerability management solution must include the discovery and identification of all assets in the IT infrastructure. Vulnerability management must work in conjunction with the regulatory and/or compliance requirements of each specific industry (or vertical market). It must be performed frequently, as the number of vulnerabilities increases day by day, and must work with an updated and trusted database against which to check the vulnerabilities and their exploits.
The best summary is NIST's definition:
“Vulnerability management is a security practice designed to proactively prevent the exploitation of IT vulnerabilities that exist within an organisation. The expected result is to reduce the time and money spent dealing with vulnerabilities and exploitation of those vulnerabilities. Proactively managing vulnerability of systems will reduce or eliminate the potential for exploitation and involve considerably less time and effort than responding after an exploitation has occurred.” – NIST Special Publication 800-40 Version 2.0, November 2005.
Necessary countermeasures like firewalls or anti-anything tools (anti-virus, anti-spam, anti-spyware, etc.) are all reactive security tools, but a high-level security policy must include tools to find CVEs. Currently, there are more than 30 000 reported vulnerabilities, but only 20 000+ CVEs. CVEs can be consulted at several sources:
The MITRE Corporation, for example, is a not-for-profit organisation chartered to work in the public interest. MITRE works on systems engineering, information technology, operational concepts, and enterprise modernisation. MITRE has 5900 scientists, engineers and support specialists, 65% of whom have Masters or Ph.D. degrees. The MITRE Corporation maintains CVE, which is sponsored by US-CERT at the US Department of Homeland Security. The term CVE refers to the industry standard dictionary that provides common names for publicly known information security vulnerabilities and exposures. By assigning a common name to each CVE, the CVE standard makes it easier to share data across separate databases and tools that until now were not easily integrated.
Hacker methodology – exploit CVEs
All hackers, and the automated tools they have created, use the same methodology:
1. Footprint your servers, desktops and network infrastructure.
2. Scan for numbers of computers, open ports, services running.
3. Enumerate those servers and services they can find.
4. Penetrate those systems that have high-risk CVEs.
5. Escalate their privileges to become a super-user or administrator.
6. Pillage your information and customer records.
7. Get interactive, including installing helper software to let them back in later.
8. Expand influence by replacing trusted programs with backdoors.
9. Clean up their tracks, including firewall and server logs.
And if they want to disrupt your business, they will perform:
10. DoS (denial of service) attacks against you or others, using your resources.
Hacking an online bank’s data centre
“One strategy is to attack the hardware itself, exploiting notoriously glitch-prone Web systems to gain access to the servers running the bank’s online operations.
“Most banks run Unix Web servers or Microsoft IIS (Internet Information Server), and both are prone to remote attacks that can allow a hacker to take control of the server itself,” said David Ahmad, the moderator of the Bugtraq mailing list, one of the leading e-mail lists dedicated to reports of software vulnerabilities.
Companies including financial institutions subscribe to the list. “In seizing control of a server, security experts say, a hacker can also modify any trusted applications to perform malicious operations. An attack that manipulates such internal applications is more likely to escape notice by the network’s electronic guards. “Intrusion-detection systems only spot known attacks or behaviours that indicate a certain class of attack,” Ahmad said. “Attacks against a server might be detected, but a complex application-based attack might look like normal behaviour.”
It is crucial today to prevent vulnerabilities across the enterprise and remove your genetic defects. Knowing what they are, where they are on your network, and how to remove them is more important than sniffing packets and listening for burglars.
Take this opportunity to harden your network assets by using the following formula:
4. Test for the latest CVEs on a daily basis
5. Report on your CVEs on a daily, weekly or monthly basis (due diligence)
6. Remove all CVEs that you possibly can (due care)
7. Block at the Firewall and at the SmartSwitch (increase uptime)
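The process described above (identify assets, test them against a trusted vulnerability database, report, and remove what you can) is easier to see as code than as prose. The following is an added example written for this article, not code from Compliant IT, NetClarity or any scanning product. Every name in it is constructed: the asset inventory, the advisory feed, the CVE-EXAMPLE-* identifiers (placeholders, not real CVE numbers) and the remediation deadlines in SLA_DAYS are assumptions made for the illustration. It matches each installed product version against the feed's "fixed in" version, buckets findings by CVSS severity band, and flags those that have outlived their remediation deadline, which is the due-diligence (knowing) and due-care (removing critical ones) split the article draws.

```python
"""
Vulnerability-management pass over an asset inventory.

Constructed example: the inventory, the advisory feed and the CVE-EXAMPLE-*
identifiers below are placeholders, not real records. The matching rule
is "same product name and installed version below the fixed version",
which is how a simple version-range advisory is usually stated.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str


@dataclass(frozen=True)
class Advisory:
    cve_id: str
    product: str
    fixed_version: str   # installed versions below this are affected
    cvss: float          # base score 0.0 - 10.0
    published: date


@dataclass(frozen=True)
class Exposure:
    asset: Asset
    advisory: Advisory


# --- constructed sample data (assumed, not real products or CVEs) ----------
INVENTORY = [
    Asset("web01", "ExampleHTTPd", "2.4.3"),
    Asset("web02", "ExampleHTTPd", "2.4.10"),
    Asset("db01", "ExampleDB", "9.6.2"),
    Asset("pc-finance", "ExampleReader", "7.0.1"),
]

FEED = [
    Advisory("CVE-EXAMPLE-0001", "ExampleHTTPd", "2.4.8", 9.8, date(2024, 1, 5)),
    Advisory("CVE-EXAMPLE-0002", "ExampleDB", "9.6.5", 7.5, date(2024, 2, 20)),
    Advisory("CVE-EXAMPLE-0003", "ExampleReader", "7.0.2", 8.1, date(2024, 3, 1)),
    Advisory("CVE-EXAMPLE-0004", "ExampleHTTPd", "2.4.1", 5.3, date(2023, 11, 1)),
]

# Remediation deadlines in days per severity band (assumed policy values).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Date the daily report is run on (fixed so the example is reproducible).
REPORT_DATE = date(2024, 3, 10)


def version_key(v: str) -> Tuple[int, ...]:
    """Turn '2.4.10' into (2, 4, 10) so comparison is numeric, not lexical."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def severity_band(cvss: float) -> str:
    """Map a CVSS v3 base score onto the standard qualitative bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def find_exposures(inventory: List[Asset], feed: List[Advisory]) -> List[Exposure]:
    """Step 'test for CVEs': every asset running a version below the fix."""
    found = []
    for asset in inventory:
        for adv in feed:
            if adv.product == asset.product and \
                    version_key(asset.version) < version_key(adv.fixed_version):
                found.append(Exposure(asset, adv))
    # Highest score first so the report leads with what must be fixed now.
    found.sort(key=lambda e: (-e.advisory.cvss, e.asset.host))
    return found


def build_report(exposures: List[Exposure], today: date) -> Dict[str, object]:
    """Step 'report': counts per band, plus exposures that have passed their SLA."""
    counts = {band: 0 for band in SLA_DAYS}
    overdue = []
    for e in exposures:
        band = severity_band(e.advisory.cvss)
        counts[band] += 1
        age_days = (today - e.advisory.published).days
        if age_days > SLA_DAYS[band]:
            overdue.append((e.asset.host, e.advisory.cve_id, band, age_days))
    return {"total": len(exposures), "by_band": counts, "overdue": overdue}


if __name__ == "__main__":
    report = build_report(find_exposures(INVENTORY, FEED), REPORT_DATE)
    print(f"{report['total']} exposures by band: {report['by_band']}")
    for host, cve, band, age in report["overdue"]:
        print(f"OVERDUE  {host:<12} {cve}  {band}, {age} days since publication")
```

Two details matter in practice. Version strings must be compared numerically (`"2.4.10"` is newer than `"2.4.8"`, although a plain string comparison says otherwise), which is why web02 is correctly reported as clean. And the report is keyed on the advisory's publication date rather than on when the scanner first saw it, so an asset that was added late still shows the full exposure window.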
Hackers, viruses and worms cause billions in damages by using CVEs against us, and the damages are growing annually. How many CVEs do you have in your network? Is your computer network taking you out of compliance? Knowing whether you have any CVEs is the only way to find out and is considered due diligence. Removing critical CVEs is considered due care. Frequent and consistently scheduled security audits for CVEs, and their removal, are the only prudent thing to do as a proactive information security manager.
Gary Miliefsky – Founder and CTO NetClarity, CISSP, Holder of six e-commerce patents and 12 network security patents (published and pending)
Protecting Against Hackers, Viruses and Worms Copyright © 2005, NetClarity All rights reserved worldwide.