In This Issue
Tech Talk | News & Articles | Reader Q&A | Announcements | Etcetera

Tech Talk
Technology and the Vulnerability Lifecycle
Protecting a network from attacks requires multiple layers of defense along the lifecycle of the vulnerabilities that these attacks leverage. The lifecycle of vulnerabilities refers to the various stages that network systems go through as vulnerabilities are discovered, patches developed, remediation applied and protection monitored. Multiple layers of technology are required through the lifecycle, including, for example, technology that looks for anomalies and uncovers zero-day attacks. IPS technologies can be deployed to protect against both known and unknown attacks. Vulnerability scanners can locate and alert you to vulnerabilities that require administrative effort to close. Remediation suites can assist in patching and deploying policy fixes to close vulnerabilities once they are located.
Process is an equally important aspect of how the vulnerability lifecycle can affect your organization. Having a process in place to discover new vulnerabilities in a timely manner is critical. In addition, having one to locate existing vulnerabilities is important as well. Closing those holes requires a different process. There are a variety of services available to your organization to help you design and implement these processes in a way that is tailored to your organization.
TECHNOLOGY: Don't Use a Hammer When You Need a Screwdriver
There are numerous types of "security" technologies available to an IT administrator. Many help protect the network in a passive manner; others take a more active stance in protection, and some deal with data integrity and protection. This article focuses on technologies that specifically deal with vulnerabilities, rather than security products as a whole. Network monitoring tools are the first layer of defense against attack. Network uptime monitors give a network administrator visibility into what devices are out there and the current status of those devices. This is the basis on which all other network security decisions should be made. Other monitoring tools, such as network sniffers or network traffic analyzers, give very detailed information about the traffic occurring on a network. These products give packet- and stream-level data to an administrator, allowing deep analysis of anomalous traffic and the ability to locate new attacks as they occur, potentially in real time.
The second layer of defense is the IDS and IPS layer. These devices are located on the network and on hosts in the network to protect hosts from attacks. IDSs typically focus on detecting attacks, while IPSs focus on protecting networks from attacks. IDSs can typically monitor larger chunks of the network, while IPSs tend to focus on individual devices in a protective mode. There are hybrids that provide both detection and protection functions, in addition to numerous other security-related features. One important thing to remember is that many of these solutions rely on signatures, which only cover vulnerabilities that have been made public. Zero-day vulnerabilities can slide past many of these devices unless they are designed to protect against both known and unknown attacks via protocol analysis and layered defense.
The third layer of defense is active vulnerability scanning, which can locate new devices on your network and provide an 'attacker-level' view of your network. It can give deep vulnerability analysis of hosts under your control. This layer of defense is important for maintaining vigilance over your network. Even with the tightest firewall rule set and layer after layer of security, without consistent auditing there is no proof that the technologies you rely on to secure your network are protecting you as you think they are. Additionally, checking repeatedly will ensure that no new threats pop up on your network that may have otherwise gone undetected.
The final layer of vulnerability lifecycle management technology is the remediation suite. The purpose of a remediation suite is to offer a toolkit to an administrator to quickly and easily fix security related problems on their network. This has been traditionally used in an IT setting for systems management and patch deployment, but is increasingly useful in a security context. These tools offer broad capabilities to help close the holes.
PROCESS: Walking the Walk
Process fills in the gaps where technology can never truly reach. This covers the human aspect; having trained people who are good at what they do is of the utmost importance. Training and consulting can help fill the gaps if your organization is lacking anywhere. Process should be in place for various aspects of the vulnerability lifecycle.
The first process to have in place is an incident response policy. This is the unfortunate protocol that goes into effect once an attack has succeeded and you need to collect information and ensure the integrity of the rest of your network. This is often overlooked until it becomes needed, and many people, not realizing that the rest of their IT security infrastructure can fail, think they won't need one. It is wise to follow the Boy Scout motto and "be prepared".
The next process to consider is a vulnerability knowledge process. This process dictates how you learn details about vulnerabilities and how you build plans to deal with those vulnerabilities. Some people choose to read trade magazines -- while it is true that large-scale vulnerabilities can reach these, often by that time it is too late to deal with the vulnerability. Free notice lists, such as Bugtraq and Secunia, are a great resource to keep up to date. There are also subscription notice services that will give you additional data, but often you are simply buying summary reports of free sources.
eEye has devoted a large amount of intellectual resources to bug discovery, and our research site often has details available nowhere else. Visit www.eeye.com/research for more information.
Another process to take into account is a vulnerability discovery process or audit process. This tells you when and what should be checked and re-checked in a security audit. This can be done internally by penetration test teams, or outsourced to a consulting company. There are many managed service providers (MSPs) that offer this process for a monthly service fee.
The final process to consider is the vulnerability remediation process. This tends to tie in with the vulnerability discovery process, as vulnerabilities discovered there should be remediated according to this process. This is the process that most closely needs to fit an IT organization's internal rules for patch scheduling and uptime requirements. Many patches and fixes can cause downtime to apply and must be scheduled to fit existing windows. Remediation tools can help this process. Additionally, results from this process should be double-checked with an additional vulnerability discovery run to make certain the holes were in fact closed.
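One way to carry out the double-check the remediation process calls for, as an added example that is not part of the newsletter or eEye's tooling: diff the pre-remediation scan against the post-remediation re-scan and against what the remediation tool itself claims it fixed, so the re-scan rather than the tool decides whether a hole is closed. The scan line format, host names and check ids are constructed.

```python
# Added example (not the newsletter's or eEye's code): reconcile a remediation
# cycle from a pre-remediation scan, a re-scan and the remediation tool's
# own "fixed" report. Scan format and all values below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Finding:
    host: str
    port: int
    check_id: str  # scanner's id for the vulnerability check (constructed)


def parse_scan(text):
    """Parse constructed 'host,port,check_id' lines into a set of Findings."""
    findings = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        host, port, check_id = (field.strip() for field in line.split(","))
        findings.add(Finding(host, int(port), check_id))
    return findings


def reconcile(before, after, claimed_fixed):
    """Classify findings after remediation; the re-scan, not the tool, decides."""
    return {
        "closed": sorted(before - after),             # gone on re-scan
        "still_open": sorted(claimed_fixed & after),  # tool says fixed, scanner disagrees
        "unaddressed": sorted((before - claimed_fixed) & after),  # never touched
        "new": sorted(after - before),                # appeared since the first scan
    }


# Constructed sample scanner output (host,port,check_id).
BEFORE_SCAN = "web1,80,CHK-0001\nweb1,443,CHK-0002\ndb1,1433,CHK-0003"
AFTER_SCAN = "web1,443,CHK-0002\ndb1,1433,CHK-0003\nfiles1,445,CHK-0004"
# What the hypothetical remediation tool reported as patched.
CLAIMED_FIXED = "web1,80,CHK-0001\nweb1,443,CHK-0002"


def remediation_report():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(parse_scan(BEFORE_SCAN), parse_scan(AFTER_SCAN),
                     parse_scan(CLAIMED_FIXED))


if __name__ == "__main__":
    for bucket, findings in remediation_report().items():
        print(bucket, [f"{f.host}:{f.port} {f.check_id}" for f in findings])
```

Anything in "still_open" is a patch that did not take (or a tool that reported success wrongly) and belongs back in the remediation queue; "new" is what the repeated discovery run is there to catch.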
In summary of this series, I would like the reader to understand the vulnerability lifecycle, how it affects them, and the tools they have at their disposal to help. There is often a misunderstanding of how all of this comes together, and I hope that we have brought the pieces a bit closer in understanding. The correct use of vulnerability knowledge, planning, and tools should greatly reduce your organization's risk from the next vulnerability to hit the net.
For more information on ways to secure your network before, during and after an attack please visit www.eeye.com.
Source: Ryan Permeh, Senior Software Engineer, eEye Research Team

News & Articles
The following articles represent the opinions of their respective authors. They do not necessarily represent the opinions of eEye Digital Security.
SecurityProNews.com: Corporations Slow To Install SP2
"A study conducted by AssetMetrix determined a large number of corporate PCs have been slow to install Microsoft's Windows XP Service Pack 2."

eWeek: 'High Risk' Flaws Found in IE, Outlook
"A pair of newly discovered security flaws in Microsoft's Internet Explorer and Outlook programs could put millions of users at risk of code execution attacks, a private research outfit warned Thursday."

Washington Post: No More Excuses for Internet Fraud
"They say there's a sucker born every minute, and it seems like most of them have e-mail accounts. But don't blame technology. Common sense is every computer user's responsibility."

Computerworld: Hackers Plot More Phishing, Mobile Viruses
"More than 1,000 vulnerabilities were discovered in the first quarter of this year, a 6% increase from a year earlier, McAfee said. And the outlook for the remainder of the year is not very reassuring, considering what the hackers have in store."

Reader Q&A
Q: Should I Expect More Microsoft IIS 6 Vulnerabilities?
A: Predicting whether Microsoft IIS 6.0 has unexposed vulnerabilities or not is similar to trying to predict the future. Although any investor can tell you that past performance does not guarantee future results, so far IIS 6 has had a moderate track record. The ASP .Net authentication bypass (reported by Toby Beaumont of creator.co.uk), the MSASN1 vulnerabilities (reported by eEye), and the WebDAV XML denial-of-service (reported by Amit Klein of Sanctum) are the most notable vulnerabilities that affected IIS 6, although there have been cross-site scripting and information disclosure finds as well.
IIS 6.0 is obviously perceived as being a more secure product than its predecessors, mostly due to the relatively abundant, high-profile insecurities of IIS 4.0 and 5.0. Given the amount of resources Microsoft spent securing it, it would be a shame if this were not true. But we're not aware of any public, third-party security audits of IIS 6.0 having been performed, so it's uncertain whether the product has no vulnerabilities, or they're simply not being discovered and publicized. Perhaps too many security researchers find thoroughly auditing a web server, for free, too daunting a task to undertake. Most of the IIS 4.0 and 5.0 vulnerabilities were due to security problems that are well understood today by programmers and testers alike, and would be humiliating if seen in IIS 6.0, so a cursory "fuzz test" alone shouldn't turn up anything. Or perhaps IIS vulnerabilities became a dull topic following the lessons demonstrated by researchers in IIS 5.0. Following the release of Windows Server 2003, remote vulnerabilities in Windows itself took center stage -- DCOM, Messenger, RPC, MSASN1, Workstation, LSASS, and SMB -- and largely replaced remote IIS vulnerabilities as the most popular area of research.
In short, the answer to whether or not IIS 6.0 contains vulnerabilities is either "yes" or "maybe". Hopefully independent security researchers -- including eEye's -- will find the interest and motivation to thoroughly audit IIS 6.0 and in doing so, give its users a better idea of its security stature.
Have a question you would like answered? Send it to versa@eEye.com, and win an eEye t-shirt if we select your question for an upcoming newsletter.

Announcements
Release: eEye Launches Free Retina WiFi Scanner to Address the Growing Business Concern of Wireless Network Security
eEye has announced the availability of Retina WiFi, a free network scanning utility that detects the presence of wireless devices located within the network or connected wirelessly to the network. This tool will detect rogue mobile devices and transmitting laptops, and with its advanced reporting capabilities, provide the means for businesses to assess their wireless security posture.

Announcement: eEye's Blink Selected as Finalist for the 2005 Codie Awards
Presented by the Software & Information Industry Association (SIIA), the Codie Awards celebrate achievement and vision in software, education technology and digital content. Blink is nominated in the category Best Enterprise Security Solution. SIIA members can cast their votes until April 30th.

Announcement: eEye's Retina and Blink Nominated for the WindowsITPro Readers' Choice Awards
Blink is nominated in the category 'Intrusion-Detection and Prevention Software', and Retina in the category 'Vulnerability Scanner'. Voting ends May 2nd, and the results will be published in the September issue of Windows IT Pro.

Webinar: Vulnerability Expert Forum
eEye Digital Security will be hosting special web seminars focusing on the recently announced critical vulnerabilities. Prospects, customers and partners are invited to participate in these discussions with eEye's vulnerability experts, where we explore the impact high-risk vulnerabilities and exploits have on network environments and infrastructures. Our experts will provide in-depth knowledge about these issues and the solutions eEye Digital Security provides to detect and protect against current and future critical security weaknesses.

Etcetera
Man Unearths MoD Secrets at Rubbish Dump
A Hampshire man has found sensitive Ministry of Defence plans on a laptop he was given at a rubbish dump. A subsequent investigation of the PC revealed "70 top-secret files" giving details of contingency plans at Army and Navy bases about what to do in the event of a terrorist attack.

Carjackers Wipe Biometric Merc, Plus Owner's Finger
A Malaysian businessman has lost a finger to car thieves impatient to get around his Mercedes' fingerprint security system. Accountant K Kumaran, the BBC reports, had at first been forced to start the S-class Merc, but when the carjackers wanted to start it again without having him along, they chopped off the end of his index finger with a machete.

HOW TO SUBSCRIBE
To subscribe to this and other eEye newsletters, please visit: http://www.eeye.com/html/resources/newsletters/subscribe.html

FEEDBACK
The eEye newsletter staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to versa@eeye.com.

DISCLAIMER
The information within this newsletter may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

NOTICE
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of eEye. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email versa@eeye.com for permission.