Building Up System Defenses
Print Issue: January 2004
Imagine that to secure your home, it wasn’t enough to merely lock the doors and windows. Imagine that each day, criminals could find ten new ways to get in, and even though you might be quickly overwhelmed with trying to plug each of those holes while still attending to your regular job, missing even one opening could leave your house and your belongings at the mercy of an attacker.
Pity, then, the system administrator, who is faced with this scenario daily. In the first six months of 2003, nearly 2,000 new vulnerabilities—computer software or hardware weaknesses that can be exploited to carry out a cyberattack—were reported to the government-backed CERT/Coordination Center. And the trend is upward; by comparison, there were only some 2,500 total vulnerabilities reported in all of 2000 and 2001.
The first step toward eliminating these vulnerabilities is understanding the classes of vulnerabilities and the dangers they pose. The next step is to understand the assessment tools that offer ways to detect vulnerabilities. The final step is, of course, to find solutions to the problems uncovered.
Classes of vulnerabilities. Despite the attention given to vulnerabilities within software products, these “bugs” that create opportunities hackers can then exploit represent only 20 to 30 percent of the exposures that can threaten a network. Many other weaknesses arise in areas that are under the control of the system administrator and can be corrected fairly easily once they have been identified. Examples include unsecured accounts, the presence of backdoors, applications running unnecessary services, and misconfigurations.
Software defects. Modern software products are extraordinarily complex and often consist of tens of millions of lines of code. It is inevitable then that some code will contain defects that, if discovered, could be exploited for malicious purposes. One of the most common examples of a defect is the buffer overflow, in which a program can’t deal with more data than a particular field was intended to handle. If an attacker uses an exploit that sends data in excess of that amount, the field overflows, overwriting the program’s code and forcing the machine to run the attacker’s own code. The recent Blaster worm, for example, targeted a well-known buffer overflow vulnerability in a component of Microsoft Windows.
Software defects can only be completely resolved through a patch or upgrade issued by the software vendor; however, there are frequently workarounds to these defects, such as removing a software component that is not necessary, denying access to the communication port that the defect makes vulnerable at company boundaries, or using other steps that may be specified by the software vendor.
Accounts. There are often user accounts on a network that are dormant, possess unnecessary privileges, or are protected with weak passwords. These types of accounts are easy marks for hackers who can use them as jumping-off points to compromise a system.
Dormant accounts and those with incorrect privileges and rights are often the result of a lack of communication between the human resources and IT departments; for example, an employee may be terminated or may change positions without the knowledge of IT, and thus an account remains active that should be eliminated or given different rights. Weak passwords frequently arise when no password policy is in place or when the existing policy is not enforced.
Backdoors. Back Orifice, SubSeven, and NetBus are examples of backdoors—illicit programs that allow remote access to and control of a computer. These hacker programs are typically installed unknowingly by users who believe they are downloading other software applications, or they are installed by hackers who have already compromised the system at a root level. Backdoor programs, which often lie hidden in networks for long periods of time, can be detected using antivirus and vulnerability assessment tools, although the cleanup process can be time consuming.
Unnecessary services. Many system administrators install applications or operating systems with default options, frequently because these default installations are the most flexible and usable configurations. However, they are also often highly vulnerable because each unnecessary service or application on a system can open an insecure connection to the Internet through a port. These ports are like doors on a house: The more doors that are unlocked, the harder the house is to secure.
Shutting down these unnecessary services reduces the overall attack surface of the device and thus helps harden the network against attack. Unnecessary services might include Telnet (an infrequently used service that provides a way to access a computer remotely) and default Web service applications (such as Web server software that exists on a computer by default even though it is not being used as a Web server). Once discovered through a vulnerability assessment, those services that are not required can and should be disabled.
Misconfigurations. Other vulnerabilities can arise from applications that have been improperly installed or incorrectly configured. One of the exposures that can arise from these incorrect installations is unrestricted user access to sensitive applications. Another example arises from sample applications left on Web servers (these include administration tools with examples of how to program the server; in some cases, these example applications have known defaults that can be exploited). These accounts are an easy target for hackers.
Assessment tools. Before any of these defects can be addressed or even located, it’s necessary to perform regular network assessments to determine current exposures and risks. Assessments can be done by in-house staff using automated tools or by a consulting company.
There are many free vulnerability assessment tools that a system administrator can download and use to determine where remedies are needed (though in some cases a free tool may have a connection to a remediation product that is not free). Many security companies also offer for-fee products and services that help organizations to audit their networks. Note, however, that in many cases these tools search for only some of the vulnerabilities mentioned previously.
Nessus. Nessus is an open-source scanner that runs on the Linux operating system and can scan various devices on the network to see whether these devices are vulnerable to exploitation. This software program can check for many types of problems, including backdoors, accounts set up using insecure defaults, common software holes, and a host of what it calls “useless services.” Since it is open source, it is free, but it does require regular support and a high degree of expertise to maintain; its operation may, therefore, be beyond the scope of some organizations.
Networks with thousands or tens of thousands of devices to be scanned frequently use more than one Nessus scanner to expedite the process. To make scanning easier, some large organizations purchase Tenable Network Security’s Lightning Proxy product to manage multiple Nessus scanners; it also provides vulnerability reports and aggregates intrusion-detection-system events.
MBSA. Another free tool is the Microsoft Baseline Security Analyzer (MBSA), which scans Windows-based computers looking for a host of common vulnerabilities, including common operating-system misconfigurations. It also reviews password policy and rights assignments. Its Systems Management Server (SMS) Support feature scans for missing security updates on installed Microsoft products and reports on these so that a system administrator can, directly through the SMS, download the latest Windows updates from Microsoft.
Nmap. Every computer has more than 65,000 ports. While to some people this may sound like an absurdly high number, because of the multitude of services available to a computer, from sending and receiving e-mail to using newsgroups to networking with other computers, it’s necessary for such a large number to exist (not all are assigned, providing yet-to-be-written applications with open ports). Only a handful are regularly used; only those few ports should be left open. Unused ports that remain open can allow unauthorized (and frequently unnoticed) access to critical networks.
Nmap (Network Mapper) is an open-source network discovery tool that looks for these open ports. It scans the network to determine what devices are attached to the network, what services they are offering (and thus which ports are open), and what operating system (and version) they are running. Nmap can run on most types of operating systems, including Windows, Linux, and Mac OS.
Commercial tools. Several commercial tools also check networks for vulnerabilities. These include eEye Digital Security’s Retina; FoundStone’s FoundScan; ISS’s Internet Scanner; Vigilante’s SecureScan solutions; and Harris Corporation’s STAT scanner. These tools accomplish their tasks in different ways and have different purposes.
For example, the STAT scanner doesn’t look at vulnerabilities from the outside in; rather, it requires insider privileges to run, and with those privileges, it can do a deeper inspection. This type of tool is particularly useful for organizations that have a large number of workstations in need of being assessed. Organizations that want to do perimeter-based scanning to see what an outside attacker without any rights will see can use a tool such as FoundScan that does not require insider privileges. Many organizations choose a combination of tools to get both the insider and outsider perspectives.
Remediation. Finding the holes is important. But plugging them is what counts. Ironically, companies often stop before they get to this last step. They perform an assessment to identify problems but become overwhelmed by the sheer volume of information generated and don’t know what to tackle and in what order. For example, a typical scan of various computer systems yields approximately 100 vulnerabilities per host in environments where regular scanning and remediation are not practiced. In an environment of 1,000 computers, that equates to 100,000 vulnerabilities.
The average scan report detailing the vulnerabilities on those systems would be more than 33,000 pages long. Clearly, responding to that volume of vulnerabilities would be a daunting task. The key is to use tools that make the task more manageable.
Just as there are different types of vulnerabilities, there are different types of solutions that cover some or all of the remediation efforts for each class of vulnerabilities. These solutions, which can be administered in-house or outsourced, include patch-management tools, configuration-management solutions, and automated vulnerability-remediation solutions. Costs and results vary depending on the size of the organization and the number of vulnerabilities present.
Some companies retain full-time employees to respond to vulnerabilities that are discovered. These employees are typically assigned a section of the assessment report and work on vulnerable systems on a daily basis to resolve the issues. Companies that choose the in-house method of remediation generally have sufficient technically skilled resources to address these vulnerabilities. This is typically a smaller organization, with a homogeneous environment (such as a Windows-only environment). If the organization has fewer than 30 total devices (including servers and workstations), the in-house approach could be a suitable option.
Patch management. Patch-management solutions only address the portion of vulnerabilities that can be resolved by installing patches and software updates (which, as mentioned previously, are only a fraction of the total weaknesses that threaten networks). Many commercial tools exist to facilitate patch management, including Patch Manager from Ecora Software, PatchLink from PatchLink Corporation, and Update EXPERT from St. Bernard Software. These products all work in basically the same way; they regularly scan the network to detect unpatched machines and then download the necessary patches, which are then deployed either automatically or with the oversight of an administrator.
Configuration management. Configuration-management solutions address the portion of vulnerabilities that can be resolved by changing the configuration of the computers on a network. This includes ensuring that Web servers, desktops, and application servers are properly configured. Proper configuration may necessitate changing Windows registry values, confirming proper access controls to shared resources, and removing unnecessary components. Products that report on configuration and perform configuration-management functions include Configuresoft and Microsoft’s SMS, both of which are aimed at Windows machines.
The use of these management tools requires an organization to have a comprehensive change-control process in place. Change control is the process of considering necessary changes (in this case, to the IT infrastructure) before making them and recording the changes made for accountability purposes (and so that they can be easily reversed if necessary).
Many larger organizations have testbeds in place, comprising a representative system—a composite of what is actually in their network environment. Patch and configuration tools should first be run against this testbed so that any harmful reaction can be noted and fixed before the tools are set against the real environment. Smaller organizations typically don’t have the luxury of testbeds; however, if they have a standard platform (such as Windows), they can often choose an existing system (often within the IT department) to test a particular patch or remediation, and any negative effects can be noted before being rolled out to the rest of the network. Many organizations choose to do this after hours or on weekends to minimize the risk of downtime should there be problems.
AVR. Commercial automated vulnerability-remediation (AVR) solutions integrate with vulnerability-assessment tools such as those mentioned previously to scan for all types of vulnerabilities. Results are mapped with remediation advice, allowing the user to deploy those fixes, whether a patch, configuration change, or permission issue.
These solutions are expensive and tend to be most cost-effective for organizations needing to secure more than 100 devices or those securing devices on multiple platforms. In these cases, the time and cost savings often justify the larger expense of this type of solution.
For example, one healthcare facility with 75 servers and a limited IT staff was performing manual remediation of its system. After resolving the vulnerabilities on a single server, staff members estimated that it would take five or six months to remediate all servers, at current resource levels (during which time other vulnerabilities were bound to appear). They decided to implement a commercial AVR solution called Hercules (made by the author’s company) and were able to remediate all 75 of the system’s servers in less than three days.
Outsourcing. Some businesses choose to outsource their vulnerability-remediation efforts to a managed security services provider. Scanning and remediation have typically been done on a quarterly or annual basis by these businesses. However, many outsourcing companies have added emergency response teams to their offerings to address new vulnerabilities as soon as they are discovered.
Outsource providers generally offer a full-service option for vulnerability assessment and remediation; that is, the outsource company provides periodic assessments using some of the vulnerability assessment tools mentioned. It sends in a team of people as necessary to resolve vulnerabilities found during assessments.
The service provider may also maintain service-level agreements (SLAs) related to securing the network. Although outsourcing can be extraordinarily expensive, large organizations may be able to roll these services into existing IT-management contracts with their current outsource providers. Any organization that outsources this security function should carefully review the SLA to ensure that it adequately addresses the specific security risks within the organization. Most critical is the guaranteed response time for the contractor to resolve vulnerabilities.
Organizational clash. In dealing with network security, there is an additional challenge that many organizations face: the question of system ownership and responsibilities. Most large organizations maintain separate security and IT departments. The security team audits and assesses the security posture of the network, and the IT department maintains it and implements security changes. However, IT staff most likely cannot make sweeping changes without going through proper change-control procedures and getting authorization from business units or system owners.
Thus, the task of risk mitigation does not fall only on the IT or security department’s shoulders; the entire organization must participate for the security of the network to be complete. But system owners do not usually concern themselves with security and often resist remediation efforts. For example, many system owners were reluctant to install a recent patch aimed at fixing a buffer overflow in SQL database servers, fearing downtime or loss of business if the patch caused undesirable results.
This allowed the Slammer worm to exploit the buffer overflow through a port used by SQL servers. Many Slammer infections could have been prevented if the organizations not using SQL had closed this port on the firewall or had installed the patch that was long available. (Antivirus programs were not effective in stopping Slammer for several reasons. Infected packets were delivered directly into the SQL program’s memory through the open port and thus bypassed the antivirus features; also, Slammer, unlike typical malicious code, didn’t write to the hard disk of the computer, making it hard for antivirus solutions to detect. However, some antivirus companies came out with specialized tools to detect and remove Slammer.)
Resolving this organizational shortcoming is not easy. Business-unit managers must be convinced that it’s better to plan some downtime for critical systems in need of a patch than to take a chance that these unpatched systems will be affected by a new variety of malicious code that slides through the firewall and past antivirus devices.
One option is for top management to establish a chain of command where business-unit owners are answerable to the IT and security departments on these issues. In organizations that take a more laissez-faire approach, painful lessons will ultimately alter business attitudes. For example, many financial services organizations were hit hard by the Slammer worm because they were reluctant to plan downtime to harden their systems; since then, the culture seems to be changing for the better. But smart companies will not wait to be burned before they establish and implement good policies.
Carl E. Banzhof is chief technology officer of Citadel Security Software, Inc.