Several years ago, when organizations of all types were connecting to the Internet in droves, hacking attacks became a commonplace occurrence. Intrusion Detection System (IDS) products, such as WheelGroup’s NetRanger (now owned by Cisco), showed promise by creating security alarms whenever they detected hackers trying to break into an organization’s network. By the late 1990s, there were several companies selling IDS; next to firewalls and antivirus software, IDS was the next “must have” security product.
The early adopters of Intrusion Detection Systems were a brave lot, and many of them paid dearly as they drowned in the sea of false positives. The sheer volume of alarms overwhelmed the departments trying to manage them. A small proportion of organizations were able to manage the deluge of false positives and tune them out. Others ran around crying wolf until they lost all their credibility and political capital; still others eventually gave up, unable to devote enough resources to tame the false-positives beast.
New Threats Infiltrate Firewalls
By the late 1990s, new threats were emerging that began to leverage the power and complexity of new Internet applications. Organizations added more and more functionality to their Web sites, increasing the complexity of information systems connected to the Internet. Hackers moved beyond the traditional methods of attacking operating systems and began attacking the applications themselves. Script kiddies had a rich selection of tools at their disposal that could find and exploit a growing number of vulnerabilities on any device or application connected to the Internet.
The attacks on applications came in many forms. One type was the sequence-number guessing attack, where a would-be intruder would experiment with the values in Web browser URLs in the hope of stumbling onto another customer’s session. Another was the SQL-injection attack, in which an individual would insert portions of SQL statements into Web forms in the hope of tricking the application into yielding some otherwise hidden information or performing some forbidden function. (Figure 1 shows how an attacker might attempt to change the logic of an SQL statement used to log a user into a Web site.)
Figure 1: This screen shot shows the values a hacker might enter into a form to try to get at hidden information or perform a forbidden function.
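The login case that Figure 1 illustrates, as an added example that is not from the article or from any product it describes: a login check built by string concatenation, where form input becomes part of the statement's logic, next to the same check with bound parameters, where input is only ever data. The in-memory SQLite table, the user record and the crafted form value are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed stand-in for a Web site's user store: one table, one account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by concatenation: whatever is typed into the form is parsed as SQL."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Binds the form values as parameters: the statement's logic is fixed at write time."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo():
    """Runs both checks against a normal login and against the kind of form value Figure 1 shows."""
    conn = make_db()
    # Constructed input: a fragment of SQL entered into the password field instead of a password.
    crafted = "' OR '1'='1"
    return {
        "vulnerable_valid": login_vulnerable(conn, "alice", "correct-horse"),
        # The concatenated statement's WHERE clause now ends in "... OR '1'='1'", which is true
        # for every row, so an unknown user with no password is "logged in".
        "vulnerable_crafted": login_vulnerable(conn, "nobody", crafted),
        "param_valid": login_parameterized(conn, "alice", "correct-horse"),
        # With parameters the same text is compared to the stored password as a literal and fails.
        "param_crafted": login_parameterized(conn, "nobody", crafted),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:<20} login succeeded: {result}")
```

The only difference between the two functions is who builds the statement: in the first, the user does; in the second, the driver does, and the user's text can never change the WHERE clause. That is why the fix for this class of attack sits in the application code rather than in a firewall, which cannot see the difference between a password and a fragment of SQL.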
These new kinds of attacks posed a difficult challenge for IT managers in the ’90s, for they had few defenses available. Firewalls were not designed to decode, understand and make pass-or-fail decisions about the content deep inside network packets. Intrusion Detection Systems could recognize some of these attacks, but since they were merely monitoring devices, they were powerless to stop them.
Blended Threats Increase the Danger
Some of the worms, viruses and Trojan horses that we’ve seen lately attack in several ways at once. For instance, the Nimda worm, discovered on Sept. 18, 2001, propagated itself in five ways:[1]
1. Visiting an affected Web site could infect visitors’ computers.
2. The virus propagated via e-mail and infected users’ computers if they opened the attachment.
3. Once it infected a system, it scanned the network, looking for a specific vulnerability in Microsoft IIS Web servers.
4. It attacked Microsoft IIS Web servers that were previously attacked by the Code Red worm.
5. It attacked Microsoft Windows systems that had file sharing turned on.
Nimda’s sophistication permitted it to spread rapidly around the world. It could propagate by any one of the mechanisms listed above, but since it had five ways of spreading, IT departments that were safe from Nimda had to have all five vulnerabilities fixed. A successful defense against Nimda took considerable effort.
There is no reason to expect that threats of the future will return to a single propagation method. Hackers have raised the bar.
The Pitfalls of Patch Management
One approach that has gotten a lot of traction in terms of reducing risk is that of fixing a site’s known vulnerabilities. If the known vulnerabilities in any given enterprise can be eliminated, the risk of an attack or compromise will be reduced significantly. Security efforts can be focused on the part of the enterprise that is most vulnerable—for instance, the Web servers and application servers that can be accessed from the Internet.
Vendors such as Microsoft, Hewlett-Packard and Sun Microsystems do a good job of issuing security patches when vulnerabilities in their products are found. Microsoft, HP and Sun inform their customers via mailing lists dedicated to notifications of software flaws and the patches required to fix them. Key personnel in enterprises subscribe to these lists and install patches on their systems in order to keep them safe.
There is but one flaw in this technique: System administrators (SAs) are oftentimes so overwhelmed by the sheer number of vulnerability notifications from vendors that they are unable to keep up. It is not uncommon for SAs to spend one-third to one-half of their time just on patch management. Frequently, patches must be installed manually, requiring reboots—not to mention regression testing that must be performed to ensure that a patch does not break any functionality.
Another critical aspect of the problem is knowing where specific versions of software components are running so that they can be identified and patched. In larger, complex environments, it may be difficult to know where the appropriate components are located. This adds a significant amount of time to the whole patch-management task.
It would seem that an inventory of all hardware and software components would solve this problem. But this is considerably more difficult and costly than it first appears, and may be covered in a future article.
Part of the problem is that SAs have not known which security patches need to be installed right away, which can wait until the next maintenance cycle, and which are irrelevant. Sure, with more people on the SA or Security Ops staff, this task could be handled. But in these lean times, few CIOs are able to justify additional headcount, even for security. Reallocation of resources has seen limited success, if that. Some wondered if the whole process of correlating threats and vulnerabilities could be automated.
Vulnerability Management Systems
Vulnerability Management Systems is the name given to a new breed of applications that automates many parts of the patch-management process. Vulnerability Management Systems (VuMSes) work by performing two very different, but related, tasks. First, they scan or query systems for their detailed configurations and store the results for later analysis. Next, they also acquire threat, vulnerability and patch-availability information from the VuMS vendor’s home site.
Next, the VuMS correlates the installed-software configuration it collected from enterprise systems with the threat, vulnerability and patch availability information and develops a rank-ordered list of work that must be performed to minimize risk. Some of the more sophisticated VuMS products will e-mail the list of work to be done, in priority order, to the system administrators and database administrators, and even generate alarms if systems are not getting patched soon enough.
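The correlation step described above, and the triage question raised earlier (which patches go in now, which wait for the next maintenance cycle, and which are irrelevant), as an added example that is not the article's own material and not any vendor's product: a collected software inventory is joined against an advisory feed, each match is scored, and the result is a rank-ordered work list plus an overdue alarm. The inventory, the advisories, the identifiers, the dates and the scoring weights are all constructed placeholders, and the scoring rule is a hypothetical one chosen for illustration.

```python
from datetime import date

# Constructed inventory, of the kind an agent or scanner would collect from each managed system.
# Hostnames, versions and exposure flags are made up for illustration.
INVENTORY = {
    "web01": {"os": "Windows 2000", "internet_facing": True,
              "software": {"IIS": "5.0", "OpenSSL": "0.9.6"}},
    "db01": {"os": "Solaris 8", "internet_facing": False,
             "software": {"Oracle": "8.1.7"}},
    "ws17": {"os": "Windows XP", "internet_facing": False,
             "software": {"Office": "2000"}},
}

# Constructed advisory feed standing in for the threat, vulnerability and patch-availability
# data a VuMS vendor would publish. Advisory ids, patch names and dates are placeholders.
ADVISORIES = [
    {"id": "ADV-0001", "product": "IIS", "affected": ["4.0", "5.0"], "severity": 10,
     "exploited_in_wild": True, "patch": "PATCH-PLACEHOLDER-IIS", "published": date(2003, 3, 1)},
    {"id": "ADV-0002", "product": "OpenSSL", "affected": ["0.9.6"], "severity": 7,
     "exploited_in_wild": False, "patch": "PATCH-PLACEHOLDER-OPENSSL", "published": date(2003, 3, 20)},
    {"id": "ADV-0003", "product": "Oracle", "affected": ["9.0.1"], "severity": 9,
     "exploited_in_wild": True, "patch": "PATCH-PLACEHOLDER-ORACLE", "published": date(2003, 2, 10)},
]

# Constructed "today" for the overdue check, so the example is reproducible.
TODAY = date(2003, 4, 15)


def risk_score(advisory, host_info):
    """Hypothetical scoring: vendor severity, plus weight for active exploitation and Internet exposure."""
    score = advisory["severity"]
    if advisory["exploited_in_wild"]:
        score += 3
    if host_info["internet_facing"]:
        score += 2
    return score


def triage(score):
    """Maps a score onto the buckets an SA needs: install now, next maintenance cycle, or can wait."""
    if score >= 12:
        return "install now"
    if score >= 6:
        return "next maintenance cycle"
    return "low priority"


def correlate(inventory, advisories):
    """Joins installed software against the advisory feed and returns a rank-ordered work list."""
    work = []
    for host, info in inventory.items():
        for product, version in info["software"].items():
            for adv in advisories:
                if adv["product"] == product and version in adv["affected"]:
                    score = risk_score(adv, info)
                    work.append({"host": host, "product": product, "version": version,
                                 "advisory": adv["id"], "patch": adv["patch"],
                                 "score": score, "action": triage(score),
                                 "published": adv["published"]})
    # Highest risk first; among equal scores, the older advisory has waited longer.
    work.sort(key=lambda w: (-w["score"], w["published"]))
    return work


def not_applicable(inventory, advisories):
    """Advisories matching no installed product/version: the 'irrelevant' bucket an SA can set aside."""
    applicable = {w["advisory"] for w in correlate(inventory, advisories)}
    return [adv["id"] for adv in advisories if adv["id"] not in applicable]


def overdue(work, today, sla_days=30):
    """Alarm condition: an applicable advisory still on the work list longer than the SLA allows."""
    return [w for w in work if (today - w["published"]).days > sla_days]


if __name__ == "__main__":
    items = correlate(INVENTORY, ADVISORIES)
    for w in items:
        print(f"{w['action']:<24} {w['host']:<6} {w['product']} {w['version']} "
              f"-> {w['patch']} ({w['advisory']}, score {w['score']})")
    print("not applicable:", not_applicable(INVENTORY, ADVISORIES))
    print("overdue:", [w["advisory"] for w in overdue(items, TODAY)])
```

Note that the Oracle advisory drops out entirely because the installed version is not in its affected list; that is the part of the job an inventory makes possible and a mailing list alone cannot do. The overdue list is what the more sophisticated products turn into an alarm when systems are not being patched soon enough.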
Two Vulnerability Management System products will be studied in more detail here.
Agented or Agentless?
ESO Advisor is an agented product, while Foundscan is agentless. It is difficult to say which is better.
More information is available from client systems in agented products, since agents can obtain virtually any information from the client system and send it to the server.
Agentless products, by contrast, must obtain all of their information through a port scan. Agentless software is easier to install, though, since no software needs to be installed on any client systems.
ESO Advisor
The appliance-based product ESO Advisor comes from eSecurity Online LLP, the software products group of Ernst & Young LLP. ESO Advisor scans an organization’s systems and creates a report that lists all the known vulnerabilities on those systems and the patches that must be installed to fix them.
The appliance portion of the ESO Advisor product is a 1U rack-mounted server that attaches to the organization’s network. (See Figure 2.) It is managed via a Web browser using SSL-encrypted communication. The administrator managing the system tells it which systems in the enterprise are to be scanned and where reports are to be sent.
ESO Advisor utilizes agents, which are small software modules that are installed on each managed system. The server communicates with each agent, and the agent collects requested data and sends it back to the server. The agent knows how to collect specific information, such as operating-system version and configuration; which patches are installed; and the versions of installed software such as Web servers.
ESO Advisor supports Windows NT, XP and 2000; Solaris; HP-UX; AIX; and Red Hat Linux. Other operating system and network hardware platforms will be supported in the future.
ESO Advisor made its debut in January 2003. By April, 30 customers had already bought the product, according to John Guibileo, vice president of products and services for eSecurity Online. This is an impressive track record for a new product. Then again, it performs a vital service and adds value to the enterprise.
Figure 2: This server attaches to a network to scan an organization’s systems. The accompanying software is managed via a Web browser.
Foundscan
Foundscan is a software product developed by Foundstone Inc. that performs scans of selected systems in order to identify known vulnerabilities. Foundscan regularly updates its knowledge base of vulnerabilities and generates priority-ordered management reports and to-do lists.
An enterprise would install Foundscan on one of its Windows 2000 servers. It does not use agents, so there is nothing else to install. Tell Foundscan which IP addresses (or ranges of IP addresses) to scan, and it will perform “port scans” on the network to locate systems and identify vulnerabilities. Foundscan is also available in appliance and ASP versions.
Figure 3: Foundscan software by Foundstone Inc. will scan a range of IP addresses, seeking out vulnerabilities.
Other Defenses
In a future column I will discuss another kind of defense: devices that examine the full content of messages being sent to Web servers. These devices can determine whether the queries and other content being sent to Web servers are legitimate — or are attacks. Network packets suspected of being attacks are simply dropped and never reach the Web server.
[1] From Blended Threats: Case Study and Countermeasures, a Symantec Corp. white paper.
Peter H. Gregory, CISA, CISSP, is the author of over a dozen books on security and technology, and the security strategist for a financial-services company in Seattle. He can be reached at petergregory@yahoo.com.