Schneier on Security
A blog covering security and security technology.
« Security in Ten Years |
| How to Secure Your Computer, Disks, and Portable Drives »
December 3, 2007
SANS Top 20
Every year SANS publishes a list of the 20 most important vulnerabilities. It's always a great list, and this year is no different:
The threat landscape is very dynamic, which in turn makes it necessary to adopt newer security measures. Just over the last year, the kinds of vulnerabilities that are being exploited are very different from the ones being exploited in the past. Here are some observations:
- Operating systems have fewer vulnerabilities that can lead to massive Internet worms. For instance, during 2002-2005, Microsoft Windows worms like Blaster, Nachi, Sasser and Zotob infected a large number of systems on the Internet. There have not been any new large-scale worms targeting Windows services since 2005. On the other hand, vulnerabilities found anti-virus, backup or other application software, can result in worms. Most notable was the worm exploiting the Symantec anti-virus buffer overflow flaw last year.
- We have seen significant growth in the number of client-side vulnerabilities, including vulnerabilities in browsers, in office software, in media players and in other desktop applications. These vulnerabilities are being discovered on multiple operating systems and are being massively exploited in the wild, often to drive recruitment for botnets.
- Users who are allowed by their employers to browse the Internet have become a source of major security risk for their organizations. A few years back securing servers and services was seen as the primary task for securing an organization. Today it is equally important, perhaps even more important, to prevent users having their computers compromised via malicious web pages or other client-targeting attacks.
- Web application vulnerabilities in open-source as well as custom-built applications account for almost half the total number of vulnerabilities being discovered in the past year. These vulnerabilities are being exploited widely to convert trusted web sites into malicious servers serving client-side exploits and phishing scams.
- The default configurations for many operating systems and services continue to be weak and continue to include default passwords. As a result, many systems have been compromised via dictionary and brute-force password guessing attacks in 2007!
- Attackers are finding more creative ways to obtain sensitive data from organizations. Therefore, it is now critical to check the nature of any data leaving an organization's boundary.
Much, much more information at the link.
Posted on December 3, 2007 at 3:12 PM
• 10 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Last point clarified for anyone in HMG:
'No copying millions of peoples private information to a DVD.'
I wish the article would differentiate between "Operating systems" and "Microsoft Operating systems" when they make sweeping statements on trends, e.g.:
"""These vulnerabilities are being discovered on multiple operating systems and are being massively exploited in the wild, often to drive recruitment for botnets."""
Has anyone every heard of a non-Microsoft-Windows botnet?
I also don't get the distinction between "Open Source" and "Custom build" applications. Software can be either, neither or both.
Sometimes SANS reports are as brilliant and insightful as Gartner ones.
AC writes "Has anyone every heard of a non-Microsoft-Windows botnet?"
Well, Agobot is cross-platform. And there are a number of botnets built from compromised Linux machines, primarily 0wn3d through SSH brute-force tools.
Solaris is also a popular botnet target, and to a lesser extent, FreeBSD.
"Well, Agobot is cross-platform"
I thought that the original was cross-platform, but that the yield on non-Windows machines was so small the later variants became Windows-only. Or am I confusing that with another botnet?
Your comment about passwords,
"The default configurations for many operating systems and services continue to be weak and continue to include default passwords. As a result, many systems have been compromised via dictionary and brute-force password guessing attacks in 2007!"
You did not mention the "new vector" for password attacks,
Which is harvest passwords from on line third party systems with weak security, that users of a more secure system are known to access. Then try the passwords or their structure against the more secure system.
I.e. you know that Jeniffer Parsons is the PA to the MD of MegaCorp Investments.
1) You know that the general format for a login at Mega is the first name initial appended to the surname.
2) You also know that the general structure of the email addresses at Mega are Fname.Lname@mega.com
3) So you Google around and low and behold you find she has posted on a small social site advertising a pair of size six red court shoes.
4) After a quick check with an exploit tool you get hold of a file with her hashed/encrypted password for the social site in it.
4) You google the hash or check it on a rainbow table site to get the plain text.
5) You try loging in with what you have found.
Due to "Human Nature" a lot of people use the same password on many systems or one passed on fairly obvious modifications to a root.
The result is likely that you will get into Mega Corps system fairly easily or to her on line bank account etc.
In response to the password issue, I think it's clear that passwords must go. They're simply not good method of authentication anymore. The requirements to make them strong also make them difficult for users to remember. Alternative methods for user authentication (biometrics, tokens, smart cards, etc.) have to start being employed.
"Web application vulnerabilities in open-source as well as custom-built applications account for almost half the total number of vulnerabilities being discovered in the past year."
I'm feeling as though this is an obligatory gibe at something other than MegaSoft. I would imagine that the *majority of vulnerabilities being discovered *would be found in OSS and the like, primarily because we're allowed to endless amounts of peer review across a large amount of varying levels of experience and expertise. What also seems likely is that these vulnerabilities (if announced) were likely rectified far quicker than any found in closed source applications (although this is a bit of a sweeping generalization).
Of course that may just be my own bias rhetoric, but I do know this: my department would rather pay 100,000 / year for some garbage, patchwork of an application (and trust me, that is 1st hand experience talking now, no bias needed) rather than install an open source application that is tried and true over years of open peer review... for free, and things like this statement above only perpetuate the FUD they already have regarding OSS, which I think is incredibly unfounded.
Shane - excellent comments. This is about SANS making money off of Tippingpoint, and Tippingpoint getting press to make leads to sell product. This is about SANS.org - the FOR PROFIT company - increasing Paller's wealth.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.