Know Your Vulnerabilities

There's a wealth of data pointing to your top security vulnerabilities. These seven strategies help you tackle the biggest dangers.

Is your security plan working? A study suggests that whatever your company is doing right now, it probably isn't enough.

According to the "2002 Computer Crime and Security Survey," released by the Computer Security Institute (CSI)/Federal Bureau of Investigation (FBI) in April, 90 percent of the 503 respondents said they'd detected computer security breaches within the last 12 months, and 80 percent acknowledged a resulting financial loss. The 223 respondents who quantified their losses had a combined loss of $455.8 million. The CERT Coordination Center at Carnegie Mellon University also says that the number of security incidents—defined as involving one or more sites for an unspecified amount of time—is going up. (See "Security Incidents on the Rise.")

[Graph: Security Incidents on the Rise]

Respondents report that they use a wealth of technologies to secure their networks. Clearly, more is needed. That's why, when creating a security plan for your company, experts espouse a risk-management-based approach to security planning.

Ideally, you allocate the most business resources to the business processes that are of greatest value. If, for instance, you're an online retailer, your top three security priorities are probably protecting your Web site, e-commerce engine and supply chain.

The problem with that thorough, top-down approach is that it's not enough. You still need to stay abreast of top vulnerabilities and tackle them, too.

Analysis of the survey data shows that there is a wealth of common vulnerabilities that most organizations share and can begin addressing.

Strategy #1: Parse Known Vulnerabilities
A recent report from real-time security monitoring firm Riptech Inc. (Alexandria, Va.) analyzed the firewall and intrusion detection system (IDS) logs of many of its customers. It found that Internet attacks rose by 64 percent in the year ending June 2002. But here's a surprise: For the first six months of 2002, 99.9 percent of attack scans were focused on only 20 services. (See "Top 20 Network Scan Attacks.") The vast majority of attacker reconnaissance is focused on relatively few entry points.

[Chart: Top 20 Network Scan Attacks]

For starters, be sure you secure those 20 entry points. "If you want to throw resources at something, let's throw resources at fixing known problems," says Dale "Chip" Dahlstrom, Chief Security Officer for SecureInfo Corp. in San Antonio, Texas, a security software, services and training company. "They're so often the ones that people don't fix." That helps explain why 40 percent of the CSI/FBI survey respondents reported system penetrations, the same percentage as last year.

Known vulnerabilities are especially dangerous because of the prevalence of free "toolkits." Unfortunately, a toolkit that's valuable for a system administrator can also be used by a cracker checking public-facing ports to try to find one that's unsecured against a known vulnerability. Worse, little programming knowledge is needed to use toolkits.

Strategy #2: Create an Accurate Baseline
Knowing the vulnerabilities is only useful if you're always aware of exactly what's on your constantly changing network. Users still open virus files attached to their e-mail, creating security breaches. Departments sometimes install their own WiFi access points (for 802.11b wireless networking) or servers such as Microsoft Internet Information Server (IIS), leaving the insecure default settings and thus punching a big hole in the network.

The "FightBack" program at security site informs some organizations when their machines have been used to attack other machines. Witness one recent response from late July 2002: "It's solved now. An idiot just installed a W[indows]2000 machine without protection on that IP address. We've disconnected the machine." No surprise, then, that IDC predicts that the market for Web intrusion protection products and services will increase from $65 million in 2002 to almost $700 million by 2006, at least partially to arrest the mess users keep creating.

To combat rogue installations, companies should first create a baseline—a list of what hardware and software is actually connected to the network. Baselines let companies use a real, not presumed, list of systems in use when checking against known vulnerabilities and verifying that security and privacy policies are being followed.

One baseline creation tool is WebXM from Watchfire Corp. in Kanata, Ontario, which analyzes a company's network at the browser level. "Our customers include half of the Fortune 500, and some have Web sites that are as large as 10 million pages and are spread over as many as 1,550 different Web sites," says Michael Weider, company founder and chairman. WebXM, priced beginning at $25,000, can spot things on a site that aren't supposed to be there. For instance, it looks for Java applets, active server pages, Microsoft FrontPage extensions with known vulnerabilities, CGI scripts, unknown and insecure Web servers, and more.

The tool also analyzes how information is collected across the site, for instance, through the GET or POST methods. "There are some issues with the use of the GET method to push data back from the form to the database; it could allow for data spillage," says Weider, which occurs when the information is relayed via the actual URL string. For instance, if a bank Web site uses a customer's actual account number in the URL string, the number can be found in the Web log.
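The "data spillage" Weider describes can be checked for directly in your own Web logs. The following Python script is an added example, not part of the article or of any vendor's product; the log format, the parameter-name list and the sample log lines are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Common combined-log-format layout (constructed pattern; real logs vary by server).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Parameter names that should never travel in a query string (hypothetical list).
SENSITIVE_KEYS = {"account", "acct", "ssn", "password", "cardnumber"}
# A value that looks like a bare account or card number (constructed heuristic).
NUMERIC_ID = re.compile(r"^\d{8,19}$")


def find_spillage(log_lines):
    """Return (line_no, method, key, value) for every query parameter that leaks
    sensitive data into the access log. Request bodies are not logged, so only
    the URL is inspected, which is exactly the exposure the GET method creates."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        query = urlsplit(m.group("url")).query
        for key, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                if key.lower() in SENSITIVE_KEYS or NUMERIC_ID.match(value):
                    findings.append((n, m.group("method"), key, value))
    return findings


# Constructed sample log lines: the first GET leaks an account number; the POST
# carries the same data in its body and leaves nothing in the log.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Jul/2002:10:01:02 -0400] "GET /balance.asp?account=1234567890 HTTP/1.0" 200 512',
    '10.0.0.6 - - [29/Jul/2002:10:01:03 -0400] "POST /balance.asp HTTP/1.0" 200 512',
    '10.0.0.7 - - [29/Jul/2002:10:01:04 -0400] "GET /search?q=rates&page=2 HTTP/1.0" 200 128',
]

if __name__ == "__main__":
    for n, method, key, value in find_spillage(SAMPLE_LOG):
        print(f"line {n}: {method} leaks {key}={value} into the Web log")
```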

Watchfire also helps discern whether privacy policies are actually being followed. Companies that don't obey their own privacy policies can be sued, even if the violation was unintentional. For instance, if a third-party banner advertisement on the site uses Web "beacons" to track customers across multiple sites, that's a privacy no-no because it lets marketers gather potentially sensitive information. The same goes for tracking cookies. In October 2001, Toys "R" Us Inc. was sued for using JavaScript cookies to access user information. The toy seller won the decision, but the court did rule that using cookies could constitute inappropriate access to someone's computer.

Strategy #3: Watch for Wireless
When creating a baseline, companies should also invest in wireless networking equipment to look for unauthorized wireless deployments. "The WiFi networks are a place where a lot of problems are going to crop up and a lot of people are going to be sensitized to the need for security," says Jonathan Eunice, principal analyst and IT advisor for research firm Illuminata Inc. in Nashua, N.H. Unfortunately, the same thing that makes WiFi attractive to do-it-yourself employees—its low cost and easy deployment—also makes it a starting point for attackers. "For less than $89, you can get the card that lets you crack in—it doesn't even require expertise. For $100 to $200, you can get an antenna that will let you hack in from miles away."

Strategy #4: Track Baseline Changes
Companies must keep abreast of changes in their baseline, and threats to that baseline, including new security holes, patches and upgrades. However, you could spend all of your time just running baseline updates, wading through voluminous security alerts and newsgroup postings, struggling to find what's real and applicable to your environment. Who has time to implement and test all necessary fixes?
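Strategies #2 and #4 come down to one recurring comparison: what was approved against what is actually answering on the network, cross-checked against the issues you already know about. The Python script below is an added example, not from the article or any vendor named in it; the inventory format, the known-issue table and the sample hosts, services and version strings are all constructed.

```python
"""Compare an approved network baseline with a fresh inventory scan."""

# Constructed table of (service, version) pairs with an outstanding, well-known fix.
KNOWN_ISSUES = {
    ("iis", "5.0"): "default install; patch and lock down before exposing",
    ("ftp", "wu-2.6.0"): "superseded release; upgrade",
}


def diff_baseline(baseline, scan):
    """baseline and scan are lists of (host, service, version).
    Returns what changed since the baseline was approved, plus every scanned
    service matching a known issue, so the work list is driven by what is
    really on the network rather than what is presumed to be there."""
    base = {(h, s): v for h, s, v in baseline}
    now = {(h, s): v for h, s, v in scan}
    base_hosts = {h for h, _ in base}
    new_hosts = sorted({h for h, _ in now} - base_hosts)
    new_services, changed, known = [], [], []
    for (h, s), v in sorted(now.items()):
        if h in base_hosts and (h, s) not in base:
            new_services.append((h, s, v))           # rogue service on a known host
        elif (h, s) in base and base[(h, s)] != v:
            changed.append((h, s, base[(h, s)], v))  # patch, upgrade or downgrade
        if (s, v) in KNOWN_ISSUES:
            known.append((h, s, v, KNOWN_ISSUES[(s, v)]))
    gone = sorted(k + (v,) for k, v in base.items() if k not in now)
    return {"new_hosts": new_hosts, "new_services": new_services,
            "changed": changed, "gone": gone, "known_issues": known}


# Constructed sample data: a department stood up an IIS box with default settings,
# someone added an FTP daemon to web1, the Web server was patched, and a print
# server disappeared.
BASELINE = [
    ("web1", "http", "apache-1.3.24"),
    ("web1", "ssh", "openssh-3.1"),
    ("print1", "lpd", "1.0"),
]
SCAN = [
    ("web1", "http", "apache-1.3.26"),
    ("web1", "ssh", "openssh-3.1"),
    ("web1", "ftp", "wu-2.6.0"),
    ("marketing-pc", "iis", "5.0"),
]

if __name__ == "__main__":
    for section, items in diff_baseline(BASELINE, SCAN).items():
        print(section, items)
```

Run it after every scan and feed the "changed" and "gone" sections into change management; the "known_issues" section is the patch list for Strategy #1.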

There's hope: Subscribe to a Web-based security information delivery service (see "Security Intelligence Services"). Simply put, these services distill all known vulnerabilities and present them clearly to a security administrator. "A customer will set up a profile that matches their architecture, and from then on we give them vulnerability information, and can notify them by e-mail or pager when there's an important vulnerability notice," says Dahlstrom. The services often contain workflow tools and tools for walking companies through the development of plans, policies and required documentation, a feature especially useful for companies that must comply with financial or medical security regulations such as Gramm-Leach-Bliley and HIPAA.

Strategy #5: Get Executive Buy-In
Dealing with known vulnerabilities is difficult, however, without license to defend the site as a whole. "I come from the school of 'You need to do everything, and you need to do it now,' and there are many different problems that you need to do at the same time. [Companies] need to have a much more corporate view of how they're doing security, and that would allow them to put together a plan to attack the most common problems," says Dahlstrom.

Too many companies don't have one person with clout in charge of the entire security operation, and that's a problem. That's why more companies are creating the executive-level position of Chief Security Officer (CSO) to handle enterprisewide security. "The biggest thing is to get that corporate view of what's going on, then senior management can decide what those [security] priorities are going to be," Dahlstrom says.

Strategy #6: Educate Your Users
Everyone should know by now not to open such things as the Nimda worm, yet 223 of the CSI/FBI survey respondents lost a total of almost $50 million to virus attacks. A January 2002 study from research firm Computer Economics estimated that malicious code accounted for $13.2 billion in losses for all companies worldwide, with two of the largest contributors being the user-unleashed worms SirCam and Nimda.

Evidently people haven't gotten the message.

Security isn't fundamentally about technology. "It's the people and the processes that we put in place. Yes, out-of-the-box solutions are a part of that; but they're not the end-all. It's training and education, policies and procedures. It all goes back to the basics of security," says Dahlstrom.

Educate your users, perhaps by bringing in a security training team.

Strategy #7: Make Developers Security-Happy
Whether you're building products for sale or internal use, another vulnerability is not giving developers the time, mandate and know-how to build in security from the beginning of the development cycle. "A lot of the problems that we're dealing with today are because the people who are the developers and the integrators do not understand what the goal is for security," says Dahlstrom.

In February, Bill Gates, stressing the importance of security, halted all operating system development to better train 7,000 Microsoft developers in security. Whether or not that move, estimated to cost over $100 million, will radically improve security in future Microsoft products remains to be seen, but it's a great step in the right direction.

Developers will have a learning curve, though. "It actually takes a lot more work [to build secure products]. If you look at universities, there are almost zero courses on secure programming, and the ones that have popped up have only popped up recently," notes Stuart McClure, president and CTO of Foundstone Inc., of Mission Viejo, Calif., a high-end vulnerability-assessment and network-scanning services company.

Getting Started
Following the seven strategies I've outlined is a good way to start honing your security plan. Also be sure to check out other survey results at for more industry-specific trends. Don't become a security-victim statistic.

Studying the Study

Do security survey results mirror reality? That's hard to gauge because companies are so secretive. The CSI/FBI study reported that though 90 percent of respondents suffered attacks, only one-third of them reported the attacks to law enforcement. Many experts caution that the results are hardly conclusive.

However, experts say that having any numbers is a start because they raise awareness levels. "[The CSI/FBI survey] is one of the top two or three surveys that come out each year that talk about the risk and really give the frontline folks ammunition to go back to their executives and the folks signing the checks," says Foundstone's McClure.

That's valuable, as one of the biggest security problems is simply apathy. "It takes some bad experiences, maybe close at hand, to get people to think. It's like backup and restore—people who have had the most major losses are the best at backup," says Illuminata's Eunice. "It's become personal."

Some survey responses, however, raise concern with overall survey accuracy. For one thing, the CSI/FBI survey, compiled from the responses of a self-selected group of 503 respondents from large, U.S. companies, contends that firewall use has gone down. "Either people are getting pretty lazy or a little too comfortable in that corner office chair. It went from 95 percent in 2000 down to 89 percent this year. That's concerning," says McClure.

How clear a view of reality the reports provide is unknown. The data also leaves many questions unanswered. For instance, the CSI/FBI study reports that anti-virus software use has also gone down. "[That] is suspect. I'm wondering more about how they actually did the survey, who they sent the surveys out to, and if those individuals really knew all the answers for their entire corporation. If they don't have a firewall, I'm sure they have something else that's filtering. People that don't have anti-virus software—I have to imagine that their network has some way of filtering malicious logic. Those are basic security management tools that we've got to have out there today," says SecureInfo's Dahlstrom.

CSI was not available for comment at press time.

The survey also reports statistically what respondents can't accurately judge, such as the threat of insider attacks. "I don't think that they can properly quantify that risk, because most organizations are not even measuring for that kind of risk today. They don't have the tools, audit team, time or effort needed to prevent those kinds of attacks," notes Dahlstrom. "That's a problem that I don't think this report addresses. Again, [respondents] are only reporting on what they detected; I'm more worried about the rest of the stuff that's going on, that they're not detecting," he adds.

The CSI/FBI "security technologies used" numbers can also be misleading, says Dahlstrom, because many people don't correctly use what they have. "Most organizations, if you asked them, 'Do you have a security policy?' they'd say yes, but if you looked at it, it would be the front and back of a single piece of paper," he warns. Real security policies are much longer; a comprehensive one has to be.

Also, the CSI report didn't ask whether organizations practiced change management—a systematic approach to tracking all system details, such as patches and upgrades. "I was very disappointed that they didn't even talk about that," says Dahlstrom. "I tell our classes, if you're not willing to do change and configuration management, you're not doing security."