Vulnerabilities – the heart of the matter
In the eighth of his weekly series for Cambridge Network members, BS7799 and IT governance expert Alan Calder explains the ABCs of business security and compliance. This week he looks at vulnerabilities.
The Problem
Much commercial off-the-shelf software (“COTS software”) is riddled with holes. The same is true of open source software (Linux, UNIX) and of many proprietary software systems (eg. mobile telephones, Symbian). Some of the holes are put there quite deliberately (they’re called “backdoors” or “covert channels” in the jargon) – but not always maliciously.
Most of the holes are there because of the intersection of two forces: the software developers’ drive for ever more sophisticated, more complex software delivered to a commercially hyped deadline (creating what you might call the “known unknowns”), and the rampant individualism of the vast numbers of users who deploy the software to do things it may not have been designed to do (producing what you might call the “unknown unknowns”).
Holes – particularly in operating systems such as Windows and in browsers such as Internet Explorer or Firefox – are technically known as vulnerabilities: weaknesses in our software that malicious third parties can exploit to attack our computer systems, steal our data, destroy our businesses.
The Risks
There is an army of researchers, coders and “ethical hackers” who uncover new vulnerabilities every day. The vulnerabilities are usually posted on Bugtraq (www.securityfocus.com/archieve/1), which is a free-to-all database. Some 50 new vulnerabilities, across all software systems, are posted in a typical three day period. CVE (www.cve.mitre.org) attempts to give common names to vulnerabilities and anyone can search or download its entire database (currently carrying 8,785 named vulnerabilities) for free. Microsoft vulnerabilities make the news simply because it is deployed on so many computer systems: the fact is that all software has multiple vulnerabilities. And, as soon as a vulnerability is posted, the race between software developer and attacker starts.
Attackers are opportunistic. They exploit the most common vulnerabilities, in the most widely used systems. The consensus-built SANS top 20 (www.sans.org/top20/) identifies the 10 most commonly exploited Microsoft vulnerabilities and the 10 most commonly exploited UNIX and Linux vulnerabilities. The list is updated regularly and represents the flaws that require immediate remediation by anyone using the flawed systems.
For those vulnerabilities that are worth exploiting, the time gap between posting of a new flaw and the arrival of the first exploit (demonstrable method – virus, worm, Trojan, hack - of exploiting the vulnerability) has got shorter and shorter. We are now very close to zero-day exploits – exploits that are released within zero days of the vulnerability being announced.
Virus writers, spammers and hackers are increasingly co-operating to exploit vulnerabilities – the objective is to get more spam into our e-mail boxes and to shift data theft to a more industrial scale.
The Impacts
Without vulnerabilities, there would be neither viruses nor hackers. Viruses, worms, Trojans and many hacking exploits are completely autonomous – they are “in the wild” and indiscriminately attack any unguarded system – irrespective of its size, importance or value. “Always on” systems are at more risk than dial-up connections, simply because a static IP address is more interesting and easier to attach than a varying one.
Any unpatched and unguarded system (particularly if permanently connected to the Internet) is, therefore, threatened with potential corruption, destruction, theft of data or denial of service.
What do we do about it?
The single most important thing for any organization – or computer user – is to patch vulnerabilities. This means ensuring that automatic updating/patching is enabled for every computer system and, where you have a number of (more complex) systems, that updates are tested and deployed quickly.
The second most important step is to guard computer systems with a combination of a DAILY UPDATING anti-malware product and an effective firewall.
What else?
Wireless computers, mobile phones and PDAs all have software, so they all have potential vulnerabilities and must be included in your patching and protection strategy.
Next week: Endpoint security
Alan Calder’s company provides businesses with consultancy support and advice on governance and information security. Visit www.itgovernance.co.uk/page.service, e-mail alan@itgovernance.co.uk or telephone + 44 845 070 1750