Title: Vulnerabilities and Threats: The Past, Present and Future
Slide 1: Vulnerabilities and Threats: The Past, Present and Future
- Mike Murray - Director of Vulnerability Research
- March 29, 2006
Slide 2: Intro
- The Past: Pen-Testing and Vulnerability Assessment
- The Present: Vulnerability Management
- The Future
- Disclaimers
  - Information Technology focused
  - Vendor neutral
- Objectives
  - Present information to help you understand your information security strategy today and tomorrow
Slides 3 and 4: The Birth of Vulnerability Assessment
Slide 5: Security Configuration Weaknesses
- The earliest discovery
- Exploits mostly human weakness in setting up operating systems
- Simple class of attacks
- Exploiting access control failures
  - Improper directory permissions
  - Unrestricted access to servers
- Failures in trust relationships
  - Grabbing password files
- Incorrect program behavior
  - Debug interfaces
- Attackers were unsophisticated
Slide 6: The Buffer Overflow
- Phrack 49 - November 8, 1996
- Aleph1 - "Smashing the Stack for Fun and Profit"
- The first real sophisticated vulnerabilities start to emerge
- A buffer overflow required knowledge of assembly and coding skill
- Hackers now had to be more technical
- Readily available exploit code actually makes breaking into computers easier
- The golden age of server hacking begins.
Slide 7: Past Vulnerability Assessment
Slides 8 and 9: The Birth of Vulnerability Management (agent-less)
Timeline labels (figure): Lightning Console/Nessus, 2004; Buffer Overflows Increase Sophistication; New Attack Vectors Emerge
Slide 10: Memory Attack Sophistication
- Buffer overflows become more sophisticated
  - Polymorphic shell-code
  - More advanced use of memory spaces
  - Designed to evade detective controls
- Other memory-based attacks
  - Format string attacks
  - Integer overflow attacks
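The three memory-corruption classes named on slides 6 and 10 (the stack buffer overflow, format string attacks and integer overflow attacks) each come down to one missing check on untrusted input, which is what makes them both findable by a scanner and fixable by a developer. The C below is an added example written for this page, not code from the presentation or from nCircle: for each class it states the vulnerable pattern in a comment and implements the hardened check that closes it. The function names, the 16-byte name buffer and the sample inputs are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX 16  /* constructed fixed-size destination, as in the classic stack buffer */

/*
 * Class 1: stack buffer overflow.
 * Vulnerable pattern (kept as a comment, deliberately not compiled in):
 *     char name[NAME_MAX];
 *     strcpy(name, input);      // writes past name[] once input is >= 16 bytes
 * Hardened form: bound the scan to the destination size, fail closed when the
 * string plus its terminator does not fit, and always leave dst terminated.
 */
static int copy_name_checked(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    /* memchr never reads beyond dstsz bytes of src, so an unterminated or
     * oversized input cannot make us scan (or later copy) too far. */
    const char *end = memchr(src, '\0', dstsz);
    if (end == NULL) {
        dst[0] = '\0';          /* reject: strlen(src) >= dstsz */
        return -1;
    }
    memcpy(dst, src, (size_t)(end - src) + 1);  /* includes the NUL */
    return 0;
}

/*
 * Class 2: integer overflow feeding an allocation.
 * Vulnerable pattern: malloc(count * elem_size) where the product wraps, so a
 * small block comes back and the element writes that follow run past its end.
 * Hardened form: detect the wrap before multiplying.
 */
static int checked_mul(size_t a, size_t b, size_t *out)
{
    if (b != 0 && a > SIZE_MAX / b)
        return -1;              /* a * b would not fit in size_t */
    *out = a * b;
    return 0;
}

static void *alloc_array(size_t count, size_t elem_size)
{
    size_t bytes;
    if (checked_mul(count, elem_size, &bytes) != 0)
        return NULL;            /* refuse rather than allocate a wrapped size */
    return malloc(bytes);
}

/*
 * Class 3: format string.
 * Vulnerable pattern: snprintf(out, outsz, msg) with attacker-controlled msg,
 * whose %-directives then drive the formatter.
 * Hardened form: the format is a constant and msg is only ever an argument.
 */
static int log_message_checked(char *out, size_t outsz, const char *msg)
{
    int n = snprintf(out, outsz, "%s", msg);
    if (n < 0 || (size_t)n >= outsz)
        return -1;              /* encoding error or truncated output */
    return 0;
}

int main(void)
{
    char name[NAME_MAX];
    char line[64];
    size_t bytes;
    void *p;

    /* Constructed sample inputs exercising each check. */
    printf("short name : %d\n", copy_name_checked(name, sizeof name, "alice"));
    printf("long name  : %d\n", copy_name_checked(name, sizeof name, "a-name-that-is-far-too-long"));
    printf("wrapping   : %d\n", checked_mul(SIZE_MAX / 2 + 1, 4, &bytes));
    p = alloc_array(1000, sizeof(uint32_t));
    printf("alloc ok   : %d\n", p != NULL);
    free(p);
    printf("format safe: %d -> %s\n", log_message_checked(line, sizeof line, "%x %x %x"), line);
    return 0;
}
```

Each hardened function returns a status the caller must act on; silently truncating (the `strncpy` habit) would hide the rejected input instead of surfacing it, which is the detective-control angle the deck's later slides on vulnerability management depend on.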
Slide 11: New Attack Vectors Emerge
- Web-based applications become a target
  - As web-apps become common, researchers target web apps
  - SQL injection, XSS, access control breaches
  - Data-driven attacks
- Begin to see browser attacks
  - Internet Explorer proves vulnerable
Slides 12 to 23: From the Past to the Present
Slide 24: The Present
Timeline labels (figure): nTellect Product; SIH Product; 2005, 2006, 2007; Client Side Attacks Are Key; Human attacks increase
Slide 25: Client-side attacks
- Microsoft hardens their operating systems
- As massive server-based vulnerabilities disappear, client interaction becomes key
- We see the majority of issues affect the client
- Major exploits require user-interaction
  - Email
  - Web-page viewing
  - Opening of attachments
Slide 26: Human Weakness
- Attacks rely on social engineering
  - Phishing
  - Spyware/Adware/bot installations
  - Exploiting by providing value
- We have come full-circle
- Humans are, in general, weaker than computers.
Slide 27: Present Vulnerability Management
- Gartner's "grand unified theory of security" has defined Vulnerability Management as one of four high-level security processes that are key to the effectiveness and efficiency of enterprise security.
Slide 28: Creating a Balanced Security Ecosystem
Slide 29: Measure, Manage, Reduce Risk
- Obstacles
  - Enumeration of vulnerabilities is an insufficient set
  - The consumer of this information is no longer the security geeks
  - Risk related information is fragmented and out of sync
- Requirements for the future
  - Risk related intelligence that allows for proper preemptive, preventive, and protective actions to be taken.
  - Risk related intelligence integrated with both other technologies and the processes of the enterprise
  - Risk related intelligence that drives the decision-making ability of the business
  - Less is more
Slide 30: Managing Risk Across the Enterprise
Figure labels: Ira Winkler; Dan Ryan
Slide 31: Definitions
- Vulnerability \Vulnerability\, n.
  - The quality or state of being vulnerable
- Threat \thret\, n.
  - Intelligence of something that is a source of danger
- Countermeasures \Countermeasure\, n.
  - An action taken to offset another action
- Valuation \Valuation\, n.
  - The act of estimating value or worth; the value set upon a thing
Slides 32 to 43: From the Present to the Future
Slide 44: Requirements for Future Security Intelligence
- Considerations
  - Breadth of data to be considered
  - Depth of knowledge to be understood
  - Speed required for decision making
- Functional Objectives
  - Remote discovery of IP, ports, services, applications, vulnerabilities, operating systems
  - Discovery of network transit paths and countermeasures (vertices for all nodes)
  - Target system valuations
  - Integrated counterintelligence of the threat
  - Continuous, scheduled, triggered, and ad hoc discovery
  - Use of baselines and benchmarks (NIST SP 800-70)
  - Open bi-directional integration of functionality and intelligence
  - Complete and total integration with the business intelligence systems
Slide 45: Requirements for Future Security Intelligence
- Measure, Manage, and Reduce Operational Risk through Security Intelligence
Slide 46: Foreshadowing
- The biggest upcoming threat is mobile devices
  - Pod slurping
  - Mobile manager devices
  - Massive storage, low profile devices
- Generally developed without security controls in place
- Designed for the mass market
- We are not prepared.
Slide 47: Thank you
- mmurray_at_ncircle.com
- http://blog.ncircle.com