Vulnerabilities and Threats: The Past, Present and Future

Title: VM Past Present and Future
Author: Tim Keanini
Keywords: IPS Target nCircle
Description: second generation with Culpepper comments additional content for the ...

1
Vulnerabilities and Threats: The Past, Present and Future
  • Mike Murray - Director of Vulnerability Research
  • March 29, 2006

2
Intro
  • The Past: Pen-Testing and Vulnerability
    Assessment
  • The Present: Vulnerability Management
  • The Future
  • Disclaimers
      • Information Technology Focused
      • Vendor Neutral
  • Objectives
      • Present information to help you understand your
        information security strategy today and tomorrow

3
The Birth of Vulnerability Assessment
5
Security Configuration Weaknesses
  • The Earliest Discovery
  • Exploits mostly human weakness in setting up
    operating systems
  • Simple class of attacks
  • Exploiting access control failures
  • Improper Directory permissions
  • Unrestricted access to servers
  • Failures in trust relationships
  • Grabbing password files
  • Incorrect program behavior
  • Debug Interfaces
  • Attackers were unsophisticated

6
The Buffer Overflow
  • Phrack 49 - November 8, 1996.
  • Aleph1 - Smashing the Stack for Fun and Profit
  • The first real sophisticated vulnerabilities
    start to emerge
  • A buffer overflow required knowledge of assembly
    and coding skill
  • Hackers now had to be more technical
  • Readily available exploit code actually makes
    breaking into computers easier
  • The golden age of server hacking begins.

7
Past Vulnerability Assessment
Delivery: Point & Shoot Software
Asset Architecture: Run-to-completion Scripts (NASL, FASL, CASL, etc.)
Design Objective: Hyper-Focused on finding Vulnerabilities
Principles: Invasive and Proud of it
Skill Level of User: Subject Matter Expert Required
Functional Goal: Find Vulnerabilities
9
The Birth of Vulnerability Management (agent-less)
[Timeline figure. Labels: Lightning Console/Nessus; 2004; Buffer Overflows Increase Sophistication; New Attack Vectors emerge]
10
Memory Attack Sophistication
  • Buffer overflows become more sophisticated
  • Polymorphic shell-code
  • More advanced use of memory spaces
  • Designed to evade detective controls
  • Other memory-based attacks
  • Format String attacks
  • Integer Overflow attacks

11
New Attack Vectors Emerge
  • Web-based applications become a target
  • As web-apps become common, researchers target web
    apps
  • SQL Injection, XSS, access control breaches
  • Data driven attacks
  • Begin to see browser attacks
  • Internet Explorer proves vulnerable

12
From the Past to the Present
Delivery: Point & Shoot Software
Asset Architecture: Run-to-completion Scripts (NASL, FASL, CASL, etc.)
Design Objective: Hyper-Focused on finding Vulnerabilities
Principles: Invasive and Proud of it
Skill Level of User: Subject Matter Expert Required
Functional Goal: Find Vulnerabilities
13
From the Past to the Present
Delivery: Infrastructure, Centrally Managed, Always On
Asset Architecture: Run-to-completion Scripts (NASL, FASL, CASL, etc.)
Design Objective: Hyper-Focused on finding Vulnerabilities
Principles: Invasive and Proud of it
Skill Level of User: Subject Matter Expert Required
Functional Goal: Find Vulnerabilities
15
From the Past to the Present
Delivery: Infrastructure, Centrally Managed, Always On
Asset Architecture: Advanced Scripts and High Level Languages
Design Objective: Hyper-Focused on finding Vulnerabilities
Principles: Invasive and Proud of it
Skill Level of User: Subject Matter Expert Required
Functional Goal: Find Vulnerabilities
17
From the Past to the Present
Delivery: Infrastructure, Centrally Managed, Always On
Asset Architecture: Advanced Scripts and High Level Languages
Design Objective: Find Defects and Manage to Resolution
Principles: Invasive and Proud of it
Skill Level of User: Subject Matter Expert Required
Functional Goal: Find Vulnerabilities
19
From the Past to the Present
Delivery: Infrastructure, Centrally Managed, Always On
Asset Architecture: Advanced Scripts and High Level Languages
Design Objective: Find Defects and Manage to Resolution
Principles: Non-Invasive, Continuous
Skill Level of User: Subject Matter Expert Required
Functional Goal: Find Vulnerabilities
21
From the Past to the Present
Delivery: Infrastructure, Centrally Managed, Always On
Asset Architecture: Advanced Scripts and High Level Languages
Design Objective: Find Defects and Manage to Resolution
Principles: Non-Invasive, Continuous
Skill Level of User: Technical Expert Required
Functional Goal: Find Vulnerabilities
23
From the Past to the Present
Delivery: Infrastructure, Centrally Managed, Always On
Asset Architecture: Advanced Scripts and High Level Languages
Design Objective: Find Defects and Manage to Resolution
Principles: Non-Invasive, Continuous
Skill Level of User: Technical Expert Required
Functional Goal: Find Vulnerabilities and Manage them through a lifecycle
24
The Present
[Timeline figure. Labels: nTellect Product; SIH Product; 2005; 2006; 2007; Client Side Attacks Are Key; Human attacks increase]
25
Client-side attacks
  • Microsoft hardens their operating systems
  • As massive server-based vulnerabilities
    disappear, client interaction becomes key
  • We see the majority of issues affect the client
  • Major exploits require user-interaction
  • Email
  • Web-page viewing
  • Opening of attachments

26
Human Weakness
  • Attacks rely on social engineering
  • Phishing
  • Spyware/Adware/bot installations
  • Exploiting by providing value
  • We have come full-circle
  • Humans are, in general, weaker than computers.

27
Present Vulnerability Management
Delivery: Infrastructure, Centrally Managed, Always On
Asset Architecture: Advanced Scripts and High Level Languages
Design Objectives: Find Defects and Manage to Resolution
Principles: Non-Invasive, Continuous
Skill Level of User: Technical Expert Required
Functional Goals: Find Vulnerabilities and Manage them through a lifecycle
  • Gartner's "grand unified theory of security" has
    defined Vulnerability Management as one of four
    high-level security processes that are key to the
    effectiveness and efficiency of enterprise
    security.

28
Creating a Balanced Security Ecosystem
29
Measure, Manage, Reduce Risk
  • Obstacles
  • Enumeration of Vulnerabilities is an insufficient
    set
  • The consumer of this information is no longer the
    security geeks
  • Risk related information is fragmented and out of
    sync
  • Requirements for the future
  • Risk related Intelligence that allows for proper
    preemptive, preventive, and protective actions to
    be taken.
  • Risk related Intelligence integrated with both
    other technologies and the processes of the
    enterprise
  • Risk related Intelligence that drives the
    decision-making ability of the business
  • Less is more

30
Managing Risk Across the Enterprise
Ira Winkler Dan Ryan
31
Definitions
  • Vulnerability \Vulnerability\, n.
      • The quality or state of being vulnerable
  • Threat \thret\, n.
      • Intelligence of something that is a source of
        danger
  • Countermeasures \Countermeasure\, n.
      • an action taken to offset another action
  • Valuation \Valuation\, n.
      • the act of estimating value or worth; the value
        set upon a thing

32
From the Present to the Future
Delivery: Infrastructure, Centrally Managed, Always On
Asset Architecture: Advanced Scripts and High Level Languages
Design Objective: Find Defects and Manage to Resolution
Principles: Non-Invasive, Continuous
Skill Level of User: Technical Expert Required
Functional Goal: Find Vulnerabilities and Manage them through a lifecycle
33
From the Present to the Future
Delivery: Infrastructure, Distributed
Asset Architecture: Advanced Scripts and High Level Languages
Design Objective: Find Defects and Manage to Resolution
Principles: Non-Invasive, Continuous
Skill Level of User: Technical Expert Required
Functional Goal: Find Vulnerabilities and Manage them through a lifecycle
35
From the Present to the Future
Delivery: Infrastructure, Distributed
Asset Architecture: Ontology of end-point state
Design Objective: Find Defects and Manage to Resolution
Principles: Non-Invasive, Continuous
Skill Level of User: Technical Expert Required
Functional Goal: Find Vulnerabilities and Manage them through a lifecycle
37
From the Present to the Future
Delivery: Infrastructure, Distributed
Asset Architecture: Ontology of end-point state
Design Objective: Expert system providing intelligence and automation
Principles: Non-Invasive, Continuous
Skill Level of User: Technical Expert Required
Functional Goal: Find Vulnerabilities and Manage them through a lifecycle
39
From the Present to the Future
Delivery: Infrastructure, Distributed
Asset Architecture: Ontology of end-point state
Design Objective: Expert system providing intelligence and automation
Principles: Observe, Orient, Decide and Act
Skill Level of User: Technical Expert Required
Functional Goal: Find Vulnerabilities and Manage them through a lifecycle
41
From the Present to the Future
Delivery: Infrastructure, Distributed
Asset Architecture: Ontology of end-point state
Design Objective: Expert system providing intelligence and automation
Principles: Observe, Orient, Decide and Act
Skill Level of User: All Levels of the Organization
Functional Goal: Find Vulnerabilities and Manage them through a lifecycle
43
From the Present to the Future
Delivery: Infrastructure, Distributed
Asset Architecture: Ontology of end-point state
Design Objective: Expert system providing intelligence and automation
Principles: Observe, Orient, Decide and Act
Skill Level of User: All Levels of the Organization
Functional Goal: Provide the Security Intelligence needed to measure, manage and reduce operational risk
44
Requirements for Future Security Intelligence
  • Considerations
      • Breadth of data to be considered
      • Depth of knowledge to be understood
      • Speed required for decision making
  • Functional Objectives
      • Remote Discovery of IP, Ports, Services,
        Applications, Vulnerabilities, Operating Systems
      • Discovery of Network Transit Paths and
        Countermeasures (vertices for all nodes)
      • Target System Valuations
      • Integrated Counterintelligence of the Threat
      • Continuous, Scheduled, Triggered, and Ad hoc
        discovery
      • Use of Baseline and Benchmarks (SP-800-70)
      • Open Bi-directional Integration of Functionality
        and Intelligence
      • Complete and Total Integration with the Business
        Intelligence Systems

45
Requirements for Future Security Intelligence
  • Measure, Manage, and Reduce Operational Risk
    through Security Intelligence

46
Foreshadowing
  • The biggest upcoming threat is mobile devices
  • Pod Slurping
  • Mobile Manager devices
  • Massive storage, low profile devices
  • Generally developed without security controls in
    place
  • Designed for the mass market
  • We are not prepared.

47
Thank you
  • mmurray_at_ncircle.com
  • http://blog.ncircle.com