Title: Vulnerabilities and Threats: The Past, Present and Future
- Mike Murray - Director of Vulnerability Research
- March 29, 2006
Intro
- The Past: Pen-Testing and Vulnerability Assessment
- The Present: Vulnerability Management
- The Future
- Disclaimers
  - Information Technology Focused
  - Vendor Neutral
- Objectives
  - Present information to help you understand your information security strategy today and tomorrow
The Birth of Vulnerability Assessment
Security Configuration Weaknesses
- The Earliest Discovery
- Exploits mostly human weakness in setting up operating systems
- Simple class of attacks
  - Exploiting access control failures
    - Improper directory permissions
    - Unrestricted access to servers
  - Failures in trust relationships
    - Grabbing password files
  - Incorrect program behavior
    - Debug interfaces
- Attackers were unsophisticated
The Buffer Overflow
- Phrack 49, November 8, 1996: Aleph1, "Smashing the Stack for Fun and Profit"
- The first real sophisticated vulnerabilities start to emerge
  - A buffer overflow required knowledge of assembly and coding skill
  - Hackers now had to be more technical
- Readily available exploit code actually makes breaking into computers easier
- The golden age of server hacking begins.
Past Vulnerability Assessment

| Attribute | Past |
| --- | --- |
| Delivery | Point & Shoot Software |
| Asset Architecture | Run-to-completion Scripts (NASL, FASL, CASL, etc.) |
| Design Objective | Hyper-Focused on finding Vulnerabilities |
| Principles | Invasive and Proud of it |
| Skill Level of User | Subject Matter Expert Required |
| Functional Goal | Find Vulnerabilities |
The Birth of Vulnerability Management (agent-less)
- 2004: Lightning Console/Nessus
- Buffer Overflows Increase Sophistication
- New Attack Vectors emerge
Memory Attack Sophistication
- Buffer overflows become more sophisticated
  - Polymorphic shell-code
  - More advanced use of memory spaces
  - Designed to evade detective controls
- Other memory-based attacks
  - Format String attacks
  - Integer Overflow attacks
New Attack Vectors Emerge
- Web-based applications become a target
  - As web-apps become common, researchers target web apps
  - SQL Injection, XSS, access control breaches
  - Data driven attacks
- Begin to see browser attacks
  - Internet Explorer proves vulnerable
From the Past to the Present

| Attribute | Past | Present |
| --- | --- | --- |
| Delivery | Point & Shoot Software | Infrastructure: Centrally Managed, Always On |
| Asset Architecture | Run-to-completion Scripts (NASL, FASL, CASL, etc.) | Advanced Scripts and High Level Languages |
| Design Objective | Hyper-Focused on finding Vulnerabilities | Find Defects and Manage to Resolution |
| Principles | Invasive and Proud of it | Non-Invasive, Continuous |
| Skill Level of User | Subject Matter Expert Required | Technical Expert Required |
| Functional Goal | Find Vulnerabilities | Find Vulnerabilities and Manage them through a lifecycle |
The Present
- Timeline 2005 to 2007: nTellect Product, SIH Product
- Client Side Attacks Are Key
- Human attacks increase
Client-side attacks
- Microsoft hardens their operating systems
- As massive server-based vulnerabilities disappear, client interaction becomes key
- We see the majority of issues affect the client
- Major exploits require user-interaction
  - Email
  - Web-page viewing
  - Opening of attachments
Human Weakness
- Attacks rely on social engineering
  - Phishing
  - Spyware/Adware/bot installations
  - Exploiting by providing value
- We have come full-circle
- Humans are, in general, weaker than computers.
Present Vulnerability Management

| Attribute | Present |
| --- | --- |
| Delivery | Infrastructure: Centrally Managed, Always On |
| Asset Architecture | Advanced Scripts and High Level Languages |
| Design Objectives | Find Defects and Manage to Resolution |
| Principles | Non-Invasive, Continuous |
| Skill Level of User | Technical Expert Required |
| Functional Goals | Find Vulnerabilities and Manage them through a lifecycle |

- Gartner's "grand unified theory of security" has defined Vulnerability Management as one of four high-level security processes that are key to the effectiveness and efficiency of enterprise security.
Creating a Balanced Security Ecosystem
Measure, Manage, Reduce Risk
- Obstacles
  - Enumeration of Vulnerabilities is an insufficient set
  - The consumer of this information is no longer the security geeks
  - Risk related information is fragmented and out of sync
- Requirements for the future
  - Risk related Intelligence that allows for proper preemptive, preventive, and protective actions to be taken.
  - Risk related Intelligence integrated with both other technologies and the processes of the enterprise
  - Risk related Intelligence that drives the decision-making ability of the business
  - Less is more
Managing Risk Across the Enterprise
- Ira Winkler, Dan Ryan
Definitions
- Vulnerability \Vulnerability\, n.
  - The quality or state of being vulnerable
- Threat \thret\, n.
  - Intelligence of something that is a source of danger
- Countermeasures \Countermeasure\, n.
  - an action taken to offset another action
- Valuation \Valuation\, n.
  - the act of estimating value or worth; the value set upon a thing
From the Present to the Future

| Attribute | Present | Future |
| --- | --- | --- |
| Delivery | Infrastructure: Centrally Managed, Always On | Distributed |
| Asset Architecture | Advanced Scripts and High Level Languages | Ontology of end-point state |
| Design Objective | Find Defects and Manage to Resolution | Expert system providing intelligence and automation |
| Principles | Non-Invasive, Continuous | Observe, Orient, Decide and Act |
| Skill Level of User | Technical Expert Required | All Levels of the Organization |
| Functional Goal | Find Vulnerabilities and Manage them through a lifecycle | Provide the Security Intelligence needed to measure, manage and reduce operational risk |
Requirements for Future Security Intelligence
- Considerations
  - Breadth of data to be considered
  - Depth of knowledge to be understood
  - Speed required for decision making
- Functional Objectives
  - Remote Discovery of IP, Ports, Services, Applications, Vulnerabilities, Operating Systems
  - Discovery of Network Transit Paths and Countermeasures (vertices for all nodes)
  - Target System Valuations
  - Integrated Counterintelligence of the Threat
  - Continuous, Scheduled, Triggered, and Ad hoc discovery
  - Use of Baselines and Benchmarks (SP 800-70)
  - Open Bi-directional Integration of Functionality and Intelligence
  - Complete and Total Integration with the Business Intelligence Systems
- Measure, Manage, and Reduce Operational Risk through Security Intelligence
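The deck's argument, from the Definitions slide through the Functional Objectives above, is that a flat enumeration of vulnerabilities is an insufficient set and that vulnerability, threat, countermeasure and valuation have to be combined before a business can decide what to fix first. The following is an added illustration of that combination, not code from the original slides or from nCircle; the scoring formula, field names, weights and sample assets are constructed assumptions.

```python
"""Risk prioritisation over enumerated findings (added illustration).
Combines the four terms the deck defines (vulnerability, threat,
countermeasure, valuation) into one operational-risk score per finding,
so scan output is ranked rather than listed. All data below is constructed."""
from dataclasses import dataclass, field

@dataclass
class Finding:
    check: str        # constructed name of the check that fired
    severity: float   # vulnerability: 0..10, a CVSS-style base score
    threat: float     # threat intelligence: 0..1 likelihood of active exploitation

@dataclass
class Asset:
    name: str
    valuation: float                  # business value of the system, 1..10
    countermeasures: dict             # control name -> fraction of risk it offsets
    findings: list = field(default_factory=list)

def residual_factor(asset: Asset) -> float:
    """Countermeasures compound: two 50% controls leave 25% of the risk."""
    residual = 1.0
    for effectiveness in asset.countermeasures.values():
        residual *= 1.0 - effectiveness
    return residual

def finding_risk(f: Finding, asset: Asset) -> float:
    """vulnerability x threat x valuation, scaled by what countermeasures offset."""
    return round(f.severity / 10.0 * f.threat * asset.valuation * residual_factor(asset), 3)

def prioritise(assets):
    """(asset, check, risk) rows, highest operational risk first."""
    rows = [(a.name, f.check, finding_risk(f, a)) for a in assets for f in a.findings]
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample: a segmented database host and an unprotected lobby kiosk.
SAMPLE_ASSETS = [
    Asset("db-server", 9.0, {"network-segmentation": 0.6}, [
        Finding("service-buffer-overflow", 9.5, 0.1),     # severe, no known exploit activity
        Finding("weak-directory-permissions", 5.0, 0.9),  # modest severity, actively abused
    ]),
    Asset("lobby-kiosk", 2.0, {}, [
        Finding("browser-client-side-bug", 7.0, 0.9),
    ]),
]

if __name__ == "__main__":
    for name, check, risk in prioritise(SAMPLE_ASSETS):
        print(f"{risk:6.3f}  {name:12s} {check}")
```

Ordering by severity alone would put the 9.5 overflow first; the risk ranking puts it last, because a segmented host with no active threat carries less operational risk than a lower-rated, actively exploited misconfiguration.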
Foreshadowing
- The biggest upcoming threat is mobile devices
  - Pod Slurping
  - Mobile Manager devices
  - Massive storage, low profile devices
  - Generally developed without security controls in place
  - Designed for the mass market
- We are not prepared.
Thank you
- mmurray_at_ncircle.com
- http://blog.ncircle.com