Don't Panic. Plan
May 1, 2003
By Mike Fratto
Control the Things You Can
A large number of attack tools target well-known vulnerabilities for which patches or workarounds are already available. It's not uncommon to find two- to three-year-old vulnerabilities in systems on the Internet. Let's face it: There are so many vulnerabilities that it's hard to avoid some weaknesses in a system. Roughly 3,920 new vulnerabilities were discovered between January 2000 and March 3, 2003, according to data from the ICAT Metabase. Of that total, nearly 1,400 remote vulnerabilities are classified as high severity, meaning an attacker can obtain an account on the target and take the system over (see "Local and Remote Vulnerabilities by Severity Since 2000").
The overwhelming loss type with a high severity classification is security protection (see "Loss Type by Severity Since 2000"). Security protection is defined by ICAT as giving the attacker privileges he or she is not allowed to have according to your access-control policy. Security protection can be subclassified as "obtain all privileges such as root or administrator" and "obtain some privileges," which corresponds to access below root or administrator. It's not surprising that security protection has the highest number of vulnerabilities, because the goal of most attacks is to get shell access, either at a command prompt or by executing commands through a vulnerable application on the remote system. Once shell access is gained, you can kiss your protection good-bye.
The types of vulnerabilities indicate where the bulk of vulnerability searching is focused and where weaknesses can be found. Error classes are designations indicating the type of error condition. Input validation, design and boundary errors (see "Vulnerabilities by Error Class") make up the lion's share of vulnerabilities as classified by Bugtraq's Security Focus team. Input validation describes a vulnerability where input is not validated as syntactically correct, or the application doesn't correctly handle extraneous or missing fields. As more applications are ported to a Web model, we expect to see more input validation-class attacks. In contrast, boundary errors are buffer overflows, in which an attacker exploits a programming error to execute code of his or her choosing. Design errors are more difficult to correct and range from poorly implemented algorithms to shoddily designed user interfaces.
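The two error classes that dominate the Bugtraq counts, input validation and boundary errors, usually come down to the same few lines of code. The following is an added example written for this page, not code from the article or from any of the data sources it cites. It assumes a hypothetical application that copies a field from a request into a fixed 16-byte buffer: the unchecked copy is the boundary-error pattern, and the checked version shows both the syntactic validation and the explicit bounds check that close the two classes. The sample inputs are constructed for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 16   /* assumed buffer size: 15 characters plus the terminating NUL */

enum field_status {
    FIELD_OK = 0,
    FIELD_MISSING,   /* input-validation error: required field absent or empty */
    FIELD_BAD_CHAR,  /* input-validation error: character outside the allowed set */
    FIELD_TOO_LONG   /* boundary error, caught before it becomes an overflow */
};

/* Boundary-error pattern (the "before"): this copy is only safe if every
 * caller guarantees strlen(src) < FIELD_MAX. Nothing here enforces that, so a
 * longer field overwrites whatever sits past dst on the stack. Kept only as
 * the contrast case; nothing below calls it. */
void copy_field_unchecked(char dst[FIELD_MAX], const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: validates syntax (non-empty, [A-Za-z0-9_.-] only) and
 * enforces the buffer boundary explicitly. dst is always NUL-terminated and
 * is left empty when the input is rejected. */
enum field_status copy_field_checked(char dst[FIELD_MAX], const char *src)
{
    size_t n;

    dst[0] = '\0';
    if (src == NULL || src[0] == '\0')
        return FIELD_MISSING;

    for (n = 0; src[n] != '\0'; n++) {
        unsigned char c = (unsigned char)src[n];
        if (n >= FIELD_MAX - 1)            /* bounds check happens before any copy */
            return FIELD_TOO_LONG;
        if (!isalnum(c) && c != '_' && c != '.' && c != '-')
            return FIELD_BAD_CHAR;
    }
    memcpy(dst, src, n + 1);               /* n < FIELD_MAX - 1, so the NUL fits */
    return FIELD_OK;
}

/* Convenience wrappers so the result of one call can be inspected directly. */
enum field_status status_of(const char *src)
{
    char buf[FIELD_MAX];
    return copy_field_checked(buf, src);
}

/* Returns 1 when src is accepted and stored byte-for-byte, 0 otherwise. */
int stores_exactly(const char *src)
{
    char buf[FIELD_MAX];
    return copy_field_checked(buf, src) == FIELD_OK && strcmp(buf, src) == 0;
}

/* Constructed sample inputs, the kind of field a Web form handler receives. */
static const char *const samples[] = {
    "alice",
    "",
    "bob smith",
    "this_name_is_far_too_long_for_the_buffer",
};

int main(void)
{
    char buf[FIELD_MAX];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum field_status st = copy_field_checked(buf, samples[i]);
        printf("%-42s -> status %d, stored \"%s\"\n", samples[i], (int)st, buf);
    }
    return 0;
}
```

The checked version rejects rather than truncates: silently cutting a field to 15 characters would hide the boundary violation from logs and could let two different inputs collapse into the same stored value. The character whitelist is the input-validation half; it is deliberately narrow, so widen it to exactly what the field needs rather than to what might arrive.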
Using ICAT or Bugtraq, you can get a feel for known vulnerabilities and, provided you keep current with patches and subscribe to vulnerability mailing lists or your vendors' security lists, you can mitigate the risk of connecting to the Internet (for a review of patching products, see "PatchLink Helps Keep Windows Closed"). Although there are many rumblings about zero-day exploits--malicious attempts to take advantage of a flaw before the vendor issues a fix--there are few identifiable examples. The best you can do is keep your systems patched, implement appropriate security measures, and root for the good guys.
Thanks to ISS; the NIST ICAT team; Johannes Ullrich, CTO for the Internet Storm Center; CAIDA; and the Bugtraq community for supplying data and answering (often numerous) questions during the preparation of this article.
Mike Fratto is a senior technology editor based in Network Computing's Syracuse University Real-World Labs®; he covers all security-related topics. Prior to joining this magazine, Mike worked as an independent consultant in central New York. Write to him at mfratto@nwc.com.