Where Modern Vulnerabilities Exist

Security vulnerabilities are everywhere and in everything. Have you ever wondered why there are so many successful hackers breaking into systems? Do we really believe that every 17-year-old that breaks into a nuclear power plant is a super-genius? The fact of the matter is that you can't toss a pebble without striking an object that is vulnerable. The average hacker has only to sip a cup of hot cocoa while a scanning application looks across thousands of organizations for well-known vulnerabilities. The hacker may not even know what the vulnerability is or why it exists, but the newly downloaded scanner is pre-programmed with thousands of wiz-bang gadgets and exploits. Given a few hours, the hacker will find more vulnerable systems than he or she knows what to do with.

What Do I Mean by "Vulnerable?"

When an object is vulnerable, it simply means that the object can be affected in an undesirable way or allow for access to information and services without consent or control. When an exploit like a new buffer overflow attack is combined with a corresponding vulnerability like an unpatched Windows NT server, then "something bad happens." A system without a UPS/battery backup is vulnerable to power outages, just as an unpatched Linux box sitting on the Internet is vulnerable to a multitude of hacker tools.

The most common vulnerabilities are related to DoS threats, meaning given a specific set of conditions, a system or service will become unavailable for its normal use. An example would be a network-based overflow attack that stops email services from running, or an unexpected string of variables that causes a Web server to reboot. These incidents result in lost time, lost customers, and lost money.

On the more intense side, a vulnerability can also allow someone to gain access to read, modify, execute, or delete actual data on your system. Penetration attacks involve hackers attempting to gain access to systems, networks, and resources they are not authorized to access.

The Origin of Vulnerabilities

Vulnerabilities can come from anywhere or result from any number of circumstances. There are, however, two factors that seem to account for the majority of vulnerabilities: buggy software and human beings.

  • Buggy software: The vast majority of vulnerabilities in digital technology originate from flaws in software. If the world's applications and operating systems were built with strong security measures in place, there would be far fewer problems in information security. Most of the security measures put in place, including firewalls and virus checkers, are there to keep hackers from exploiting the vulnerabilities in buggy applications and operating systems.

  • Humans: Humans are another big source of vulnerability within an organization. Place the treasure in the largest, most elaborately secured treasure room and it will be a human that forgets to lock the front door. Whatever it is on our systems, in our networks, or in our physical areas, the ultimate power of security is in the hands of our employees, customers, and other related humans. Unfortunately, most of these humans do not have the proper training to manage such a large responsibility, thus resulting in numerous vulnerabilities.

Vulnerable Operating Systems

If anyone in your organization is using a workstation or server that is running any version of Windows, UNIX, or MacOS, then you have vulnerabilities; it's that simple. Perhaps these vulnerabilities have not yet been discovered, but every significant operating system is full of features that can be exploited to make the system act in an undesirable manner. The thousands of vulnerabilities we have today existed long before we even knew about them! Vulnerabilities that will be discovered next year are actually in our systems today. It is important to understand that when we hear about a new vulnerability being discovered, the vulnerability is not really "new," just "newly discovered." Someone may have known about it several years before and has been using it to silently sneak into systems around the world.

Writing an operating system requires a large staff of programmers who create millions of lines of code under a tight business-driven deadline. Mainstream operating systems like Windows and Solaris are full of millions of lines of hidden code that the public will most likely never have access to. This code is full of thousands of flaws that are nearly impossible to find, even for the handful of people who have access to view the code.

Windows 2000, for example, has more than 35 million lines of code in it, developed by multiple teams within multiple organizations. It would be quite impossible to make a profit if the staff was expected to fully test every line of code under every possible combination and event. It is also extremely difficult to ensure that the programming staff has not inserted its own intentional back doors into the code. Some organizations are better than others at avoiding vulnerabilities and malicious coding, but in reality, it is the general public who is truly expected to put the software to the ultimate test.

A classic example of this is the notorious "Ping of Death" from the mid-1990s. Most operating system developers programmed network utilities to operate within published IP standards, which included a limit on the size of the data within an IP packet (65535 octets, to be exact). Well, someone stumbled onto the simple fact that if you sent a tiny request called a "ping" to a system and gave it more than 65535 octets, most systems would react strangely. For example, many operating systems locked up, stopped talking on the network, and some even rebooted. Why? Because when the average programmer quickly slaps together a tiny program to respond to such "ping" requests, he or she often doesn't stop to consider teaching the program how to handle events that do not conform to the standards. They don't tell their applications, "Hey, if you get something over 65535, ignore it," and leave the systems to their own decisions. Simple mistakes like this made by programmers around the world are the cause of 99% of all vulnerabilities.
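The missing length check the passage describes, as an added example that is not from the book: a small fragment reassembler in Python whose `add` method drops any fragment that would extend the reassembled datagram past the 65535-octet limit. The `Fragment` and `Reassembler` names are this example's own, and the buffer is sized to the limit the text cites.

```python
"""Defensive IPv4 fragment reassembly with the bounds check the Ping of Death
relied on being absent.  Added example, not code from the book."""
from dataclasses import dataclass, field
from typing import Optional

MAX_DATAGRAM = 65535   # maximum datagram size in octets, as the text states
FRAG_UNIT = 8          # the IPv4 Fragment Offset field counts 8-octet units


@dataclass
class Fragment:
    offset_units: int      # value of the 13-bit Fragment Offset field
    more_fragments: bool   # MF flag: False on the final fragment
    payload: bytes


@dataclass
class Reassembler:
    """Collects the fragments of one datagram into a fixed-size buffer."""
    buffer: bytearray = field(default_factory=lambda: bytearray(MAX_DATAGRAM))
    covered: bytearray = field(default_factory=lambda: bytearray(MAX_DATAGRAM))
    total_len: Optional[int] = None   # known once the MF=0 fragment arrives

    def add(self, frag: Fragment) -> bool:
        """Copy one fragment into place.  Returns False and drops the fragment
        when offset + length would run past MAX_DATAGRAM; without this check an
        oversized "ping" overwrote memory beyond the reassembly buffer."""
        start = frag.offset_units * FRAG_UNIT
        end = start + len(frag.payload)
        if end > MAX_DATAGRAM:
            return False
        self.buffer[start:end] = frag.payload
        self.covered[start:end] = b"\x01" * len(frag.payload)
        if not frag.more_fragments:
            self.total_len = end
        return True

    def complete(self) -> Optional[bytes]:
        """Return the datagram once every octet up to the final fragment's end
        has been received (fragments may arrive in any order); else None."""
        if self.total_len is None or not all(self.covered[: self.total_len]):
            return None
        return bytes(self.buffer[: self.total_len])
```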

Significance of Operating System Vulnerabilities

The operating system should be viewed as the foundation on which the entire castle is built. If someone tunnels under the walls and takes out a support beam, then the walls will come crumbling down no matter how high they are. Likewise, if someone gains access to the operating system, it will be difficult to prevent him or her from gaining access to the rest of the system and the rest of the network.

One important task in information security is to keep operating systems from being hacked. Remember, an operating system controls the basic functionality of everything that is on a computer. The operating system typically has access to every file, every application, every user, and quite often, the history of all actions. The operating system also has the final say in many security-related decisions. If you can control the operating system, you control just about every application and piece of data on the device.

Vulnerable Applications

Applications are very similar to operating systems. After all, what is an operating system but a giant application? Application vulnerabilities are very common, and most major applications on the market have vulnerabilities in them. The important difference between these vulnerabilities and operating system vulnerabilities has to do with the significance of the threat, which we will discuss in a moment.

The origin of most application vulnerabilities is somewhat similar to that of operating system vulnerabilities. Multiple programmers, working under a deadline, fail to place precautionary checks, and at the same time, make simple errors in the code. Applications are often written with standard programming languages and precompiled toolsets. A precompiled toolset is a part of the program that someone else developed; the application developer is simply including it in his or her application. For example, to make an application play music, the application programmer normally would not want to go through all the trouble of writing hundreds of lines of code when a standard music function has already been written by someone else. Thus, the programmer will pay a fee and insert someone else's code (which they cannot read) into the application and continue on with life. Sadly, such code often has flaws and vulnerabilities that the programmer is unaware of. Subsequently, the programmer has just introduced vulnerabilities into the application, vulnerabilities that the developer has no chance of ever seeing or fixing.

Significance of Application Vulnerabilities

When considering the significance of an application vulnerability, it is important to think in terms of relational security and avoid focusing on just the application itself. Applications have several significant security relations that extend beyond functionality and services. The application has a relationship with its hosting computer, the network it is on, the data it processes, and the clients that access it.

  • Data relationship: Most applications have some form of data for which they are directly responsible. Accounting software has corporate figures, email applications have business communications, and a memo system may have a reminder to pick up eggs on the way home. A primary concern in considering application security is this data. If the application has some form of vulnerability that allows access from undesirable parties, then that data is at risk.

  • Operating system relationship: Every application must have some relationship to the operating system on which it exists. Of course, every operating system and every application work differently, but the operating system must allow the application some control over resources for it to function. Most operating systems grant the application a login, as if the application was a person authenticating into the system. Oftentimes, to simplify administration, applications are designed to run as the administrator or root user of the operating system, and, therefore, have access to many other things within the hosting system (of course, this is in violation of the Rule of Least Privilege). When such applications are compromised, access to the operating system can often be obtained as well.

  • Application clients: The application also shares its vulnerabilities with the clients that access its services. If the application is available to other users, shared on a network, or otherwise capable of handling requests from external sources, the application must share a relationship with all the clients connecting to it. If a hacker is able to manipulate the application's service, he or she can potentially affect all the clients accessing that service as well. A compromised DNS server may send a client who is accessing a bank account over the Internet to a hacker site disguised as the intended bank; a compromised Web server may go so far as to transmit a virus or worm down to the clients reading its pages.

Vulnerable Networks

Our networks are the series of roads, paths, and tunnels that connect our kingdoms to the rest of the world. Some of these roads are wide, clean, and well-lit, while others are narrow, dark, and cross through the backyards of some very questionable characters. Down these roads come many travelers, seeking information and services. These travelers come from unknown locations and can provide little in the way of identification or proof of intent. The requirements for protecting the castle are multiplied by the number of roads that lead to it.

Where Are the Network Vulnerabilities?

The average network consists of many components. Telecommunication lines connect buildings around the world. Routers work to direct communications to and from the proper parties. Hubs and switches distribute communications across numerous devices. Networks also include the desktops, servers, operating systems, and applications connected to them. Therefore, we must widen our focus a bit when considering where a network can be vulnerable. A vulnerable network is simply a network that can be accessed or manipulated without consent. This means that if any device on a network, including the routers, switches, servers, workstations, or even the wires themselves, is compromised, the network itself is compromised. Therefore, the network shares its vulnerabilities with all devices attached to it.

Significance of Network Vulnerabilities

A vulnerability in a network is simply a door through which an attacker can attempt to gain access to communications and devices. Once access is obtained, the hacker can steal information and services, or simply stop them from functioning. The two common concerns with network vulnerabilities have to do with vulnerable access points and communications.

  • Vulnerable access points: When an attacker has gained access to a network via an internal system, device, or service, the hacker has gained direct access to the other systems and services around it. Perhaps there is only a single vulnerability within the organization that can be seen from the outside, but once that vulnerability has been exploited, the attacker is now on the inside of the network and can see the remaining vulnerabilities and weaknesses. Thus, a compromised object in an internal network can lead to the compromise of other objects within the network.

  • Vulnerable communications: When a device communicates with any other device, the information and actions exchanged are vulnerable to interception and manipulation. Common networking communication protocols such as the Transmission Control Protocol/Internet Protocol (TCP/IP) were not built around the concept of security, which makes standard channels of communication often vulnerable to attack. With networks, access is obtainable by anyone and everyone in the path of communication.

Network sniffing is a very common method through which hackers can gain amazing results. Through a network, an attacker can listen to email communications, gather passwords, obtain files, and discover many things about an organization. Since sniffing only requires the hacker to listen somewhere in the line of communication, there are many hidden areas where an attacker could passively exist.

Communications are also subject to manipulation. A hacker attempting to gain access to a resource may wait for a valid communication to take place and then take control of that communication. A hacker can also wait for a valid user to access his or her account, record the authentication process, and then replay this authentication process later to gain access (a replay attack).

Special Considerations for Network Communications

Similar to a phone call, when we communicate with various parties on the Internet, through WANs or over direct modem dialing, information is traversing devices over which we have little or no control. Take the case of dialing with a modem between two computers. The data communication between these systems is pushed through miles of wires and several phone switches before being received. This information must be considered vulnerable at every point from where the communication left the first modem and entered the second.

On an Ethernet network, the vulnerability is even more severe. Tapping into a local area network (LAN), WAN, or Internet communication exchange simply requires free hacking tools and a computer or device that exists somewhere in the path of the communication. Send an email from anywhere to anywhere and you can be sure there are several people that have the opportunity to intercept it.

Physical Vulnerabilities

Physical vulnerabilities are often overlooked when an organization considers security. What many people don't realize, however, is that operating systems, applications, and networks all rely on the physical security of the devices themselves. How can we secure data or services if the systems on which they exist are not secure?

Where Are the Physical Vulnerabilities?

Physical vulnerabilities include any physical component of a system or device that could be exploited for an attack. They comprise everything from the keyboard attached to a server to the power plug behind it. To properly operate and maintain a system, there must be some form of physical access to it, and by physically being able to touch a computer, one has a great deal of control over it. A hacker, for example, could bang away on a keyboard trying to gain access, or he or she could simply unplug the machine and cart it off the premises.

Commonly, a system or device can be fully compromised by physically accessing it. Many organizations, for example, do not configure passwords for the physical connection (console) port on routers. This means that in many environments, a hacker could simply walk in with a laptop and plug into a router to perform basic configuration options. Even simpler, a hacker could stroll casually into the average server room and will often find unattended systems that have been logged in as root or administrator. In such cases, the hacker could simply take a few moments to create an account that will give total control of the system, and then leave to perform the rest of the hacking remotely.

Significance of Physical Vulnerabilities

Similar to how operating system vulnerabilities can affect the security of applications, a physical vulnerability can affect the security of everything in the area. A hacker with access to someone's workstation has many options that would otherwise be unavailable. Likewise, an attacker that can physically plug into an internal Ethernet port has the unlimited potential to compromise every system, device, and link connected to that network. When such physical vulnerabilities are allowed to exist, it greatly diminishes the security of every system, device, and network communication within the organization.

Chained Vulnerabilities

Vulnerabilities should not be seen independently, but as an interlinking chain of dependence such as is illustrated in Figure 7.1. Holes in security are most often formed through a series of minor vulnerabilities that, considered individually, appear to have no major effect on an organization's security. However, by chaining two or more of these minor vulnerabilities together, hackers frequently find ways of compromising security. Likewise, major security violations are most often composed of small events, which would independently be considered "normal" and not raise any flags. It is by forming a series of normal events into a malicious chain that many attacks actually occur. Because we make ourselves vulnerable through a series of chains, it would only be logical that hackers could attack us by reverse-engineering such chains. We must be certain to be conscious of the chain of events surrounding any given situation, thus we should widen our focus in accordance with the virtues and rules of security.

Figure 7.1. Security Dependencies.


It is extremely important for those associated with the security of an organization to be constantly thinking about chains. All too often, a security administrator will open a port on the firewall or make an exception to the security rules simply because it seems like a minor vulnerability. Unfortunately, it is often difficult to comprehend the complete chain of vulnerabilities that are related to everyday actions. This is another reason why it is vital that organizations focus on the rules and higher security principles, and avoid making numerous exceptions. This makes it important to follow the concept of "creating stillness" by having filtered logs for a clear understanding and an unfiltered backup for following seemingly unimportant events (see Chapter 5, Developing a Higher Security Mind). Many successful attacks go unnoticed simply because the hacker used a chain of seemingly unimportant events that were never investigated.
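One way to act on the advice above (a filtered view for daily reading plus the unfiltered record for chasing seemingly unimportant events), as an added example that is not from the book: a Python detector that keeps the two views separate and flags a sequence of individually ordinary events from one source inside a time window. The log format, hostnames, user names, addresses and the chosen event chain are all constructed for this example.

```python
"""Chaining individually 'normal' log events into one alert.
Added example, not from the book; the log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed unfiltered log: no single line is alarming on its own.
UNFILTERED_LOG = """\
2006-03-01T09:00:01 host=fileserv event=login_failed user=jsmith src=10.1.1.7
2006-03-01T09:00:05 host=fileserv event=login_failed user=jsmith src=10.1.1.7
2006-03-01T09:00:09 host=fileserv event=login_failed user=jsmith src=10.1.1.7
2006-03-01T09:00:14 host=fileserv event=login_ok user=jsmith src=10.1.1.7
2006-03-01T09:01:02 host=fileserv event=account_created user=svc_backup by=jsmith src=10.1.1.7
2006-03-01T09:30:00 host=mail event=login_ok user=ahill src=10.1.2.3
"""

LINE_RE = re.compile(r"^(\S+) (.*)$")

# The chain of 'normal' events we want noticed: a few failures, a success,
# then a new account, all from the same source against the same host.
CHAIN = ["login_failed", "login_failed", "login_ok", "account_created"]


def parse(log: str):
    """Turn each 'timestamp key=value ...' line into (datetime, fields)."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        fields = dict(kv.split("=", 1) for kv in m.group(2).split())
        events.append((ts, fields))
    return events


def filtered_view(events, keep=("account_created",)):
    """The 'filtered log': only the event types an operator reads daily."""
    return [(ts, f) for ts, f in events if f["event"] in keep]


def _chain_from(seq, i, window):
    """True if CHAIN appears in order in seq[i:] within `window` of seq[i]."""
    idx, start = 0, seq[i][0]
    for ts, ev in seq[i:]:
        if ts - start > window:
            return False
        if ev == CHAIN[idx]:
            idx += 1
            if idx == len(CHAIN):
                return True
    return False


def detect_chains(events, window=timedelta(minutes=5)):
    """Return (src, host) pairs whose unfiltered events contain CHAIN as an
    ordered subsequence inside `window`; the filtered view alone cannot."""
    by_key = defaultdict(list)
    for ts, f in events:
        by_key[(f["src"], f["host"])].append((ts, f["event"]))
    hits = []
    for key, seq in by_key.items():
        seq.sort()
        if any(_chain_from(seq, i, window) for i in range(len(seq))):
            hits.append(key)
    return hits
```

Run against the sample, the filtered view shows only one account creation, while the unfiltered record yields the whole chain from 10.1.1.7 against fileserv.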

Inside the Security Mind: Making the Tough Decisions
ISBN: 0131118293
Year: 2006
Pages: 119
Authors: Kevin Day