Vulnerabilities


A vulnerability is any characteristic of an information system that, if exploited by an intruder, can result in the realization of a threat. A threat to an information system is any possible event, action, process or phenomenon that can potentially inflict damage on system resources.

An Error in Software Code Resulted in a Space Rocket Explosion

On June 4, 1996 at 9:33:59 a.m., the Ariane 5 rocket attempted its first take-off from a launch site in French Guiana. The rocket took off and, 40 seconds later, exploded at an altitude of 50 meters. According to various data sources, the explosion caused $500 million to $6 billion in damages. A month and a half later, on July 19, the committee investigating the cause of the crash published a detailed report stating that the explosion was caused by an overflow error in the software of the on-board computer.

Classification of Vulnerabilities

If you want to devote your efforts to searching for and eliminating vulnerabilities, you need to classify them efficiently. Without systematic information on the vulnerabilities themselves and on how frequently they occur, you cannot distribute your limited resources effectively to achieve the goal you have set for yourself.

My intention was not to develop a vulnerability classification and publish it in this book; my aims were more practical. However, it is necessary to outline the main directions of research in this area, so that IS professionals understand the full importance of this work and its possible complications.

One of the first investigations in this area took place in the mid-70s as part of the Protection Analysis Project, and was aimed at investigating the vulnerabilities of various operating systems. Within several years, the project participants published articles describing vulnerability categories and vulnerability detection methods. The suggested detection methods were based on the patterns they had found. The main purpose of the project was to develop ways of searching for vulnerabilities that would not require personnel to be particularly knowledgeable in the field of information security. However, the methods developed as a result of this investigation could not be easily automated, and the resulting vulnerability database was never published [Aslam1-96].

At approximately the same time, the RISOS project took place. The aims of this project were to classify the vulnerabilities of existing operating systems, and to suggest methods to eliminate them. The operating systems OS/MVT, UNIVAC, and TENEX were studied in the course of this investigation. However, the vulnerability categories developed as a result of this project were too general, which led to ambiguities, such as including the same vulnerability in two different categories.

In 1996, the COAST laboratory at Purdue University developed its own classification [Aslam-96]. Internet Security Systems (ISS) independently developed another one [ISS1-99], which lists the following types of vulnerabilities:

  • Vulnerabilities implemented or created by a vendor (developer) of software or hardware

  • Vulnerabilities added by an administrator in the course of the configuration and management of system components

  • Vulnerabilities introduced by the user in the course of working with the system

Vulnerabilities implemented by the vendor (developer) include the following: errors, OS patches and hotfixes that were not installed, vulnerable services, and configurations that are insecure by default.

Vulnerabilities related to the actions of an administrator include system settings and parameters that are available but incorrectly used and therefore do not satisfy the requirements of the security policy (for example, the required minimum password length), as well as unauthorized changes to the system's configuration.

Vulnerabilities related to user activity include non-observance of the rules specified by the security policy, such as neglecting to start anti-virus scanners, using modems to access the Internet while bypassing the firewall, and other, more dangerous actions.

From my own practical experience, I have worked out a somewhat different classification, reflecting the various stages of an information system's life cycle (Table 2.1).

Table 2.1. Vulnerability Categories

  Stage of the IS life cycle    Vulnerability category
  ----------------------------  ------------------------------
  Design                        Design vulnerabilities
  Implementation                Implementation vulnerabilities
  Operation                     Configuration vulnerabilities

A similar classification (although without an explicit link to the stages of the information system's life cycle) is provided in the section titled "A Taxonomy of Computer and Network Attacks" in John Howard's thesis [Howard1-97] and his subsequent publications on the topic [Howard1-98]. The thesis used the term "error" rather than the commonly accepted term "vulnerability." In subsequent work [Howard1-98], this term was replaced by "vulnerability," which is more correct. This classification is used in this book to describe security incidents.

Design Vulnerabilities

This type of vulnerability is the most serious, since such vulnerabilities are hard to detect and eliminate. In this case, the vulnerability is inherent to the design or algorithm and, therefore, even a perfect implementation (which is practically impossible) cannot eliminate the flaw. A typical example of such a vulnerability is the TCP/IP protocol stack. Since security requirements were underestimated when this protocol stack was designed, new vulnerabilities in the TCP/IP protocol stack are detected and reported each month. Even worse, these drawbacks cannot be eliminated once and for all; one can only take temporary or limited measures. However, there might be exceptions to this rule. Consider, for example, the design of a corporate network comprising a large number of modems that simplify the lives of employees but, at the same time, make the security personnel's tasks much more difficult. As a result of this flaw in the design, several potential ways of bypassing the firewall may appear. In this case, the vulnerability can be easily detected and eliminated.

Implementation Vulnerabilities

Vulnerabilities in this category arise when an error is introduced into the hardware or software at the implementation stage of a design or algorithm that is itself correct from the security standpoint. Buffer overflow errors in the implementations of many programs (for example, sendmail or Internet Explorer) are typical examples of such a vulnerability. According to [Infosec1-01], 32% of all companies experience problems caused by buffer overflow. Vulnerabilities of this type are relatively easy to find and get rid of. If you do not have the source code of a vulnerable application, the vulnerability can be eliminated by upgrading the software, or one can stop using it altogether.
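As an added illustration (not code from the book), the following C fragment shows the pattern behind a typical buffer overflow implementation vulnerability: the "before" version copies a name into a fixed-size buffer with no bound check, and the "after" version performs the same operation with the check the design assumed. The buffer size, the function names and the sample inputs are assumptions chosen for this example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* assumed size of the fixed buffer, including the NUL */

/* "Before": the implementation error. The intended algorithm ("copy the
 * caller-supplied name into a fixed-size buffer") is sound; the code
 * simply never checks that the name fits, so any input of NAME_MAX bytes
 * or more is written past the end of dst. Shown only for contrast and
 * never called. */
void copy_name_unsafe(char dst[NAME_MAX], const char *src)
{
    strcpy(dst, src);
}

/* "After": the same operation with the missing bound check.
 * Returns 0 and fills dst on success; returns -1 and leaves dst empty
 * when src (plus its terminating NUL) would not fit. */
int copy_name_safe(char dst[NAME_MAX], const char *src)
{
    /* Look for the terminator only inside the first NAME_MAX bytes of src,
     * so an unterminated or over-long input is never read past the buffer
     * size either. */
    const char *nul = memchr(src, '\0', NAME_MAX);
    if (nul == NULL) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);   /* copy including the NUL */
    return 0;
}

/* Convenience predicate: does this input fit the fixed buffer? */
int name_fits(const char *src)
{
    char tmp[NAME_MAX];
    return copy_name_safe(tmp, src) == 0;
}

int main(void)
{
    char buf[NAME_MAX];
    /* Constructed sample inputs: two that fit, one exactly one byte too
     * long, and the kind of over-long input that triggers the overflow
     * in the unsafe version. */
    const char *inputs[] = {
        "alice",
        "abcdefghijklmno",
        "abcdefghijklmnop",
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = copy_name_safe(buf, inputs[i]);
        printf("%-40s -> %s\n", inputs[i], rc == 0 ? buf : "REJECTED (too long)");
    }
    return 0;
}
```

The fix does not change the algorithm at all, which is exactly what distinguishes an implementation vulnerability from a design vulnerability: once the bound check is in place the program does what the design always said it should, and the fix is a local code change rather than a redesign.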

Problems with eBay Again

In April 2002, a dangerous vulnerability in the password protection system of the eBay site was reported. As a result, intruders could change the password of any registered eBay user and get full access to their accounts, including information on the bids, items being sold, and credit-card numbers. The most dangerous fact is that, in order to steal a user's account, there is no need to perform any sophisticated manipulations or use complex software tools, since this attack can be done by just a few easy manipulations with two eBay pages. As the eBay representative declared when answering questions for Newsbytes, the company knew about this vulnerability in January 2002 (!), and was considering various methods of eliminating this vulnerability. They promised to take actual measures by the end of summer, when they were due to update the security tools installed on the site. Until then, users had to trace suspicious changes to their accounts on their own.

Configuration Vulnerabilities

The last source of vulnerabilities is errors in software or hardware configuration. Along with implementation vulnerabilities, this type is the most common. For example, this category includes a Telnet service that is available, but not used, on the host; security rules that allow "weak" passwords or passwords shorter than 6 characters; default passwords left on built-in user accounts (such as SYSADM or DBSNMP for the Oracle DBMS); and so on.
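As an added example that is not part of the book, the following C program audits a constructed host configuration for the three configuration vulnerabilities just named (an enabled but unused Telnet service, a password policy allowing fewer than 6 characters, and built-in accounts left with default passwords), then runs the same audit on the corrected configuration for contrast. The key=value format, the placeholder default passwords in the DEFAULTS table and all sample values are constructed for this example; the account names SYSADM and DBSNMP come from the text, but the real vendor defaults are deliberately not reproduced.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POLICY_MIN_PASSWORD_LEN 6   /* the "less than 6 characters" rule from the text */

/* Constructed weak configuration in a hypothetical "key=value" format
 * invented for this example; every value here is made up. */
static const char *const WEAK_CONFIG[] = {
    "telnet_service=enabled",
    "min_password_length=4",
    "account:SYSADM=CHANGEME-SYSADM",
    "account:DBSNMP=S3cure!Pass42",
    "account:appuser=abc",
    NULL
};

/* The same host after the settings were corrected (also constructed). */
static const char *const HARDENED_CONFIG[] = {
    "telnet_service=disabled",
    "min_password_length=8",
    "account:SYSADM=Xk9!pQw2zR",
    "account:DBSNMP=S3cure!Pass42",
    "account:appuser=Tr4vel#Mug77",
    NULL
};

/* Placeholder table of vendor default credentials for built-in accounts.
 * The account names come from the text; the default passwords are
 * constructed placeholders, not the real ones. */
static const struct { const char *user; const char *default_pw; } DEFAULTS[] = {
    { "SYSADM", "CHANGEME-SYSADM" },
    { "DBSNMP", "CHANGEME-DBSNMP" },
};

/* Split "key=value" into key and value. Returns 0 if the line has no '='
 * or the key does not fit in the key buffer. */
static int split_kv(const char *line, char *key, size_t ksz, char *val, size_t vsz)
{
    const char *eq = strchr(line, '=');
    if (eq == NULL) return 0;
    size_t klen = (size_t)(eq - line);
    if (klen >= ksz) return 0;
    memcpy(key, line, klen);
    key[klen] = '\0';
    snprintf(val, vsz, "%s", eq + 1);
    return 1;
}

/* Walk a NULL-terminated array of config lines and return the number of
 * configuration vulnerabilities found, printing each one to report when
 * report is non-NULL. */
int audit_config(const char *const lines[], FILE *report)
{
    int findings = 0;
    char key[64], val[128];

    for (size_t i = 0; lines[i] != NULL; i++) {
        if (!split_kv(lines[i], key, sizeof key, val, sizeof val))
            continue;

        if (strcmp(key, "telnet_service") == 0 && strcmp(val, "enabled") == 0) {
            findings++;
            if (report) fprintf(report, "FINDING: Telnet service is enabled\n");
        } else if (strcmp(key, "min_password_length") == 0
                   && atoi(val) < POLICY_MIN_PASSWORD_LEN) {
            findings++;
            if (report) fprintf(report, "FINDING: minimum password length %s is below policy (%d)\n",
                                val, POLICY_MIN_PASSWORD_LEN);
        } else if (strncmp(key, "account:", 8) == 0) {
            const char *user = key + 8;
            int is_default = 0;
            for (size_t d = 0; d < sizeof DEFAULTS / sizeof DEFAULTS[0]; d++)
                if (strcmp(user, DEFAULTS[d].user) == 0 && strcmp(val, DEFAULTS[d].default_pw) == 0)
                    is_default = 1;
            if (is_default) {
                findings++;
                if (report) fprintf(report, "FINDING: built-in account %s still has its default password\n", user);
            } else if (strlen(val) < POLICY_MIN_PASSWORD_LEN) {
                findings++;
                if (report) fprintf(report, "FINDING: account %s has a password shorter than %d characters\n",
                                    user, POLICY_MIN_PASSWORD_LEN);
            }
        }
    }
    return findings;
}

int main(void)
{
    printf("--- weak configuration ---\n");
    int weak = audit_config(WEAK_CONFIG, stdout);
    printf("--- hardened configuration ---\n");
    int fixed = audit_config(HARDENED_CONFIG, stdout);
    printf("%d finding(s) before, %d after\n", weak, fixed);   /* 4 before, 0 after */
    return 0;
}
```

Each check here is a plain comparison against a policy value or a known default, which is why the text rates configuration vulnerabilities as the quickest to detect and fix: the difficulty lies in knowing which settings to compare, not in performing the comparison.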

Incorrect Configuration of the ICANN Switch

In April 2002, several vulnerabilities were detected in the computer network of the Internet Corporation for Assigned Names and Numbers (ICANN). In the first case, ICANN specialists detected that the switch that serviced the computer networks of the organization could be freely accessed. This vulnerability allowed anyone to change the switch settings using just a Web browser. In the second case, the source code and other information on the system used for processing the results of investigations of disputed domains could also be freely accessed.

These vulnerabilities are the easiest to locate and eliminate (Table 2.2). The main problem in this case is determining if the configuration is vulnerable.

Table 2.2. Capabilities of Locating and Eliminating Vulnerabilities

  Vulnerability category          Detection                                 Elimination
  ------------------------------  ----------------------------------------  ----------------------------------------------------------
  Design vulnerabilities          Time-consuming and difficult              Time-consuming and difficult (sometimes simply impossible)
  Implementation vulnerabilities  Relatively time-consuming and difficult   Easy, but might be time-consuming
  Configuration vulnerabilities   Quick and easy                            Quick and easy

Western Union Database Hacked

On September 8, 2000, Western Union reported that an unknown intruder had copied information from more than 15,700 of their clients' credit cards. According to their statement, it was human error that led to this mishap. Western Union representatives said that the intrusion took place in the course of regular maintenance work. During these operations, system files, which normally could only be accessed by administrators, were accessible to others as well. Western Union insisted that the success of this attack was due to human error rather than to a system security problem. In addition, the FBI states that the information was stolen from the Western Union database by Russian hackers Alexei Ivanov and Vasily Gorshkov, who were arrested in April 2001.

According to statistics published in 1998 by SANS, the five most common vulnerability groups are as follows:

  • Network snooping, especially in order to steal passwords or other confidential information

  • Buffer overflow, which results in providing a hacker with the capability to run any command remotely

  • Security vulnerabilities of specific hosts, for example, CGI script vulnerabilities or sendmail errors

  • Denial of Service (DoS) attacks

  • Vulnerability to loading malicious code, which, besides viruses and Trojan horses, includes some Java applets and ActiveX controls

One can easily notice that the "top five" includes vulnerabilities from all three categories. Password snooping is possible because of the lack of encryption mechanisms in standard Internet protocols (FTP, Telnet, POP3, HTTP, and so on). Buffer overflow, host vulnerabilities and vulnerability to DoS attacks can be classified as implementation vulnerabilities and configuration vulnerabilities. Finally, the possibility of loading malicious code falls into the configuration vulnerabilities group.

The most interesting fact is that the list of "top" vulnerabilities changes each year. This confirms that the theory of the dynamic evolution of network technologies is correct and applies to those used in the field of information security as well [SANS1-01]. There are several reports intended to help security administrators identify the most dangerous security holes, which must be eliminated first and as soon as possible. Investigations in this area are performed by ISS [ISS2-02], Riptech [Riptech1-02], SecurityTracker [SecurityTracker1-02], SecurityFocus [SecurityFocus1-02], and others.

However, the best-known and most trusted description of common attacks and vulnerabilities is produced by the SANS Institute (http://www.sans.org) and the National Infrastructure Protection Center (http://www.nipc.gov), which, before June 25, 2001, published "The Top 10 Most Critical Internet Security Threats List". On October 1, 2001, a new project ("The Twenty Most Critical Internet Security Vulnerabilities") was launched, based on the Top 10 project that had been prematurely closed. In contrast to the Top 10, the Top 20 project was developed by SANS in cooperation with the FBI (http://www.fbi.gov). The steady growth in the number of reported vulnerabilities (especially after the events of September 11 and the Nimda and Code Red epidemics) resulted in the number of vulnerabilities covered by the list being doubled. Further, the vulnerabilities listed in the document were subdivided into three classes:

  • Vulnerabilities common for all platforms

  • Windows-specific vulnerabilities

  • Unix-specific vulnerabilities

The Top 20 list is updated on a regular basis. At the time of writing, the latest update (version 2.504, from May 2, 2002) was available for download at http://www.sans.org/top20.htm. I will not cover all 20 vulnerabilities, but rather will concentrate on the "top seven" security holes, characteristic of absolutely all systems:

  • "Default" installations of operating systems and applications

  • Accounts with no passwords or weak passwords

  • Non-existent or incomplete backups

  • Large number of open ports

  • Lack of packet filtering for incoming and outgoing traffic

  • Non-existent or incomplete logging

  • Vulnerable CGI scripts


Protect Your Information with Intrusion Detection
ISBN: 1931769117
Year: 2001
Pages: 152