IT Security Trends


  • 8/6/2019 IT Security Trends

    1/44

Data Leak Prevention

Data leak prevention (DLP) is a suite of technologies aimed at stemming the loss of sensitive information that occurs in enterprises across the globe. By focusing on the location, classification and monitoring of information at rest, in use and in motion, a DLP solution can go far in helping an enterprise get a handle on what information it has, and in stopping the numerous leaks of information that occur each day. DLP is not a plug-and-play solution: a successful implementation requires significant preparation and diligent ongoing maintenance. Enterprises seeking to integrate and implement DLP should be prepared for a significant effort that, if done correctly, can greatly reduce risk to the organization. Those implementing the solution must take a strategic approach that addresses risks, impacts and mitigation steps, along with appropriate governance and assurance measures.
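As an added illustration of the classification step a DLP tool performs on data at rest or in motion (this is example code written for this page, not part of the ISACA text above and not any product's rules): the scanner below flags Luhn-valid payment card numbers and dashed US SSN-shaped strings in a piece of text, and reports only masked values so that the finding itself does not become a second leak. The patterns, labels and the sample text are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Candidate primary account numbers: 13-19 digits, optionally separated by spaces
# or dashes. The pattern is deliberately loose; the Luhn check filters the noise.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN in the common dashed form (pattern-only check; constructed policy rule).
SSN_CANDIDATE = re.compile(
    r"(?<!\d)(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)"
)


@dataclass(frozen=True)
class Finding:
    label: str    # classification label, e.g. "PCI-PAN"
    masked: str   # redacted match, safe to write to a log or an alert
    offset: int   # position in the scanned text


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by card issuers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits, as a DLP alert would."""
    return "*" * (len(digits) - 4) + digits[-4:]


def classify(text: str) -> list:
    """Return the sensitive-data findings for one document or message body."""
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):                      # drop order numbers, phone numbers, etc.
            findings.append(Finding("PCI-PAN", mask(digits), m.start()))
    for m in SSN_CANDIDATE.finditer(text):
        findings.append(Finding("PII-SSN", "***-**-" + m.group()[-4:], m.start()))
    return findings


if __name__ == "__main__":
    # Constructed sample: one real-format test card number and one that fails Luhn.
    sample = "Customer card 4111 1111 1111 1111 expires 12/26; order id 4111 1111 1111 1112"
    for f in classify(sample):
        print(f.label, f.masked, "at offset", f.offset)
```

The Luhn filter is what keeps the false-positive rate tolerable; a plain 16-digit regex on its own will fire on order numbers and phone numbers and will quickly be tuned out by the people who receive the alerts.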

RE: Trends in Security

I am writing a proposal for reconsidering hardware controls over software controls, when such controls can be made practical and usable. We need to return to the discussions of the early 1980's, because we are now seeing so many targeted viruses in environments that cannot keep track of all changes to their code.

We need to ask operating systems vendors to harden and stabilize their code, with a goal of eventually having parts that will never need to change again.

We need hardware manufacturers to synchronize with the operating systems vendors, to make sure that a common set of device drivers can be permanent, and that new features will be added that are segregated/apart from the unchanging base.

We need software that maintains its layer integrity and reliably fixes itself to its own work area. We need a temporary work area and data area strategy that can be applied across platforms, but keeps software and data separate and verifiable as secure.

We need to be able to reinstall software from scratch easily, so as to eliminate unaccountable invading malware apart from a base of accountable software.

And then, we need to use the EPROM to PROM strategy to fix a stable base of software as a solid unchangeable base. This last part is what I am proposing as the new solution to keep viruses from invading online systems. Software, as long as it is changeable, is subject to viruses, but once it can be fixed in place, then progress in anti-virus strategies can again go forward. With some AV packages catching only 18% of the malware, strategies from the 1980's should again be considered.

Security Assessment

Security Compass offers a broad range of information security assessment and remediation services to fit your needs. Our world-class consultants bring years of expertise and deep domain knowledge to all of our offerings.

• Application Runtime Security Assessment: As attackers increasingly focus on exploiting software vulnerabilities, insecure applications leave your data at risk. Allow Security Compass to test your applications from a hacker's perspective.
• Application Source Code Security Assessment: Find vulnerabilities in the underlying source code and know exactly what to fix. Source code review is one of the most cost-effective methods of finding vulnerabilities. Let our seasoned experts assess the security of your source. Fulfill PCI DSS Requirement 6.6.
• Threat Modelling: Analyze your application's design to find vulnerabilities before development. Prioritize source code reviews and penetration tests. We use our extensive experience in threat modelling to bring security to the early phases of development.
• SDLC Security: Looking for a holistic approach to building secure applications? We can help you enhance your existing software development life cycle (waterfall, agile, or proprietary) to include security.
• Network Security Assessments: With simple point-and-click tools attackers can own your network. How secure is your infrastructure? We'll assess your network with a combination of automated and manual techniques from the perspective of an expert hacker.

Other Enterprise Assessment Services

• Wireless Assessment: Rogue access points and insecure wireless protocols anywhere in your facility can expose confidential data. We can help you determine if you have any wireless network risks.
• Policy Assessment: Information security governance is critical to compliance with standards like ISO 27002, COBIT, and others. Our security experts can assess your policies, procedures, standards, baselines, and guidelines for compliance with common standards.

- www.securitycompass.com


1. Session Replication

Load balancing is a must-have for applications with a large user base. While serving static content in this way is relatively easy, challenges start to arise when your application maintains state information across multiple requests. There are many ways to tackle session replication; here are some of the most common:

• Allow the client to maintain state so that servers don't have to
• Persist state data in the database rather than in server memory
• Use the application server's built-in session replication technology
• Use third-party products, such as Terracotta
• Tie each session to a particular server (sticky sessions) by modifying the session cookie

Out of these, maintaining state on the client is often the easiest to implement. Unfortunately, this single decision is often one of the most serious you can make for the security of any client-server application, because clients can modify any data that they send to you. Inevitably, some of the state data shouldn't be modifiable by an end user, such as the price of a product or the user's permissions. Without sufficient safeguards, client-side state leaves your application open to parameter manipulation at every transaction. Some frameworks provide protection in the form of client-side state encryption; however, as the recent padding oracle attacks have shown, this method isn't foolproof and can leave you with a false sense of security: encryption without an integrity check does not stop tampering, it only hides the plaintext. Another technique is hashing and signing read-only state data (i.e. the parameters that the client shouldn't modify); however, deciding which parameters should be modifiable and which shouldn't can be particularly time consuming, often to the point that developers ignore it altogether when deadlines become pressing. If you have the choice, elect to maintain state on the server and use one of the many techniques at your disposal to handle session replication.
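The "sign the read-only state" technique from the paragraph above, as an added example (written for this page, not code from Security Compass or from any framework): the server serializes the fields the client must not change, appends an HMAC-SHA256 tag, and refuses any state whose tag no longer verifies. The key, the field names and the `tamper` helper that plays the attacker are assumptions for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

# Server-side secret. In a real deployment it comes from a key store and is
# rotated; it is never sent to the client. Constructed value for this example.
SERVER_KEY = b"example-key-rotate-me"


def _encode(payload: bytes) -> str:
    return base64.urlsafe_b64encode(payload).decode()


def seal_state(state: dict, key: bytes = SERVER_KEY) -> str:
    """Serialize read-only state and append an HMAC tag.

    The client can read the state (nothing here is encrypted) but cannot change
    a byte of it without invalidating the tag.
    """
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _encode(payload) + "." + _encode(tag)


def open_state(token: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Return the state if the tag verifies, otherwise None (treat as tampering)."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # compare_digest is constant-time, so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(payload)


def tamper(token: str, **changes) -> str:
    """What an attacker does with client-side state: decode the readable payload,
    edit the interesting field, re-encode it and keep the old tag."""
    payload_b64, tag_b64 = token.split(".", 1)
    state = json.loads(base64.urlsafe_b64decode(payload_b64))
    state.update(changes)
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    return _encode(payload) + "." + tag_b64


if __name__ == "__main__":
    token = seal_state({"sku": "A100", "price_cents": 4999, "role": "customer"})
    print("genuine:", open_state(token))
    print("price edited:", open_state(tamper(token, price_cents=1)))   # None
    print("role edited:", open_state(tamper(token, role="admin")))     # None
```

The hard part the text warns about is not the code but the classification: every field that lands in `seal_state` is read-only, and anything the client is allowed to change has to travel outside the sealed blob and be validated on its own.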

2. Authorization Context

Many senior developers and architects we've spoken to understand that authorization is a challenging topic. Enterprise applications often perform a basic level of authorization: ensuring that the user has sufficient access rights to view a certain page. The problem is that authorization is a multi-layer, domain-specific problem that you can't easily delegate to the application server or to access management tools. For example, an accounting application user has access to the accounts payable module, but there's no server-side check of which accounts the user should be able to issue payments for. Often the code that has sufficient context to see the list of available accounts is so deep in the call stack that it doesn't have any information about the end user. The workarounds are often ugly: for example, tightly coupling presentation and business logic so that the application checks the list of accounts in a view page, where it does have context information about the end user.

A more elegant solution is to anticipate the need for authorization far into the call stack and design appropriately. In some cases this means explicitly passing user context several layers deeper than you normally would; other approaches include having some type of session- or thread-specific lookup mechanism that allows any code to access session-related data. The key is to think about this problem up front so that you don't waste time down the road trying to hack together a solution. See our pattern-level security analysis of Application Controller for more details on this idea.
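The "request-scoped lookup" approach described above, as an added example (written for this page, not Security Compass's own code): the authenticated principal is bound once at the edge of the request, and the business-layer function that actually knows which account is being paid from performs the domain-specific check itself, several calls below a view that knows nothing about accounts. The `Principal` fields, role names and account identifiers are assumptions constructed for the example.

```python
from contextvars import ContextVar
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset            # coarse, page-level entitlements
    payable_accounts: frozenset  # domain-specific: accounts this user may pay from


# Request-scoped holder: set once by the authentication filter, readable by any
# code below it without threading a user argument through every signature.
_current_principal: ContextVar = ContextVar("current_principal")


class AuthorizationError(Exception):
    pass


def current_principal() -> Principal:
    try:
        return _current_principal.get()
    except LookupError:
        # Deep code called outside a request (a batch job, a test) fails closed.
        raise AuthorizationError("no authenticated principal in this context")


def issue_payment(account_id: str, amount_cents: int) -> dict:
    """Business layer, several frames below the view. The check lives here,
    where the account is known, instead of being pushed up into the page."""
    p = current_principal()
    if "ap_user" not in p.roles:
        raise AuthorizationError(f"{p.user_id} lacks the ap_user role")
    if account_id not in p.payable_accounts:
        raise AuthorizationError(f"{p.user_id} may not pay from {account_id}")
    return {"account": account_id, "amount_cents": amount_cents, "by": p.user_id}


def service_layer(account_id: str, amount_cents: int) -> dict:
    return issue_payment(account_id, amount_cents)


def accounts_payable_view(account_id: str, amount_cents: int) -> dict:
    """Presentation layer: has no idea which accounts are allowed, and need not."""
    return service_layer(account_id, amount_cents)


def handle_request(principal: Principal, account_id: str, amount_cents: int) -> dict:
    """Edge of the request: bind the principal for this call only, then unbind."""
    token = _current_principal.set(principal)
    try:
        return accounts_payable_view(account_id, amount_cents)
    finally:
        _current_principal.reset(token)   # never leak a principal into the next request


def try_payment(principal: Principal, account_id: str, amount_cents: int) -> str:
    """Convenience wrapper that turns the outcome into a string for display/tests."""
    try:
        handle_request(principal, account_id, amount_cents)
        return "allowed"
    except AuthorizationError as e:
        return f"denied: {e}"


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"ap_user"}), frozenset({"ACC-100", "ACC-200"}))
    bob = Principal("bob", frozenset({"viewer"}), frozenset({"ACC-100"}))
    print(try_payment(alice, "ACC-100", 2500))   # allowed
    print(try_payment(alice, "ACC-999", 2500))   # denied: wrong account
    print(try_payment(bob, "ACC-100", 2500))     # denied: wrong role
```

`contextvars` is the Python equivalent of the thread-local lookup the text mentions and also behaves correctly under asyncio; the `reset` in the `finally` block is the part that is easy to forget and that turns a lookup mechanism into a cross-request privilege leak when requests are served from a pool.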

3. Tags vs. Code in Views

Over the years, most web application development frameworks have made it practical to code entire views/server pages completely with tags; .NET's ASPX pages and Java's JSF pages are examples of this. Building exclusively with tags can sometimes be frustrating when you need to quickly add functionality inside a view and you don't have a ready-made tag for that function at your disposal. Some architects and lead developers impose a strict rule that all views must be composed entirely of tags; others are more liberal in their approach. Inevitably, the applications that allow developers to write inline code (e.g. PHP, classic ASP, or scriptlets in Java) have an incredibly tough time eradicating cross-site scripting. Rather than augmenting tags with output encoding once, developers need to manually escape every form of output in every view. A single decision can lead to tedious, error-prone work for years to come. If you do elect to offer the flexibility of one-off coding, make sure you use static analysis tools to find potential exposures as early as possible.
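The difference between the two styles in runnable form, as an added example (written for this page, not code from Security Compass or from any real template engine): the inline-code view interpolates the request parameter raw, the hand-escaped version is correct only because this particular developer remembered, and the tag-style renderer escapes every substitution on output unless the developer explicitly opts out. The `${name}` / `${name|raw}` syntax, the payload and the views are assumptions constructed for the example.

```python
import html
import re

# Constructed attacker input of the kind that lands in a "results for ..." page.
PAYLOAD = '"><script>alert(document.cookie)</script>'


def render_inline(query: str) -> str:
    """Inline-code style (scriptlet / classic ASP / PHP echo): raw interpolation.
    Every developer has to remember to escape at every single output point."""
    return f'<input name="q" value="{query}">'


def render_inline_fixed(query: str) -> str:
    """Same view, escaped by hand. Correct here, but it has to be repeated, and
    remembered, in every view that is ever written."""
    return f'<input name="q" value="{html.escape(query, quote=True)}">'


_PLACEHOLDER = re.compile(r"\$\{(\w+)(?:\|(raw))?\}")


def render_template(template: str, **ctx) -> str:
    """Tag-style rendering: every ${name} is HTML-escaped on output (quotes
    included, so attribute contexts are covered) unless the developer writes
    ${name|raw}. The unsafe path is the one that has to be asked for."""
    def substitute(m):
        value = str(ctx[m.group(1)])
        return value if m.group(2) == "raw" else html.escape(value, quote=True)
    return _PLACEHOLDER.sub(substitute, template)


def is_injected(markup: str) -> bool:
    """Crude oracle used below: did the payload survive as a live script tag?"""
    return "<script>" in markup


if __name__ == "__main__":
    print(render_inline(PAYLOAD))                                     # live script tag
    print(render_inline_fixed(PAYLOAD))                               # escaped
    print(render_template('<input name="q" value="${q}">', q=PAYLOAD))  # escaped by default
```

A static analysis rule for the inline style is essentially "find every interpolation that is not wrapped in an escape call"; with the tag style the rule collapses to "grep for `|raw`", which is why the auditing cost differs so much between the two decisions.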

4. Choice of Development Framework

Call us biased, but we really believe that the framework you choose will dramatically affect the speed at which you can prevent and remediate security vulnerabilities. Building anti-CSRF controls in Django is a matter of enabling the CSRF middleware or adding the @csrf_protect decorator to your view method. In most Java frameworks you need to build your own solution or use a third-party library such as OWASP's CSRFGuard. Generally speaking, the more security features built into the framework, the less time you have to spend adding these features to your own code or trying to integrate third-party components. Choosing a development framework that takes security seriously will lead to savings down the road. The Secure Web Application Framework Manifesto is an OWASP project designed to help you make that decision.

5. Logging and Monitoring Approach

Most web applications implement some level of diagnostic logging. From a design perspective, however, it is important to leverage logging as a measure of self-defense rather than purely as a debugging aid. The ability to detect failures and retrace steps can go a long way towards first spotting and then diagnosing a breach. We've found that security-specific application logging is not standardized and, as a result, any security-relevant application logging tends to be done inconsistently. When designing your logging strategy, we highly recommend differentiating security events from debugging or standard error events, to expedite the investigative process in the event of compromise. We also recommend using standard event codes for security events in order to facilitate monitoring. OWASP's ESAPI logging allows for event types that distinguish security events from regular logging events. The AppSensor project allows you to implement intrusion detection and automated responses inside your application.
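Both recommendations in one runnable form, as an added example (written for this page; it is not ESAPI or AppSensor code): security events go to their own logger as structured records carrying a fixed event code, and an AppSensor-style detection point consumes those codes to lock an account after repeated authentication failures. The event-code vocabulary, the threshold and the in-memory handler are assumptions constructed for the example; in production the handler would be a file, syslog or SIEM sink.

```python
import json
import logging
from collections import defaultdict, deque
from typing import Optional
import time

# Fixed event codes (constructed vocabulary). Monitoring rules match on the code,
# never on free-text messages that drift with every refactor.
AUTHN_FAIL = "SEC-AUTHN-001"
AUTHN_OK = "SEC-AUTHN-002"
AUTHZ_DENY = "SEC-AUTHZ-001"
RESPONSE_LOCK = "SEC-RESP-001"

# A logger dedicated to security events, separate from the debug/error logger, so
# it can be routed to its own sink and retained on its own schedule.
security_log = logging.getLogger("security")
security_log.setLevel(logging.INFO)


class MemoryHandler(logging.Handler):
    """Keeps parsed records in memory so the example runs offline."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(json.loads(record.getMessage()))


def log_security_event(code: str, user: str, ts: Optional[float] = None, **details) -> dict:
    """Emit one structured security event; returns it so a detector can consume it."""
    event = {"ts": time.time() if ts is None else ts, "code": code, "user": user, **details}
    security_log.info(json.dumps(event, sort_keys=True))
    return event


class FailedLoginDetector:
    """AppSensor-style detection point: `threshold` authentication failures for one
    user inside `window_s` seconds trigger an automated response (an account lock)."""

    def __init__(self, threshold: int = 5, window_s: float = 300.0):
        self.threshold = threshold
        self.window_s = window_s
        self._hits = defaultdict(deque)   # user -> timestamps of recent failures

    def observe(self, event: dict) -> str:
        if event["code"] != AUTHN_FAIL:   # only the code is inspected, not the message
            return "none"
        hits = self._hits[event["user"]]
        hits.append(event["ts"])
        while hits and event["ts"] - hits[0] > self.window_s:
            hits.popleft()                # forget failures that fell out of the window
        if len(hits) >= self.threshold:
            hits.clear()                  # one response per burst
            log_security_event(RESPONSE_LOCK, event["user"], ts=event["ts"],
                               action="lock", failures=self.threshold)
            return "lock"
        return "none"


if __name__ == "__main__":
    security_log.addHandler(logging.StreamHandler())
    detector = FailedLoginDetector(threshold=3, window_s=60)
    for t in (100.0, 110.0, 120.0):   # constructed burst from one source address
        print(detector.observe(log_security_event(AUTHN_FAIL, "mallory", ts=t, src="203.0.113.9")))
```

The response event is itself logged with a code, so an investigator can later reconstruct both what the attacker did and what the application did about it from the same stream.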

FOR ISSUES AND SOLUTIONS
http://www.isaca.org/KNOWLEDGE-CENTER/RESEARCH/ISSUES/Pages/default.aspx

    LATEST SECURITY ISSUES

Top Cyber Security Risks - Vulnerability Exploitation Trends

• Executive Summary
• Vulnerability Exploitation Trends
• Origin and Destination Analysis for 4 Key Attacks
• Application vs. Operating System Patching
• Tutorial: HTTP Client-Side Exploitation Example
• Zero-Day Vulnerability Trends
• Best Practices in Mitigation and Control
• HTTP Server Threats


    September 2009

Application Vulnerabilities Exceed OS Vulnerabilities

During the last few years, the number of vulnerabilities discovered in applications has been far greater than the number discovered in operating systems. As a result, more exploitation attempts are recorded against application programs. The most "popular" applications for exploitation tend to change over time, since the rationale for targeting a particular application often depends on factors like prevalence or the inability to patch it effectively. Due to the current trend of converting trusted web sites into malicious servers, browsers and the client-side applications that can be invoked by browsers seem to be consistently targeted.

Figure 1: Number of Vulnerabilities in Network, OS and Applications

Web Application Attacks

There appear to be two main avenues for exploiting and compromising web servers: brute-force password guessing attacks and web application attacks. Microsoft SQL Server, FTP, and SSH servers are popular targets for password guessing attacks because of the access that is gained if a valid username/password pair is identified. SQL injection, cross-site scripting and PHP file include attacks continue to be the three most popular techniques used for compromising web sites. Automated tools, designed to target custom web application vulnerabilities, make it easy to discover and infect several thousand web sites.

Windows: Conficker/Downadup

Attacks on Microsoft Windows operating systems were dominated by Conficker/Downadup worm variants. For the past six months, over 90% of the attacks recorded against Microsoft software targeted the buffer overflow vulnerability described in Microsoft Security Bulletin MS08-067. Although in much smaller proportion, Blaster and Sasser, the infamous worms from 2003 and 2004, continue to infect many networks.


    Figure 2: Attacks on Critical Microsoft Vulnerabilities (last 6 months)

    Figure 3: Attacks on Critical Microsoft Vulnerabilities (last 6 months)

    Apple: QuickTime and Six More

Apple has released patches for many vulnerabilities in QuickTime over the past year. QuickTime vulnerabilities account for most of the attacks being launched against Apple software. Note that QuickTime runs on both Mac and Windows operating systems. The following vulnerabilities should be patched for any QuickTime installation: CVE-2009-0007, CVE-2009-0003, CVE-2009-0957.


Figure 4: Attacks on Critical Apple Vulnerabilities (last 6 months)


Origin and Destination Analysis for Four Key Attacks

Over the past six months, we have seen some very interesting trends when comparing the country where various attacks originate to the country of the attack destination. In order to show these results, we have characterized and presented the data in relation to the most prevalent attack categories. The analysis performed for this report identified these attack categories as high-risk threats to most if not all networks, and as such they should be at the forefront of security practitioners' minds. These categories are Server-Side HTTP attacks, Client-Side HTTP attacks, PHP Remote File Include, Cross-site Scripting attacks, and finally SQL Injection attacks. As you might expect, there is some overlap in these categories, with the latter three being subsets of the first two. However, the trends we see when separating this data are worth pointing out.

The SQL Injection attacks that compose this category include "SQL Injection using SELECT SQL Statement", "SQL Injection Evasion using String Functions", and "SQL Injection using Boolean Identity". The most prominent "PHP Remote File Include attack" is one that looks for a very small HTTP request that includes a link to another website as a parameter and contains a very specific evasion technique, used by a number of attacks to increase their reliability. Also of note is a very specific attack against the "Zeroboard PHP" application, the only single application that made the top attacks. The final type of attack included in these statistics is one of the more popular "HTTP Connect Tunnel" attacks, which remains a staple in the Server-Side HTTP category. HTTP CONNECT tunnels are used for sending spam email via misconfigured HTTP servers that act as open proxies.

Looking at the breakdown by country, we see that the United States is by far the major attack target for the Server-Side HTTP attack category (Figure 5).


Figure 5: Server-Side HTTP Attacks by Destination Country (last 6 months)

For years, attack targets in the United States have presented greater value propositions for attackers, so this statistic really comes as no surprise.

An interesting spike in Server-Side HTTP attacks occurred in July 2009. This was entirely due to SQL Injection attacks using the SELECT command. Upon looking at the data, we saw a massive campaign from a range of IP addresses located at a very large Internet Service Provider (ISP). In this case, a number of machines located at a single colocation site may all have been compromised through the same vulnerability, because the machines were at the same patch level. In addition, a number of gambling sites took part in this attack, which peaked after hours on July Fourth, a major holiday in the United States.


Figure 6: Server-Side HTTP Attacks (last 6 months)

Finally, let's turn to the source of these HTTP Server-Side Attacks (Figure 7).

Figure 7: Server-Side HTTP Attacks by Source Country (last 6 months)

Here we see the United States as by far the largest origin, a pattern that has continued for some time. In many cases we believe these to be compromised machines that are then being used for further nefarious purposes. The next four countries on the HTTP Server-Side attacking list are Thailand, Taiwan, China, and the Republic of Korea. They also show up in other portions of this report, so this graph will be a useful reference in comparing some of the other attack categories and their relative magnitude.

The last six months have seen a lot of activity with SQL injection attacks. Some typical patterns emerge, with the United States being both the top source of and destination for SQL Injection events.

SQL Injection on the Internet can more or less be divided into two sub-categories: legitimate SQL injection and malicious SQL injection. Many web applications on the Internet still splice raw request parameters into SQL statements ("SQL injection") as part of their normal functionality; the only difference from an attack is intent. Web applications that legitimately use SQL injection are guaranteed to be vulnerable to the tools and techniques attackers use to perform malicious SQL injection. The servers that house these applications may have a higher compromise rate, not only because they are known to be vulnerable, but also because their defenders must distinguish legitimate from malicious injects in order to identify attacks at all.


    Figure 8: SQL Injection Attacks by Destination Country (last 6 months)

    Looking at the magnitude of these attacks broken down by month (Figure 9), we see the

    large-scale SQL Injection campaign pointed out in the Server-Side HTTP Attack section.

    A very large spike in SQL Injection attacks in July was caused mostly by an online advertiser

    who distributed code to many affiliates using SQL injection as functionality. The application

    was quickly pulled, resulting in a large drop in events for the month of August.

    Figure 9: SQL Injection Attacks (last 6 months)


The source distribution of many of these attacks is much more diverse than the destination. China is now the single largest source outside of the United States. Again, the overwhelming destination for these events is the United States (Figure 10).

Figure 10: SQL Injection Attacks by Source Country (last 6 months)

In conclusion, we cannot overstate the importance of protecting DMZ-based web applications from SQL Injection attacks. Increasingly, the ultimate objective of attackers is the acquisition of sensitive data. While the media may consistently report attacker targets as being credit cards and social security numbers, that is more due to the popular understanding of the marketability of this data; they are not the only valuable data types that can be compromised. Since SQL Injection attacks offer such easy access to data, it should be assumed that any valuable data stored in a database accessed by a web server is being targeted.
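The three SQL injection signatures the report names ("Boolean Identity", "Evasion using String Functions" and the plain SELECT statement) against a "legitimate SQL injection" lookup, as an added example written for this page (not code from the report or from any product). It also shows why a signature filter bolted onto such a lookup is not a fix: the string-function variant walks past a rule written for `OR 1=1`, while a bound parameter stops both. The table, rows, payloads and the blacklist regex are assumptions constructed for the example; it runs against an in-memory SQLite database.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a customer table behind a DMZ web application."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [("alice", "4242"), ("bob", "1111"), ("carol", "0005")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """'Legitimate SQL injection': the request parameter is spliced into the SELECT.
    Works fine for 'alice'; also works fine for the attacker."""
    sql = f"SELECT username, card_last4 FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


# A signature filter of the kind that gets added after the first incident. It is
# written for the classic numeric identity and nothing else.
BLACKLIST = re.compile(r"(?i)\bor\b\s+\d+\s*=\s*\d+")


def filter_blocks(username: str) -> bool:
    return BLACKLIST.search(username) is not None


def lookup_filtered(conn: sqlite3.Connection, username: str) -> list:
    """Same flaw with the filter in front. Looks safe in a demo, is not."""
    if filter_blocks(username):
        raise ValueError("rejected by filter")
    return lookup_vulnerable(conn, username)


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Bound parameter: the value is data to the engine and can never become
    part of the SQL grammar, whatever it contains."""
    return conn.execute(
        "SELECT username, card_last4 FROM customers WHERE username = ?", (username,)
    ).fetchall()


# Constructed payloads matching the report's categories.
BOOLEAN_IDENTITY = "x' OR 1=1 --"              # "SQL Injection using Boolean Identity"
STRING_FUNCTION = "x' OR substr('a',1,1)='a"   # "Evasion using String Functions"


if __name__ == "__main__":
    db = make_db()
    print("normal:", lookup_vulnerable(db, "alice"))
    print("identity, no filter:", lookup_vulnerable(db, BOOLEAN_IDENTITY))      # every row
    print("identity blocked by filter:", filter_blocks(BOOLEAN_IDENTITY))       # True
    print("string function past filter:", lookup_filtered(db, STRING_FUNCTION))  # every row
    print("parameterized:", lookup_parameterized(db, STRING_FUNCTION))          # []
```

The report's point that legitimate and malicious injects differ only in intent is visible in `lookup_vulnerable`: there is nothing in the function for a detector to key on, so on such a server the only reliable signal is the outcome (every row returned), which is too late.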

Although "PHP File Include" attacks have been popular, we have seen a notable decline in the overall number of attacks that have taken place. With the exception of a major attack campaign originating from Thailand in April, the number of PHP File Include attacks in August is less than half the March-to-May average.

There are many ways to protect against these attacks. Server configuration (for example, setting allow_url_include=Off in php.ini so that include() cannot fetch a remote URL in the first place), input sanitization, and network security equipment are all very good at deterring them, so it seems likely that the drop in total attacks is at least partly due to a positive response by application developers, system administrators, and security professionals. However, due to the extreme ease with which these attacks are carried out, and the enormous benefit of a successful attack (arbitrary PHP code is executed on the server), attacks such as these are likely to remain popular for some time.


Figure 11: PHP Remote File Include Attacks (last 6 months)

Let us look at the sources of "PHP Remote File Include" attacks. A major attack campaign was launched out of Thailand in April, which caused Thailand to show up at number 1 in this list.

Figure 12: PHP Remote File Include Attacks by Source Country (last 6 months)

Cross Site Scripting (XSS) is one of the most prevalent bugs in today's web applications. Unfortunately, developers often fall into the trap of introducing XSS bugs while creating custom code that connects all of the diverse web technologies that are so prevalent in today's Web 2.0 world. Another very common "use" of XSS is by various advertisers' analytics systems. For example, an advertiser's banner might be embedded in a web page that is set up to reflect some JavaScript off the advertiser's HTTP server for tracking purposes. In this case there is little risk, because the site in question (usually) has full control over its own page, so this request to the advertiser is not generally malicious. It is the "reflection" attacks, along with attacks that leverage flaws in form data handling, that make up the vast majority of the XSS attacks we have seen in the last six months.

Figure 13: XSS Attacks by Source Country (last 6 months)

Attacks sourced from the United States have been on a steady decline month-over-month. The Republic of Korea has seen a 50% reduction in the last 30 days. These two trends, however, have been offset by a sudden 20% increase in the last 30 days in attacks from Australia. The other three major players, namely Hong Kong, China and Taiwan, have remained stable over the past three-month period in this category.

Application Patching is Much Slower than Operating System Patching

Qualys scanners collect anonymized data on detected vulnerabilities to capture the changing dynamics in the vulnerability assessment field. The data documents changes such as the decline of server-side vulnerabilities and the corresponding rise of vulnerabilities on the client side, both in operating system components and in applications. A Top 30 ranking is often used to see whether major changes occur among the most frequently found vulnerabilities. Here is the ranking for the first half of 2009, edited to remove irrelevant data points such as 0-day vulnerabilities.

1. WordPad and Office Text Converters Remote Code Execution Vulnerability (MS09-010)
2. Sun Java Multiple Vulnerabilities (244988 and others)
3. Sun Java Web Start Multiple Vulnerabilities May Allow Elevation of Privileges (238905)
4. Java Runtime Environment Virtual Machine May Allow Elevation of Privileges (238967)
5. Adobe Acrobat and Adobe Reader Buffer Overflow (APSA09-01)
6. Microsoft SMB Remote Code Execution Vulnerability (MS09-001)
7. Sun Java Runtime Environment GIF Images Buffer Overflow Vulnerability
8. Microsoft Excel Remote Code Execution Vulnerability (MS09-009)
9. Adobe Flash Player Update Available to Address Security Vulnerabilities (APSB09-01)
10. Sun Java JDK JRE Multiple Vulnerabilities (254569)
11. Microsoft Windows Server Service Could Allow Remote Code Execution (MS08-067)
12. Microsoft Office PowerPoint Could Allow Remote Code Execution (MS09-017)
13. Microsoft XML Core Services Remote Code Execution Vulnerability (MS08-069)
14. Microsoft Visual Basic Runtime Extended Files Remote Code Execution Vulnerability (MS08-070)
15. Microsoft Excel Multiple Remote Code Execution Vulnerabilities (MS08-074)
16. Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution (MS09-028)
17. Microsoft Word Multiple Remote Code Execution Vulnerabilities (MS08-072)
18. Adobe Flash Player Multiple Vulnerabilities (APSB07-20)
19. Adobe Flash Player Multiple Security Vulnerabilities (APSB08-20)
20. Third Party CAPICOM.DLL Remote Code Execution Vulnerability
21. Microsoft Windows Media Components Remote Code Execution Vulnerability (MS08-076)
22. Adobe Flash Player Multiple Vulnerabilities (APSB07-12)
23. Microsoft Office Remote Code Execution Vulnerability (MS08-055)
24. Adobe Reader JavaScript Methods Memory Corruption Vulnerability (APSA09-02 and APSB09-06)
25. Microsoft PowerPoint Could Allow Remote Code Execution (MS08-051)
26. Processing Font Vulnerability in JRE May Allow Elevation of Privileges (238666)
27. Microsoft Office Could Allow Remote Code Execution (MS08-016)
28. Adobe Acrobat/Reader "util.printf()" Buffer Overflow Vulnerability (APSB08-19)
29. Adobe Acrobat and Adobe Reader Multiple Vulnerabilities (APSB08-15)
30. Windows Schannel Security Package Could Allow Spoofing Vulnerability (MS09-007)

Table 1: Qualys Top 30 in H1 2009

Some of the vulnerabilities listed in the table get addressed quickly by IT administrators: vulnerabilities in the base operating system class, for example, show a significant drop within even the first 15 days of their lifetime:


    Figure 14: Microsoft OS Vulnerabilities

But at least half of the vulnerabilities in the list, primarily vulnerabilities found in applications, receive less attention and get patched on a much slower timeline. Some of these applications, such as Microsoft Office and Adobe Reader, are very widely installed and so expose the many systems they run on to long-lived threats. The following graphs plot the number of vulnerabilities detected for Microsoft Office and Adobe Reader, normalized to the maximum number of vulnerabilities detected in the timeframe. Periodic drops in detection rates occur during weekends, when scanning focuses on servers rather than desktop machines and the detection rates of vulnerabilities in desktop software fall accordingly.

Figure 15: Microsoft PowerPoint and Adobe Vulnerabilities Patching Cycles

Attackers have long picked up on this opportunity and have switched to different types of attacks in order to take advantage of these vulnerabilities, using social engineering techniques to lure end users into opening documents received by e-mail, or infecting websites with links to documents that have exploits for these vulnerabilities embedded. These infected documents are not only placed on popular web sites that have a large number of visitors, but increasingly target the "long tail": the thousands of specialized websites that have smaller but very faithful audiences. By identifying and exploiting vulnerabilities in the Content Management Systems used by these sites, attackers can automate the infection process and reach thousands of sites in a matter of hours. Attacks using PDF vulnerabilities saw a large increase in late 2008 and 2009 as it became clear to attackers how easy it is to use this method to get control over a machine.

Adobe Flash has similar problems with the application of its updates: there are four Flash vulnerabilities in our Top 30 list that date back as far as 2007:


    Figure 16: Flash Vulnerabilities

Flash presents additional challenges: it does not have its own automatic update mechanism, and the Internet Explorer (ActiveX) plug-in has to be patched in a separate step from the plug-in used by other browsers. For users that have more than one browser installed, it is quite easy to forget to completely close Flash vulnerabilities and to remain vulnerable without knowing it.

One of the other software families that is high on the Top 30 list is Java, which is widely installed for running Java applets in the common browsers and, increasingly, for normal applications. Its patch cycle is quite slow, with the total number of vulnerabilities actually increasing as the introduction of new vulnerabilities outweighs the effect of patching. Java has the additional problem that, until recently, new versions did not uninstall the older code but only pointed the default execution paths to the new, fixed version; attack code could be engineered to take advantage of the well-known paths and continue to use the older, vulnerable Java engines.

    Figure 17: Sun Java Vulnerabilities


    Zero-Day Vulnerability Trends

    A zero-day vulnerability occurs when a flaw in software code is discovered and code exploiting the flaw appears before a fix or patch is available. Once a working exploit of the vulnerability has been released into the wild, users of the affected software will continue to be compromised until a software patch is available or some form of mitigation is taken by the user.

    "File Format Vulnerabilities" continue to be the first choice for attackers to conduct zero-day and targeted attacks. Most of the attacks continue to target Adobe PDF, Flash Player and Microsoft Office Suite (PowerPoint, Excel and Word) software. Multiple publicly available "fuzzing" frameworks make it easier to find these flaws. The vulnerabilities are often found in 3rd-party add-ons to these popular and wide-spread software suites, making the patching process more complex and increasing their potential value to attackers.

    The notable zero-day vulnerabilities during the past 6 months were:

    - Adobe Acrobat, Reader, and Flash Player Remote Code Execution Vulnerability (CVE-2009-1862)
    - Microsoft Office Web Components ActiveX Control Code Execution Vulnerability (CVE-2009-1136)
    - Microsoft Active Template Library Header Data Remote Code Execution Vulnerability (CVE-2008-0015)
    - Microsoft DirectX DirectShow QuickTime Video Remote Code Execution Vulnerability (CVE-2009-1537)
    - Adobe Reader Remote Code Execution Vulnerability (CVE-2009-1493)
    - Microsoft PowerPoint Remote Code Execution Vulnerability (CVE-2009-0556)

    The ease of finding zero-day vulnerabilities is a direct result of an overall increase in the number of people world-wide having the skills to discover vulnerabilities. This is evidenced by the fact that TippingPoint DVLabs often receives the same vulnerabilities from multiple sources.

    For example, MS08-031 (Microsoft Internet Explorer DOM Object Heap Overflow Vulnerability) was discovered independently by three researchers. The first researcher submitted the remote IE 6/7 critical vulnerability on Oct 22, 2007. A second independent researcher submitted the same vulnerability on April 23, 2008. A third independent researcher submitted the same vulnerability on May 19, 2008. All three submissions outlined different approaches to auditing for and finding the same vulnerability.

    The implication of increasing duplicate discoveries is fairly alarming, in that the main mitigation for vulnerabilities of this type is patching, which is an invalid strategy for protecting against zero-day exploits. There is a heightened risk from cyber criminals, who can discover zero-day vulnerabilities and exploit them for profit. Add to this that software vendors have not necessarily lowered their average time for patching vulnerabilities reported to them, and that TippingPoint is aware of a number of vulnerabilities that were reported to vendors two years ago and are still awaiting a patch.

    http://www.zerodayinitiative.com/advisories/upcoming/


    This makes zero-day exploits in client-side applications one of the most significant threats to your network, and requires that you put in place additional information security measures and controls to complement your vulnerability assessment and remediation activities.

    DEFENCE PRACTICES

    These controls reflect the consensus of many of the nation's top cyber defenders and attackers on which specific controls must be implemented first to mitigate known cyber threats.

    One of the most valuable uses of this report is to help organizations deploying the Twenty Critical Security Controls to be certain that no critical new attacks have been found that would force substantial changes in the Twenty Controls, and at the same time to help people who are implementing the Twenty Critical Security Controls to focus their attention on the elements of the controls that need to be completed most immediately.

    The Key Elements of these attacks and associated Controls:

    - User applications have vulnerabilities that can be exploited remotely.
        - Controls 2 (Inventory of Software), 3 (Secure Configurations), and 10 (Vulnerability Assessment and Remediation) can ensure that vulnerable software is accounted for, identified for defensive planning, and remediated in a timely manner. Control 5 (Boundary Defenses) can provide some prevention/detection capability when attacks are launched.
    - There is an increasing number of zero-days in these types of applications.
        - Control 12 (Malware Defenses) is the most effective at mitigating many of these attacks because it can ensure that malware entering the network is effectively contained. Controls 2, 3, and 10 have minimal impact on zero-day exploits, and Control 5 can provide some prevention/detection capabilities against zero-days as well as known exploits.
    - Successful exploitation grants the attacker the same privileges on the network as the user and/or host that is compromised.
        - Control 5 (Boundary Defenses) can ensure that compromised host systems (portable and static) can be contained. Controls 8 (Controlled Use of Administrative Privileges) and 9 (Controlled Access) limit what access the attacker has inside the enterprise once they have successfully exploited a user application.
    - The attacker is masquerading as a legitimate user but is often performing actions that are not typical for that user.
        - Controls 6 (Audit Logs) and 11 (Account Monitoring and Control) can help identify potentially malicious or suspicious behavior, and Control 18 (Incident Response Capability) can assist in both detection and recovery from a compromise.

    CRITICAL CONTROLS FOR PREVENTING ATTACKS

    1. Inventory of Authorized and Unauthorized Devices
    2. Inventory of Authorized and Unauthorized Software
    3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
    4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
    5. Boundary Defense
    6. Maintenance, Monitoring, and Analysis of Security Audit Logs
    7. Application Software Security
    8. Controlled Use of Administrative Privileges
    9. Controlled Access Based on Need to Know
    10. Continuous Vulnerability Assessment and Remediation
    11. Account Monitoring and Control
    12. Malware Defenses
    13. Limitation and Control of Network Ports, Protocols, and Services
    14. Wireless Device Control
    15. Data Loss Prevention

    Insider Threats vs. Outsider Threats

    A quick review of the critical controls may lead some readers to think that they are heavily focused on outsider threats and may, therefore, not fully deal with insider attacks. In reality, the insider threat is well covered in these controls in two ways. First, specific controls such as maintenance of security audit logs, control of administrative privileges, controlled access based on need to know, data loss prevention, and effective incident response all directly address the key ways that insider threats can be mitigated. Second, the insider and outsider threats sometimes merge as outsiders penetrate security perimeters and effectively become insiders.

    All of the controls that limit unauthorized access within the organization work to mitigate both insider and outsider threats. It is important to note that these controls are meant to deal with multiple kinds of computer attackers, including but not limited to malicious internal employees and contractors, independent individual external actors, organized crime groups, terrorists, and nation state actors, as well as mixes of these different threats. While these controls are designed to provide protection against each of these threats, very sophisticated, well-funded.

    Critical Control 1: Inventory of Authorized and Unauthorized Devices

    How do attackers exploit the lack of this control?

    Many criminal groups and nation states deploy systems that continuously scan address spaces of target organizations waiting for new, unprotected systems to be attached to the network. The attackers also look for laptops not up to date with patches because they are not frequently connected to the network. One common attack takes advantage of new hardware that is installed on the network one evening and not configured and patched with appropriate security updates until the following day. Attackers from anywhere in the world may quickly find and exploit such systems that are Internet-accessible. Furthermore, even for internal network systems, attackers who have already gained internal access may hunt for and compromise additional improperly secured internal computer systems. Some attackers use the local nighttime window to install backdoors on the systems before they are hardened.

    Additionally, attackers frequently look for experimental or test systems that are briefly connected to the network but not included in the standard asset inventory of an organization. Such experimental systems tend not to have as thorough security hardening or defensive measures as other systems on the network. Although these test systems do not typically hold sensitive data, they offer an attacker an avenue into the organization, and a launching point for deeper penetration.

    How can this control be implemented, automated, and its effectiveness measured?

    An accurate and up-to-date inventory, controlled by active monitoring and configuration management, can reduce the chance of attackers finding unauthorized and unprotected systems to exploit.

    1. QW: Deploy an automated asset inventory discovery tool and use it to build a preliminary asset inventory of systems connected to the enterprise network. Both active tools that scan through network address ranges, and passive tools that identify hosts based on analyzing their traffic, should be employed.

    2. Vis/Attrib: Maintain an asset inventory of all systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device. The inventory should include every system that has an IP address on the network, including, but not limited to, desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, Storage Area Networks, Voice-over-IP telephones, etc.

    3. Vis/Attrib: Ensure that network inventory monitoring tools are operational and continuously monitoring, keeping the asset inventory up to date on a real-time basis, looking for deviations from the expected inventory of assets on the network, and alerting security and/or operations personnel when deviations are discovered.

    4. Config/Hygiene: Secure the asset inventory database and related systems, ensuring that they are included in periodic vulnerability scans and that asset information is encrypted. Limit access to these systems to authorized personnel only, and carefully log all such access. For additional security, a secure copy of the asset inventory may be kept in an off-line system air-gapped from the production network.

    5. Config/Hygiene: In addition to an inventory of hardware, organizations should develop an inventory of information assets, which identifies their critical information, and maps critical information to the hardware assets (including servers, workstations, and laptops) on which it is located. A department and individual responsible for each information asset should be identified, recorded, and tracked.

    6. Config/Hygiene: To evaluate the effectiveness of automated asset inventory tools, periodically attach several hardened computer systems not already included in asset inventories to the network and measure the delay before each device connection is disabled or the installers confronted.

    7. Advanced: The organization's asset inventory should include removable media devices, including USB tokens, external hard drives, and other related information storage devices.

    Associated NIST SP 800-53 Rev 3 Priority 1 Controls:

    CM-8 (a, c, d, 2, 3, 4), PM-5, PM-6

    Procedures and tools for implementing and automating this control:

    Organizations must first establish information owners and asset owners, deciding and documenting which organizations and individuals are responsible for each component of information and device. Some organizations maintain asset inventories using specific large-scale enterprise commercial products dedicated to the task, or they use free solutions to track and then sweep the network periodically for new assets connected to the network. In particular, when effective organizations acquire new systems, they record the owner and features of each new asset, including its network interface MAC address, a unique identifier hard-coded into most network interface cards and devices. This mapping of asset attributes and owner to MAC address can be stored in a free or commercial database management system.

    Then, with the asset inventory assembled, many organizations use tools to pull information from network assets such as switches and routers regarding the machines connected to the network. Using securely authenticated and encrypted network management protocols, tools can retrieve MAC addresses and other information from network devices that can be reconciled with the organization's asset inventory of servers, workstations, laptops, and other devices.

    Going further, effective organizations configure free or commercial network scanning tools to perform network sweeps on a regular basis, such as every 12 hours, sending a variety of different packet types to identify devices connected to the network. Before such scanning can take place, organizations should verify that they have adequate bandwidth for such periodic scans by consulting load history and capacities for their networks. In conducting inventory scans, scanning tools could send traditional ping packets (ICMP Echo Request), looking for ping responses to identify a system at a given IP address. Because some systems block inbound ping packets, in addition to traditional pings, scanners can also identify devices on the network using TCP SYN or ACK packets. Once they have identified IP addresses of devices on the network, some scanners provide robust fingerprinting features to determine the operating system type of the discovered machine.

    In addition to active scanning tools that sweep the network, other asset identification tools passively listen on network interfaces looking for devices to announce their presence by sending traffic. Such passive tools can be connected to switch span ports at critical places in the network to view all data flowing through such switches, maximizing the chance of identifying systems communicating through those switches.

    Wireless devices (and wired laptops) may periodically join a network and then disappear, making the inventory of currently available systems churn significantly. Likewise, virtual machines can be difficult to track in asset inventories when they are shut down or paused, because they are merely files in some host machine's file system. Additionally, remote machines accessing the network using VPN technology may appear on the network for a time, and then be disconnected from it. Each machine, whether physical or virtual, directly connected to the network or attached via VPN, currently running or shut down, should be included in an organization's asset inventory.

    To evaluate the effectiveness of the asset inventory and its monitoring, an organization should connect a fully patched and hardened machine to the network on a regular basis, such as monthly, to determine whether that asset appears as a new item in the network scan, the automated inventory, and/or asset management database.

    Sandia National Labs takes the inventory a step further by requiring the name and contact information of a system administrator responsible for each element in its inventory. Such information provides near instantaneous access to the people in a position to take action when a system at a given IP address is found to have been compromised.
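The reconciliation step the procedures above describe, pulling MAC/IP data from switches, sweeping actively, listening passively and comparing all of it against the owner-to-MAC inventory, as an added example. This is not code from the report or from any inventory product it mentions; the inventory, switch table, sweep results and passive observations are constructed inline, and every address, host name and owner is hypothetical.

```python
"""Reconcile discovery results against a MAC-keyed asset inventory.

Added example, not code from the report. It assumes three constructed inputs
that the text describes in prose: an inventory keyed by MAC address, a MAC/IP
table pulled from switches, and the hosts seen by an active sweep and by a
passive listener. All addresses, names and owners are made up.
"""
from typing import Dict, List, Tuple

# Constructed asset inventory: MAC -> name/owner/department/expected IP.
ASSET_INVENTORY: Dict[str, dict] = {
    "00:11:22:33:44:01": {"name": "ws-finance-01", "owner": "J. Doe",     "dept": "Finance", "ip": "10.0.1.10"},
    "00:11:22:33:44:02": {"name": "srv-db-01",     "owner": "DBA team",   "dept": "IT",      "ip": "10.0.2.5"},
    "00:11:22:33:44:03": {"name": "lt-sales-07",   "owner": "A. Roe",     "dept": "Sales",   "ip": "10.0.1.42"},
    "00:11:22:33:44:04": {"name": "prn-floor2",    "owner": "Facilities", "dept": "Ops",     "ip": "10.0.1.200"},
}

# Constructed MAC/IP table as a switch would report it over an authenticated
# management protocol: (mac, ip, switch, port).
SWITCH_MAC_TABLE: List[Tuple[str, str, str, str]] = [
    ("00:11:22:33:44:01", "10.0.1.10", "sw-floor1", "Gi1/0/3"),
    ("00:11:22:33:44:02", "10.0.2.5",  "sw-dc1",    "Gi1/0/12"),
    ("00:11:22:33:44:99", "10.0.1.77", "sw-floor1", "Gi1/0/20"),  # never inventoried
]

# Constructed results of an active sweep (IPs that answered ICMP or TCP probes)
# and of a passive listener on a span port (IP -> MAC seen in traffic).
ACTIVE_SCAN_IPS: List[str] = ["10.0.1.10", "10.0.2.5", "10.0.1.77", "10.0.3.200", "10.0.4.9"]
PASSIVE_SEEN: Dict[str, str] = {"10.0.3.200": "00:11:22:33:44:03"}  # laptop on a new IP


def observed_by_mac(mac_table, passive) -> Dict[str, set]:
    """Merge switch and passive observations into MAC -> set of IPs seen."""
    seen: Dict[str, set] = {}
    for mac, ip, _switch, _port in mac_table:
        seen.setdefault(mac, set()).add(ip)
    for ip, mac in passive.items():
        seen.setdefault(mac, set()).add(ip)
    return seen


def reconcile(inventory, mac_table, active_ips, passive) -> Dict[str, list]:
    """Classify every observation against the inventory.

    unauthorized: MACs on the wire that are not in the inventory
    moved:        inventoried MACs seen on an IP other than the recorded one
    unaccounted:  IPs that answered the sweep but map to no known MAC
    missing:      inventoried MACs not seen by any data source
    """
    seen = observed_by_mac(mac_table, passive)
    seen_ips = {ip for ips in seen.values() for ip in ips}
    result: Dict[str, list] = {"unauthorized": [], "moved": [], "unaccounted": [], "missing": []}
    for mac, ips in sorted(seen.items()):
        if mac not in inventory:
            result["unauthorized"].append((mac, sorted(ips)))
        elif inventory[mac]["ip"] not in ips:
            result["moved"].append((mac, inventory[mac]["ip"], sorted(ips)))
    result["unaccounted"] = sorted(ip for ip in active_ips if ip not in seen_ips)
    result["missing"] = sorted(mac for mac in inventory if mac not in seen)
    return result


def alerts(result, inventory) -> List[str]:
    """Render findings as alert lines for security/operations staff."""
    lines = []
    for mac, ips in result["unauthorized"]:
        lines.append(f"UNAUTHORIZED device {mac} at {','.join(ips)}: not in inventory")
    for mac, expected, ips in result["moved"]:
        name, owner = inventory[mac]["name"], inventory[mac]["owner"]
        lines.append(f"MOVED {name} ({mac}, owner {owner}): expected {expected}, seen {','.join(ips)}")
    for ip in result["unaccounted"]:
        lines.append(f"UNACCOUNTED host at {ip}: answered sweep, no MAC/owner known")
    for mac in result["missing"]:
        lines.append(f"MISSING {inventory[mac]['name']} ({mac}): not seen by any source")
    return lines


if __name__ == "__main__":
    findings = reconcile(ASSET_INVENTORY, SWITCH_MAC_TABLE, ACTIVE_SCAN_IPS, PASSIVE_SEEN)
    for line in alerts(findings, ASSET_INVENTORY):
        print(line)
```

Running it reports one unauthorized device (the MAC on Gi1/0/20), one laptop that moved IP, one sweep responder with no MAC or owner on record, and one inventoried printer nobody saw. The "missing" class matters as much as "unauthorized": a device that never shows up is either off the network or evading the data sources, and either way the inventory is no longer known-good.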

    Critical Control 2: Inventory of Authorized and Unauthorized Software

    How do attackers exploit the lack of this control?

    Computer attackers deploy systems that continuously scan address spaces of target organizations looking for vulnerable versions of software that can be remotely exploited. Some attackers also distribute hostile web pages, document files, media files, and other content via their own web pages or otherwise trustworthy third-party sites. When unsuspecting victims access this content with a vulnerable browser or other client-side program, attackers compromise their machines, often installing backdoor programs and bots that give the attacker long-term control of the system. Some sophisticated attackers may use zero-day exploits, which take advantage of previously unknown vulnerabilities for which no patch has yet been released by the software vendor. Without proper knowledge or control of the software deployed in an organization, defenders cannot properly secure their assets.

    Without the ability to inventory and control which programs are installed and allowed to run on their machines, enterprises make their systems more vulnerable. Such poorly controlled machines are more likely to be either running software that is unneeded for business purposes, introducing potential security flaws, or running malware introduced by a computer attacker after system compromise. Once a single machine has been exploited, attackers often use it as a staging point for collecting sensitive information from the compromised system and from other systems connected to it. In addition, compromised machines are used as a launching point for movement throughout the network and partnering networks. In this way, attackers may quickly turn one compromised machine into many. Organizations that do not have complete software inventories are unable to find systems running vulnerable or malicious software to mitigate problems or root out attackers.

    How can this control be implemented, automated, and its effectiveness measured?

    1. QW: Devise a list of authorized software that is required in the enterprise for each type of system, including servers, workstations, and laptops of various kinds and uses.

    2. Vis/Attrib: Deploy software inventory tools throughout the organization covering each of the operating system types in use, including servers, workstations, and laptops. The software inventory system should track the version of the underlying operating system as well as the applications installed on it. Furthermore, the tool should record not only the type of software installed on each system, but also its version number and patch level. The tool should also monitor for unauthorized software installed on each machine. This unauthorized software also includes legitimate system administration software installed on inappropriate systems where there is no business need for it.

    3. Config/Hygiene: To evaluate the effectiveness of automated software inventory tools, periodically install several software updates and new packages on hardened control machines in the network and measure the delay before the software inventory indicates the changes. Such updates should be chosen for the control machines so that they do not negatively impact production systems on the network.

    4. Advanced: Deploy software white-listing technology that allows systems to run only approved applications and prevents execution of all other software on the system.

    Associated NIST SP 800-53 Rev 3 Priority 1 Controls:

    CM-1, CM-2 (2, 4, 5), CM-3, CM-5 (2, 7), CM-7 (1, 2), CM-8 (1, 2, 3, 4, 6), CM-9, PM-6, SA-6, SA-7

    Procedures and tools for implementing and automating this control:

    Commercial software and asset inventory tools are widely available and in use in many enterprises today. The best of these tools provide an inventory check of hundreds of common applications used in enterprises, pulling information about the patch level of each installed program to ensure that it is the latest version and leveraging standardized application names, such as those found in CPE.

    Features that implement whitelists and blacklists of programs allowed to run or blocked from executing are included in many modern end-point security suites. Moreover, commercial solutions are increasingly bundling together anti-virus, anti-spyware, personal firewall, and host-based Intrusion Detection Systems and Intrusion Prevention Systems (IDS and IPS), along with software white listing and black listing. In particular, most endpoint security solutions can look at the name, file system location, and/or cryptographic hash of a given executable to determine whether the application should be allowed to run on the protected machine. The most effective of these tools offer custom whitelists and blacklists based on executable path, hash, or regular expression matching. Some even include a graylist function that allows administrators to define rules for execution of specific programs only by certain users and at certain times of day, and blacklists based on specific signatures.

    Once software inventory and execution control products are deployed, they can be evaluated by attempting to run a blacklisted program or a program that is not on the whitelist. To test whitelist or blacklist solutions, the organization can define a specific benign executable for which the blacklist or whitelist would block execution, such as a simple benign single EXE file. They can then attempt to run the program and test whether execution is blocked and whether an alert is generated.
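The decision logic the two paragraphs above describe (hash and path whitelists, a hash blacklist, a user-and-time-of-day graylist, and the benign-EXE effectiveness test), as an added example written for this page rather than taken from the report or from any endpoint product. The "executables" are byte strings standing in for binaries, and the paths, users, hours and the psexec graylist rule are all constructed assumptions.

```python
"""Whitelist / blacklist / graylist execution decision for one executable.

Added example, not code from the report or from any endpoint suite. It models
the decision the text attributes to such products: match on cryptographic
hash, on file-system path (regular expression), or on a graylist rule that
restricts a program to named users and hours. Everything below is constructed.
"""
import hashlib
import re
from datetime import datetime
from typing import List, Tuple


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


# Constructed "executables": the bytes stand in for real binaries.
APPROVED_TOOL = b"MZ...approved reporting tool build 1.4 (constructed)"
KNOWN_BAD = b"MZ...sample matched by a signature (constructed)"
BENIGN_TEST_EXE = b"MZ...harmless single EXE used for control testing (constructed)"

# Policy. Hashes are exact; path rules are regular expressions; the graylist
# limits a program to listed users and hours of the day.
WHITELIST_HASHES = {sha256_hex(APPROVED_TOOL)}
WHITELIST_PATH_RES = [re.compile(r"^C:\\Program Files\\Approved\\[^\\]+\.exe$", re.IGNORECASE)]
BLACKLIST_HASHES = {sha256_hex(KNOWN_BAD)}
GRAYLIST = [
    {"path_re": re.compile(r"\\admintools\\psexec\.exe$", re.IGNORECASE),
     "users": {"admin-jane"}, "hours": range(8, 18)},   # business hours only
]


def decide(path: str, content: bytes, user: str, when: datetime) -> Tuple[str, str]:
    """Return ("allow" | "block", reason).

    Order: blacklist first, then graylist (so a graylisted admin tool is
    restricted even if its hash is also whitelisted), then the whitelists.
    Anything unmatched is blocked: default deny.
    """
    digest = sha256_hex(content)
    if digest in BLACKLIST_HASHES:
        return "block", "hash on blacklist"
    for rule in GRAYLIST:
        if rule["path_re"].search(path):
            if user in rule["users"] and when.hour in rule["hours"]:
                return "allow", "graylist: permitted user and time window"
            return "block", "graylist: user or time of day not permitted"
    if digest in WHITELIST_HASHES:
        return "allow", "hash on whitelist"
    if any(r.match(path) for r in WHITELIST_PATH_RES):
        return "allow", "path on whitelist"
    return "block", "not on whitelist"


def enforce(path: str, content: bytes, user: str, when: datetime, alert_log: List[str]) -> str:
    """Apply the decision and record an alert for every block."""
    verdict, reason = decide(path, content, user, when)
    if verdict == "block":
        alert_log.append(f"BLOCKED {path} for {user}: {reason}")
    return verdict


def control_test() -> Tuple[bool, bool]:
    """The effectiveness check from the text: run a benign EXE that is on no
    list and confirm (was it blocked, was exactly one alert generated)."""
    log: List[str] = []
    verdict = enforce(r"C:\Users\tester\Downloads\benign.exe", BENIGN_TEST_EXE,
                      "tester", datetime(2009, 8, 6, 10, 0), log)
    return verdict == "block", len(log) == 1


if __name__ == "__main__":
    print(control_test())
```

Note that the path whitelist only helps if the directory it names is write-protected for ordinary users; otherwise anyone can drop a binary into it and inherit the allow. The hash whitelist has no such dependency, which is why the strongest products the text mentions combine both.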

    Critical Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers

    How do attackers exploit the lack of this control?

    On both the Internet and internal networks that attackers have already compromised, automated computer attack programs constantly search target networks looking for systems that were configured with vulnerable software installed the way it was delivered from manufacturers and resellers, thereby being immediately vulnerable to exploitation. Default configurations are often geared to ease-of-deployment and ease-of-use and not security, leaving some systems exploitable in their default state. Attackers attempt to exploit both network-accessible services and browsing client software using such techniques.

    Defenses against these automated exploits include procuring computer and network components with the secure configurations already implemented, deploying such preconfigured hardened systems, updating these configurations on a regular basis, and tracking them in a configuration management system.

    How can this control be implemented, automated, and its effectiveness measured?

    1. QW: System images must have documented security settings that are tested before deployment, approved by an agency change control board, and registered with a central image library for the agency or multiple agencies. These images should be validated and refreshed on a regular basis (such as every six months) to update their security configuration in light of recent vulnerabilities and attack vectors.

    2. QW: Standardized images should represent hardened versions of the underlying operating system and the applications installed on the system, such as those released by NIST, NSA, DISA, the Center for Internet Security (CIS), and others. This hardening would typically include removal of unnecessary accounts, as well as the disabling or removal of unnecessary services. Such hardening also involves, among other measures, applying patches, closing open and unused network ports, implementing intrusion detection systems and/or intrusion prevention systems, and host-based firewalls.

    3. QW: Any deviations from the standard build or updates to the standard build should be documented and approved in a change management system.

    4. QW: Government agencies should negotiate contracts to buy systems configured securely out of the box using standardized images, which should be devised to avoid extraneous software that would increase their attack surface and susceptibility to vulnerabilities.

    5. QW: The master images themselves must be stored on securely configured servers, with integrity checking tools and change management to ensure only authorized changes to the images are possible. Alternatively, these master images can be stored in off-line machines, air-gapped from the production network, with images copied via secure media to move them between the image storage servers and the production network.

    6. Config/Hygiene: At least once per month, run assessment programs on a varying sample of systems to measure the number that are and are not configured according to the secure configuration guidelines.

    7. Config/Hygiene: Utilize file integrity checking tools on at least a weekly basis to ensure that critical system files (including sensitive system and application executables, libraries, and configurations) have not been altered. All alterations to such files should be automatically reported to security personnel. The reporting system should have the ability to account for routine and expected changes, highlighting unusual or unexpected alterations.

    8. Config/Hygiene: Implement and test an automated configuration monitoring system that measures all secure configuration elements that can be measured through remote testing, using features such as those included with SCAP-compliant tools to gather configuration vulnerability information. These automated tests should analyze both hardware and software changes, network configuration changes, and any other modifications affecting security of the system.

    9. Config/Hygiene: Provide senior executives with charts showing the number of systems that match configuration guidelines versus those that do not match, illustrating the change of such numbers month by month for each organizational unit.

    Associated NIST SP 800-53 Rev 3 Priority 1 Controls:

    CM-1, CM-2 (1, 2), CM-3 (b, c, d, e, 2, 3), CM-5 (2), CM-6 (1, 2, 4), CM-7 (1), SA-1 (a), SA-4 (5), SI-7 (3), PM-6

    Procedures and tools for implementing this control:

    Organizations can implement this control by developing a series of images and secure storage servers for hosting these standard images. Then, commercial and/or free configuration management tools can be employed to measure the settings of managed machines' operating system and applications to look for deviations from the standard image configurations used by the organization. Some configuration management tools require that an agent be installed on each managed system, while others remotely login to each managed machine using administrator credentials. Either approach or combinations of the two approaches can provide the information needed for this control.
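Item 7 above asks for file integrity checking that reports every alteration yet can account for routine, expected changes so that the unexpected ones stand out. The following is an added example of that reporting logic, written for this page and not taken from the report or from any integrity-checking product. It hashes a small system tree it builds itself in a temporary directory, takes that as the baseline from the known-good image, applies a mix of routine and suspicious changes, and separates the two; the file names, contents and the "expected" list are all constructed.

```python
"""File integrity check against a baseline, accounting for expected changes.

Added example, not code from the report or any FIM product. It assumes a
baseline of SHA-256 digests taken from a known-good image, re-hashes the tree
now, and reports routine alterations (for example a log that an approved job
appends to) separately from unexpected ones that should be escalated.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable


def hash_tree(root: str) -> Dict[str, str]:
    """Relative path (with '/' separators) -> SHA-256 of content for every file under root."""
    digests: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare(baseline: Dict[str, str], current: Dict[str, str],
            expected: Iterable[str]) -> Dict[str, list]:
    """Classify differences between baseline and current digests.

    Paths listed in `expected` are reported under "expected" (as (kind, path))
    instead of in the added/removed/modified lists, so the latter contain only
    what security staff actually need to look at.
    """
    expected_paths = set(expected)
    out: Dict[str, list] = {"added": [], "removed": [], "modified": [], "expected": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            kind = "removed"
        elif path not in baseline:
            kind = "added"
        elif baseline[path] != current[path]:
            kind = "modified"
        else:
            continue                      # unchanged
        if path in expected_paths:
            out["expected"].append((kind, path))
        else:
            out[kind].append(path)
    return out


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo() -> Dict[str, list]:
    """Build a constructed system tree, baseline it, change it, and compare."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/sshd", b"sshd binary (constructed)")
        _write(root, "etc/ssh/sshd_config", b"PermitRootLogin no\n")
        _write(root, "var/log/auth.log", b"Aug 6 00:00:01 login ok\n")
        baseline = hash_tree(root)
        # After the baseline: routine log growth (expected), a weakened config,
        # a replaced binary, and a new executable (all three unexpected).
        _write(root, "var/log/auth.log", b"Aug 6 00:00:01 login ok\nAug 6 00:05:00 login ok\n")
        _write(root, "etc/ssh/sshd_config", b"PermitRootLogin yes\n")
        _write(root, "bin/sshd", b"sshd binary (tampered, constructed)")
        _write(root, "bin/extra", b"unexpected new executable (constructed)")
        return compare(baseline, hash_tree(root), expected=["var/log/auth.log"])


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The baseline itself must be stored where the monitored host cannot rewrite it (the text's secure image servers or an air-gapped copy); an attacker who can alter `bin/sshd` can also alter a baseline kept beside it.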

    Critical Control 4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

    How do attackers exploit the lack of this control?

    Attackers take advantage of the fact that network devices may become less securely configured over time as users demand exceptions for specific and temporary business needs, the exceptions are deployed, and those exceptions are not undone when the business need is no longer applicable. Making matters worse, in some cases, the security risk of the exception is never properly analyzed, nor is this risk measured against the associated business need. Attackers search for electronic holes in firewalls, routers, and switches and use those to penetrate defenses. Attackers have exploited flaws in these network devices to gain access to target networks, redirect traffic on a network (to a malicious system masquerading as a trusted system), and to intercept and alter information while in transmission. Through such actions, the attacker gains access to sensitive data, alters important information, or even uses one compromised machine to pose as another trusted system on the network.

    How can this control be implemented, automated, and its effectiveness measured?

    1. QW: Compare firewall, router, and switch configuration against standard secure configurations defined for each type of network device in use in the organization. The security configuration of such devices should be documented, reviewed, and approved by an agency change control board. Any deviations from the standard configuration or updates to the standard configuration should be documented and approved in a change control system.

    2. QW: At network interconnection points, such as Internet gateways, inter-agency connections, and internal network segments with different security controls, implement ingress and egress filtering to allow only those ports and protocols with a documented business need. All other ports and protocols besides those with an explicit need should be blocked with default-deny rules by firewalls, network-based IPSs, and/or routers.

    3. QW: Network devices that filter unneeded services or block attacks (including firewalls, network-based Intrusion Prevention Systems, routers with access control lists, etc.) should be tested under laboratory conditions with each given organization's configuration to ensure that these devices exhibit failure behavior in a closed/blocking fashion under significant loads with traffic including a mixture of legitimate, allowed traffic for that configuration intermixed with attacks at line speeds.

    4. Config/Hygiene: All new configuration rules beyond a baseline-hardened configuration that allow traffic to flow through network security devices, such as firewalls and network-based IPSs, should be documented and recorded in a configuration management system, with a specific business reason for each change, a specific individual's name responsible for that business need, and an expected duration of the need. At least once per quarter, these rules should be reviewed to determine whether they are still required from a business perspective. Expired rules should be removed.

    5. Config/Hygiene: Network filtering technologies employed between networks with different security levels (firewalls, network-based IPS tools, and routers with ACLs) should be deployed with capabilities to filter IPv6 traffic. Even if IPv6 is not explicitly used on the network, many operating systems today ship with IPv6 support activated, and therefore filtering technologies need to take it into account.

    6. Config/Hygiene: Network devices should be managed using two-factor authentication and encrypted sessions. Only true two-factor authentication mechanisms should be used, such as a password and a hardware token, or a password and biometric device. Requiring two different passwords for accessing a system is not two-factor authentication.

    7. Advanced: The network infrastructure should be managed across network connections that are separated from the business use of that network, relying on separate VLANs or preferably relying on entirely different physical connectivity for management sessions for network devices.

    Associated NIST SP 800-53 Rev 3 Priority 1 Controls:

    AC-4 (7, 10, 11, 16), CM-1, CM-2 (1), CM-3 (2), CM-5 (1, 2, 5), CM-6 (4), CM-7 (1, 3), IA-2 (1, 6), IA-5, IA-8, RA-5, SC-7 (2, 4, 5, 6, 8, 11, 13, 14, 18), SC-9

Procedures and tools for implementing this control:

Port scanners and most vulnerability scanning tools can be used to attempt to launch packets through the device, measuring all TCP and UDP ports allowed through. This measures the effectiveness of the filter's configuration and implementation. A sniffer can be set up on the other side of the filtering device to determine which packets are allowed through, and which are blocked. The results of the test can be matched against the list of traffic types and network services that should be allowed through the device both inbound and outbound according to policy (defined by the documented business needs for each allowed service), thereby identifying misconfigured filters. Such measurement should be conducted at least every quarter, and also when significant changes are made to firewall rule sets and router access control lists.

Going further, some organizations use commercial tools that evaluate the rule set of network filtering devices to determine whether they are consistent or in conflict, providing an automated sanity check of network filters and searching for errors in rule sets or ACLs that may allow unintended services through the device. Such tools should be run each time significant changes are made to firewall rule sets, router ACLs, or other filtering technologies.
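The two checks described above, as an added example that is not code from this document or from any product it references: a Python script that matches the ports a sniffer observed passing a filtering device against the documented allow-list, and a first-match rule-set sanity check that flags rules shadowed by an earlier rule (redundant when the actions agree, conflicting when they differ). The allow-list, ticket references, observed ports and rule set are all constructed sample data; commercial rule analyzers do far more than this minimal illustration.

```python
"""
Added example (not from the Critical Controls text): two checks from the
procedures section, run on constructed sample data.

1. check_filter_against_policy(): compare the TCP/UDP ports a scanner was
   able to push through a filtering device (as seen by a sniffer on the far
   side) with the documented allow-list, and report both ports the filter let
   through without a documented need and documented services it wrongly blocked.
2. find_shadowed_rules(): a first-match rule-set sanity check that flags rules
   that can never fire because an earlier rule already covers their traffic.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

# Constructed allow-list: (protocol, port) pairs with a documented business need.
DOCUMENTED_ALLOW = {
    ("tcp", 443): "Public web (ticket FW-0102, owner: web team)",
    ("tcp", 25): "Inbound mail relay (ticket FW-0115, owner: messaging team)",
    ("udp", 53): "Authoritative DNS (ticket FW-0090, owner: network team)",
}

# Constructed sniffer observation on the far side of the filter: the ports the
# scan packets actually traversed, per protocol.
OBSERVED_OPEN = {
    "tcp": {443, 25, 3389},   # 3389 has no documented need -> misconfiguration
    "udp": {53, 161},         # 161 (SNMP) has no documented need
}


def check_filter_against_policy(observed, allow):
    """Return (unexpected, missing): unexpected = observed (proto, port) pairs
    without a documented need; missing = documented pairs the filter blocked."""
    observed_pairs = {(proto, port) for proto, ports in observed.items() for port in ports}
    unexpected = sorted(observed_pairs - set(allow))
    missing = sorted(set(allow) - observed_pairs)
    return unexpected, missing


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR
    dst: str               # CIDR
    port: Optional[int]    # None = any destination port


def _covers(outer, inner):
    """True if every packet matched by `inner` is also matched by `outer`."""
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    port_ok = outer.port is None or outer.port == inner.port
    src_ok = ip_network(inner.src).subnet_of(ip_network(outer.src))
    dst_ok = ip_network(inner.dst).subnet_of(ip_network(outer.dst))
    return proto_ok and port_ok and src_ok and dst_ok


def find_shadowed_rules(rules):
    """For a first-match rule set, return (shadowed_rule, by_rule, kind) tuples,
    where kind is 'redundant' (same action) or 'conflict' (different action)."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "conflict"
                findings.append((later.name, earlier.name, kind))
                break   # the first covering rule is the one that wins
    return findings


# Constructed rule set, evaluated top-down, first match wins.
SAMPLE_RULES = [
    Rule("r1-web", "allow", "tcp", "0.0.0.0/0", "203.0.113.0/24", 443),
    Rule("r2-any-dmz", "allow", "any", "0.0.0.0/0", "203.0.113.0/24", None),
    Rule("r3-block-rdp", "deny", "tcp", "0.0.0.0/0", "203.0.113.10/32", 3389),   # shadowed by r2: conflict
    Rule("r4-web-dup", "allow", "tcp", "198.51.100.0/24", "203.0.113.0/24", 443),  # shadowed by r1: redundant
    Rule("r5-default", "deny", "any", "0.0.0.0/0", "0.0.0.0/0", None),
]

if __name__ == "__main__":
    unexpected, missing = check_filter_against_policy(OBSERVED_OPEN, DOCUMENTED_ALLOW)
    print("ports allowed through without a documented need:", unexpected)
    print("documented services the filter blocked:", missing)
    for shadowed, by, kind in find_shadowed_rules(SAMPLE_RULES):
        print(f"{shadowed} is {kind}: never reached because {by} matches first")
```

The rule check only models protocol, addresses and destination port, which is enough to show why r3 never blocks anything once r2 precedes it; a real analyzer would also consider source ports, interfaces, zones and IPv6.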

Critical Control 5: Boundary Defense

How do attackers exploit the lack of this control?

Attackers focus on exploiting systems that they can reach across the Internet, which include not only DMZ systems, but also workstation and laptop computers that pull content from the Internet through network boundaries. Threats such as organized crime groups and nation states use configuration and architectural weaknesses found on perimeter systems, network devices, and Internet-accessing client machines to gain initial access into an organization. Then, with a base of operations on these machines, attackers often pivot to get deeper inside the boundary to steal or change information or to set up a persistent presence for later attacks against internal hosts. Additionally, many attacks occur between business partner networks, sometimes referred to as extranets, as attackers hop from one organization's network to another, exploiting vulnerable systems on extranet perimeters.

To control the flow of traffic through network borders and to police its content looking for attacks and evidence of compromised machines, boundary defenses should be multi-layered, relying on firewalls, proxies, DMZ perimeter networks, and network-based Intrusion Prevention Systems and Intrusion Detection Systems.

It should be noted that boundary lines between internal and external networks are diminishing through increased interconnectivity within and between organizations, as well as the rapid rise in deployment of wireless technologies. These blurring lines sometimes allow attackers to gain access inside networks while bypassing boundary systems. However, even with this blurring, effective security deployments still rely on carefully configured boundary defenses that separate networks with different threat levels, different sets of users, and different levels of control. Even with the blurring of internal and external networks, effective multi-layered defenses of perimeter networks help to lower the number of successful attacks, allowing security personnel to focus on attackers who have devised methods to bypass boundary restrictions.

How can this control be implemented, automated, and its effectiveness measured?

The boundary defenses included in this control build on Critical Control 4, with these additional recommendations focused on improving the overall architecture and implementation of both Internet and internal network boundary points. Internal network segmentation is central to this control because once inside a network, many intruders attempt to target the most sensitive machines. Usually, internal network protections are not set up to defend against an internal attacker. Setting up even a basic level of security segmentation across the network and protecting each segment with a proxy and a firewall will greatly reduce the intruder's access to the other parts of the network.

1. QW: Organizations should deny communications with (or limit data flow to) known malicious IP addresses (blacklists) or limit access to trusted sites (whitelists). Periodically, test packets from bogon source IP addresses should be sent into the network to verify that they are not transmitted through network perimeters. Lists of bogon addresses (unroutable or otherwise unused IP addresses) are publicly available on the Internet from various sources, and indicate a series of IP addresses that should not be used for legitimate traffic traversing the Internet.

2. QW: Deploy IDS sensors on Internet and extranet DMZ systems and networks that look for unusual attack mechanisms and detect compromise of these systems. These IDS sensors may detect attacks through the use of signatures, network behavior analysis, or other mechanisms to analyze traffic.

3. QW: On DMZ networks, monitoring systems (which may be built in to the IDS sensors or deployed as a separate technology) should be configured to record at least packet header information, and preferably full packet header and payloads of the traffic destined for or passing through the network border.

4. Vis/Attrib: Define a network architecture that clearly separates internal systems from DMZ systems and extranet systems. DMZ systems are machines that need to communicate with the internal network as well as the Internet, while extranet systems are systems whose primary communication is with other systems at a business partner.

5. Vis/Attrib: Design and implement network perimeters so that all outgoing web, FTP, and secure shell traffic to the Internet must pass through at least one proxy on a DMZ network. The proxy should support logging individual TCP sessions; blocking specific URLs, domain names, and IP addresses to implement a blacklist; and applying whitelists of allowed sites that can be accessed through the proxy while blocking all other sites.

6. Vis/Attrib: Require all remote login access (including VPN, dial-up, and other forms of access that allow login to internal systems) to use two-factor authentication.

7. Config/Hygiene: All devices remotely logging into the internal network should be managed by the enterprise, with remote control of their configuration, installed software, and patch levels.

8. Config/Hygiene: Organizations should periodically scan for back-channel connections to the Internet that bypass the DMZ, including unauthorized VPN connections and dual-homed hosts connected to the enterprise network and to other networks via wireless, dial-up modems, or other mechanisms.

9. Config/Hygiene: To limit access by an insider or malware spreading on an internal network, organizations should devise internal network segmentation schemes to limit traffic to only those services needed for business use across the internal network.

10. Config/Hygiene: Organizations should develop plans for rapidly deploying filters on internal networks to help stop the spread of malware or an intruder.

11. Advanced: Organizations should force outbound traffic to the Internet through an authenticated proxy server on the enterprise perimeter.

12. Advanced: To help identify covert channels exfiltrating data through a firewall, built-in firewall session tracking mechanisms included in many commercial firewalls should be configured to identify long-term TCP sessions that last an unusually long time for the given organization and firewall device, alerting personnel about the source and destination addresses associated with these long-term sessions.

Associated NIST SP 800-53 Rev 3 Priority 1 Controls:
AC-17 (1), AC-20, CA-3, IA-2 (1, 2), IA-8, RA-5, SC-7 (1, 2, 3, 8, 10, 11, 14), SC-18, SI-4 (c, 1, 4, 5, 11), PM-7

Procedures and tools for implementing this control:

One element of this control can be implemented using free or commercial IDSs and sniffers to look for attacks from external sources directed at DMZ and internal systems, as well as attacks originating from internal systems against the DMZ or Internet. Security personnel should regularly test these sensors by launching vulnerability-scanning tools against them to verify that the scanner traffic triggers an appropriate alert. The captured packets of the IDS sensors should be reviewed using an automated script each day to ensure that log volumes are within expected parameters and that the logs are formatted properly and have not been corrupted.

Additionally, packet sniffers should be deployed on DMZs to look for HTTP traffic that bypasses HTTP proxies. By sampling traffic regularly, such as over a 3-hour period once per week, information security personnel search for HTTP traffic that is neither sourced by nor destined for a DMZ proxy, implying that the requirement for proxy use is being bypassed.

To identify back-channel connections that bypass approved DMZs, network security personnel can establish an Internet-accessible system to use as a receiver for testing outbound access. This system is configured with a free or commercial packet sniffer. Then, security personnel connect a sending test system to various points on the organization's internal network, sending easily identifiable traffic to the sniffing receiver on the Internet. These packets can be generated using free or commercial tools with a payload that contains a custom file used for the test. When the packets arrive at the receiver system, the source address of the packets should be verified against acceptable DMZ addresses allowed for the organization. If source addresses are discovered that are not included in legitimate, registered DMZs, more detail can be gathered by using a traceroute tool to determine the path packets take from the sender to the receiver system.
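Three of the boundary-defense checks above, as an added example that is not code from this document or from any firewall or IDS product: item 1 (inbound packets from bogon sources should never cross the perimeter), item 11 together with the proxy-bypass sampling in the procedures section (outbound web sessions must be sourced by the DMZ proxy), and item 12 (unusually long TCP sessions as candidate covert channels), all run over constructed firewall session records in an assumed key=value format. The bogon prefix list is a deliberately partial subset, the proxy address and duration threshold are assumptions, and the addresses are documentation ranges.

```python
"""
Added example (not from the Critical Controls text): three boundary-defense
checks from Critical Control 5, run over constructed firewall session records.

- find_bogon_ingress(): inbound sessions whose source is an unroutable or
  special-use address (item 1).
- find_proxy_bypass(): outbound web sessions not sourced by the DMZ proxy
  (item 11 and the sniffer sampling in the procedures section).
- find_long_sessions(): TCP sessions longer than a site-specific threshold
  (item 12).
The record format, addresses, proxy address and threshold are all assumptions.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed subset of special-use prefixes (RFC 5735 / RFC 6890). The three
# documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are
# deliberately left out so they can stand in for routable addresses in the
# sample below; a real bogon list includes them and is refreshed from a
# published source rather than hard-coded.
BOGON_PREFIXES = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
)]

DMZ_PROXIES = {"203.0.113.5"}          # assumed address of the outbound web proxy
WEB_PORTS = {80, 443}
LONG_SESSION_SECONDS = 8 * 3600        # assumed threshold; tune per organization

# Constructed session records in an assumed key=value format (dur in seconds).
SAMPLE_LOG = """\
2019-08-06T10:00:01Z dir=in proto=tcp src=198.51.100.7 sport=51514 dst=203.0.113.10 dport=443 dur=12
2019-08-06T10:00:05Z dir=in proto=tcp src=10.9.8.7 sport=4444 dst=203.0.113.10 dport=22 dur=3
2019-08-06T10:01:00Z dir=out proto=tcp src=203.0.113.5 sport=40000 dst=198.51.100.20 dport=80 dur=2
2019-08-06T10:02:00Z dir=out proto=tcp src=192.168.4.23 sport=40001 dst=198.51.100.21 dport=80 dur=4
2019-08-06T10:03:00Z dir=out proto=tcp src=192.168.4.50 sport=40002 dst=198.51.100.99 dport=443 dur=90000
2019-08-06T10:04:00Z dir=in proto=udp src=169.254.1.1 sport=53 dst=203.0.113.10 dport=53 dur=1
2019-08-06T10:05:00Z dir=out proto=tcp src=203.0.113.5 sport=40003 dst=198.51.100.30 dport=443 dur=30000
"""

_LINE = re.compile(
    r"^(?P<ts>\S+) dir=(?P<dir>in|out) proto=(?P<proto>\w+) src=(?P<src>\S+) "
    r"sport=(?P<sport>\d+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) dur=(?P<dur>\d+)$"
)


def parse_records(text):
    """Parse the constructed log into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        r["sport"], r["dport"], r["dur"] = int(r["sport"]), int(r["dport"]), int(r["dur"])
        records.append(r)
    return records


def is_bogon(addr):
    ip = ip_address(addr)
    return any(ip in net for net in BOGON_PREFIXES)


def find_bogon_ingress(records):
    """Inbound sessions with a bogon source: the perimeter should have dropped them."""
    return [r["src"] for r in records if r["dir"] == "in" and is_bogon(r["src"])]


def find_proxy_bypass(records, proxies=DMZ_PROXIES):
    """Outbound web sessions whose source is not an approved DMZ proxy."""
    return [r["src"] for r in records
            if r["dir"] == "out" and r["dport"] in WEB_PORTS and r["src"] not in proxies]


def find_long_sessions(records, max_seconds=LONG_SESSION_SECONDS):
    """TCP sessions lasting longer than the site threshold, as (src, dst, dur)."""
    return [(r["src"], r["dst"], r["dur"]) for r in records
            if r["proto"] == "tcp" and r["dur"] > max_seconds]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("bogon sources seen inbound:", find_bogon_ingress(recs))
    print("web sessions bypassing the proxy:", find_proxy_bypass(recs))
    print("long-lived TCP sessions:", find_long_sessions(recs))
```

The long-session threshold is the part that needs local tuning: the text asks for sessions that are unusual for the given organization and device, so a baseline of normal session durations per service should set the value rather than a fixed number.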

Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs

How do attackers exploit the lack of this control?

Deficiencies in security logging and analysis allow attackers to hide their location, malicious software used for remote control, and activities on victim machines. Even if the victims know that their systems were compromised, without protected and complete logging records, the victim is blind to the details of the attack and to the subsequent actions taken by the attackers. Without solid audit logs, an attack may go unnoticed indefinitely and the particular damages done may be irreversible.

Sometimes logging records are the only evidence of a successful attack. Many organizations keep audit records for compliance purposes but attackers rely on the fact that such organizations rarely look at the audit logs so they do not know that their systems have been compromised. Because of poor or non-existent log analysis processes, attackers sometimes control victim machines for months or years without anyone in the target organization knowing, even though the evidence of the attack has been recorded in unexamined log files.

How can this control be implemented, automated, and its effectiveness measured?

1. QW: Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression (CEE) initiative. If systems cannot generate logs in a standardized format, deploy log normalization tools to convert logs into a standardized format.

2. QW: Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals.

3. QW: System administrators and security personnel should devise profiles of common events from given systems, so that they can tune detection to focus on unusual activity, avoid false positives, more rapidly identify anomalies, and prevent overwhelming analysts with insignificant alerts.

4. QW: All remote access to an internal network, whether through VPN, dial-up, or other mechanism, should be logged verbosely.

5. QW: Operating systems should be configured to log access control events associated with a user attempting to access a resource (e.g., a file or directory) without the appropriate permissions.

6. QW: Security personnel and/or system administrators should run bi-weekly reports that identify anomalies in logs. They should then actively review the anomalies, documenting their findings.

7. Vis/Attrib: Each agency network should include at least two synchronized time sources, from which all servers and network equipment retrieve time information on a regular basis, so that timestamps in logs are consistent.

8. Vis/Attrib: Network boundary devices, including firewalls, network-based IPSs, and inbound and outbound proxies should be configured to log verbosely all traffic (both allowed and blocked) arriving at the device.

9. Vis/Attrib: For all servers, organizations should ensure logs are written to write-only devices or to dedicated logging servers running on separate machines from hosts generating the event logs, lowering the chance that an attacker can manipulate logs stored locally on compromised machines.

10. Config/Hygiene: Organizations should periodically test the audit analysis process by creating controlled, benign events in logs and monitoring devices and measuring the amount of time that passes before the events are discovered and action is taken. Ensure that a trusted person is in place to coordinate activities between the incident response team and the personnel conducting such tests.

11. Advanced: Organizations should deploy a Security Event/Information Management (SEIM) system tool for log aggregation and consolidation from multiple machines and for log correlation and analysis. Deploy and monitor standard government scripts for analysis of the logs, as well as using customized local scripts. Furthermore, event logs should be correlated with information from vulnerability scans to fulfill two goals. First, personnel should verify that the activity of the regular vulnerability scanning tools themselves is logged. And, secondly, personnel should be able to correlate attack detection events with earlier vulnerability scanning results to determine whether the given exploit was used against a known-vulnerable target.

Associated NIST SP 800-53 Rev 3 Priority 1 Controls:
AC-17 (1), AC-19, AU-2 (4), AU-3 (1, 2), AU-4, AU-5, AU-6 (a, 1, 5), AU-8, AU-9 (1, 2), AU-12 (2), SI-4 (8)

Procedures and tools for implementing this control:

Most free and commercial operating systems, network services, and firewall technologies offer logging capabilities. Such logging should be activated, with logs sent to centralized logging servers. Firewalls, proxies, and remote access systems (VPN, dial-up, etc.) should all be configured for verbose logging, storing all the information available for logging should a follow-up investigation be required. Furthermore, operating systems, especially those of servers, should be configured to create access control logs when a user attempts to access resources without the appropriate privileges. To evaluate whether such logging is in place, an organization should periodically scan through its logs and compare them with the asset inventory assembled as part of Critical Control 1, to ensure that each managed item actively connected to the network is periodically generating logs.

Analytical programs for reviewing logs can be useful, but the capabilities employed to analyze audit logs are quite wide-ranging, including just a cursory examination by a human. Actual correlation tools can make audit logs far more useful for subsequent manual inspection by people. Such tools can be quite helpful in identifying subtle attacks. However, these tools are neither a panacea nor a replacement for skilled information security personnel and system administrators. Even with automated log analysis tools, human expertise and intuition are often required to identify and understand attacks.
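The log-validation steps of this control, as an added example that is not code from this document or from any SEIM or normalization product: a Python script that converts two assumed vendor log formats into one standardized record (the job of the normalization tools in item 1) while checking that each record carries a date/time, source and destination, then compares the hosts that produced logs against the asset inventory as the procedures section describes, and pulls out the access-control denials item 5 asks servers to log. Host names, addresses, line formats and the inventory are all constructed.

```python
"""
Added example (not from the Critical Controls text): log validation and
coverage checks from Critical Control 6, on constructed log lines.

- normalize(): convert two assumed vendor formats into one standardized record
  and report which required elements (date/time, source, destination) a line lacks.
- hosts_missing_logs(): compare the hosts that produced log lines with the
  asset inventory, as the procedures section describes.
- denied_access_events(): pull out access-control failures (item 5).
All formats, host names and addresses here are constructed.
"""
import re
from datetime import datetime, timezone

# Constructed asset inventory (what Critical Control 1 would supply).
ASSET_INVENTORY = {"fw-edge-1", "proxy-dmz-1", "srv-files-1", "srv-db-1"}

# Constructed lines in two assumed formats: a firewall key=value line with an
# ISO timestamp, and a syslog-style server access-control line.
SAMPLE_LINES = [
    "2019-08-06T10:00:01Z fw-edge-1 action=deny proto=tcp src=198.51.100.7:51514 dst=203.0.113.10:23",
    "2019-08-06T10:00:02Z fw-edge-1 action=allow proto=tcp src=198.51.100.7:51515 dst=203.0.113.10:443",
    "2019-08-06T10:00:03Z proxy-dmz-1 action=allow proto=tcp src=192.168.4.23:40001 dst=198.51.100.21:80",
    "Aug  6 10:00:04 srv-files-1 access: user=alice resource=/finance/q3.xlsx result=DENIED",
    "Aug  6 10:00:05 srv-files-1 access: user=bob resource=/public/readme.txt result=OK",
    "garbage line without a timestamp",
]

_FW = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
                 r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$")
_ACCESS = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"access: user=(?P<user>\S+) resource=(?P<resource>\S+) result=(?P<result>\w+)$")

REQUIRED = ("ts", "host", "src", "dst")   # the elements item 1 says every log must carry


def normalize(line, year=2019):
    """Return (record, missing_fields). record is None for unparseable lines.
    Every standardized record carries the same keys, so downstream analysis
    needs only one parser regardless of the producing system."""
    m = _FW.match(line)
    if m:
        rec = {"ts": m["ts"], "host": m["host"], "src": m["src"], "dst": m["dst"],
               "action": m["action"], "category": "network"}
    else:
        m = _ACCESS.match(line)
        if not m:
            return None, list(REQUIRED)
        # syslog-style stamps lack a year and zone: assume the given year and UTC
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        rec = {"ts": ts.replace(tzinfo=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
               "host": m["host"], "src": m["user"], "dst": m["resource"],
               "action": "deny" if m["result"] == "DENIED" else "allow",
               "category": "access"}
    missing = [k for k in REQUIRED if not rec.get(k)]
    return rec, missing


def normalize_all(lines):
    """Standardized records plus the lines that could not be normalized."""
    records, rejected = [], []
    for line in lines:
        rec, missing = normalize(line)
        if rec is None or missing:
            rejected.append(line)
        else:
            records.append(rec)
    return records, rejected


def hosts_missing_logs(records, inventory=ASSET_INVENTORY):
    """Inventory hosts that produced no log lines in this batch."""
    seen = {r["host"] for r in records}
    return sorted(inventory - seen)


def denied_access_events(records):
    """(host, principal, resource) for access-control denials on servers."""
    return [(r["host"], r["src"], r["dst"]) for r in records
            if r["category"] == "access" and r["action"] == "deny"]


if __name__ == "__main__":
    recs, bad = normalize_all(SAMPLE_LINES)
    print(f"{len(recs)} records normalized, {len(bad)} rejected")
    print("inventory hosts with no logs:", hosts_missing_logs(recs))
    print("access denials:", denied_access_events(recs))
```

A host that appears in the inventory but never in the logs (srv-db-1 in the sample) is exactly the gap the procedures section asks the periodic comparison to surface; the rejected line count is the "formatted properly and not corrupted" check a daily script can alert on.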

Critical Control 7: Application Software Security

How do attackers exploit the lack of this control?

Attacks against vulnerabilities in web-based and other application software have been a top priority for criminal organizations in recent years. Application software that does not properly check the size of user input, fails to sanitize user input by filtering out unneeded but potentially malicious character sequences, or does not initialize and clear variables properly could be vulnerable to remote compromise. Attackers can inject specific exploits, including buffer overflows, SQL injection attacks, and cross-site scripting code to gain control over vulnerable machines. In one attack in 2008, more than 1 million web servers were exploited and turned into infection engines for visitors to those sites using SQL injection. During that attack, trusted websites from state governments and other organizations compromised by attackers were used to infect hundreds of thousands of browsers that accessed those websites. Many more web and non-web application vulnerabilities are discovered on a regular basis.

To avoid such attacks, both internally developed and third-party application software must be carefully tested to find security flaws. For third-party application software, enterprises should verify that vendors have conducted detailed security testing of their products. For in-house developed applications, enterprises must conduct such testing themselves or engage an outside firm to conduct such testing.

How can this control be implemented, automated, and its effectiveness measured?

1. QW: Organizations should protect web applications by deploying web application firewalls that inspect all traffic flowing to the web application for common web application attacks, including but not limited to Cross-Site Scripting, SQL injection, command injection, and directory traversal attacks. For applications that are not web based, deploy specific application firewalls if such tools are available for the given application type.

2. Config/Hygiene: Organizations should test in-house developed and third-party procured web and other application software for coding errors and malware insertion, including backdoors, prior to deployment using automated static code analysis software. If source code is not available, these organizations should test compiled code using static binary analysis tools. In particular, input validation and output encoding routines of application software should be carefully reviewed and tested.

3. Config/Hygiene: Organizations should test in-house developed and third-party procured web applications for common security weaknesses using automated remote web application scanners prior to deployment, whenever updates are made to the application, and on a regular recurring basis, such as weekly.

4. Config/Hygiene: For applications that rely on a database, organizations should conduct a configuration review of both the operating system housing the database and the database software itself, checking settings to ensure that the database system has been hardened using standard hardening templates.

5. Config/Hygiene: Organizations should verify that security considerations are taken into account throughout the requirements, design, implementation, testing, and other phases of the application development life cycle of all applications.

6. Config/Hygiene: Organizations should ensure that all software development personnel receive training in writing secure code for their specific development environment.

7. Config/Hygiene: Require that all in-house developed software include white-list filtering capabilities for all data input and output associated with the system. These whitelists should be configured to allow in or out only the types of data needed for the system, blocking other forms of data that are not required.
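The input-validation and output-encoding practices behind items 2 and 7, as an added example that is not code from this document or from any application it describes: a Python lookup that concatenates user input into SQL (the flaw the control describes) beside a parameterized query and a whitelist check on the input, with HTML escaping of the result before it is rendered. The table, rows and username pattern are constructed; SQLite is used only because it needs no server.

```python
"""
Added example (not from the Critical Controls text): the input whitelisting
and parameterized-query practices behind Critical Control 7 items 2 and 7,
shown as a vulnerable lookup beside its hardened form on an in-memory SQLite
database. Table, columns and sample rows are constructed.
"""
import html
import re
import sqlite3


def make_db():
    """Constructed sample database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_unsafe(conn, username):
    """The 'before' form: user input is concatenated into the SQL text, so a
    quote character in the input changes the statement's structure."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Parameterization alone: the driver passes the value as data, so the
    statement's structure is fixed no matter what the input contains."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Whitelist for this field: what a username is allowed to look like. Anything
# else is rejected up front instead of trying to strip "bad" characters.
_USERNAME = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


class InputRejected(ValueError):
    pass


def validate_username(value):
    if not _USERNAME.match(value):
        raise InputRejected("username does not match the allowed pattern")
    return value


def lookup_safe(conn, username):
    """Hardened form: whitelist validation first (item 7), then the
    parameterized query, so a bad value never reaches the database at all."""
    return lookup_parameterized(conn, validate_username(username))


def is_rejected(conn, value):
    """True if the hardened lookup refuses the input."""
    try:
        lookup_safe(conn, value)
    except InputRejected:
        return True
    return False


def render_row(row):
    """Output encoding: escape before the value is placed in an HTML page, so
    stored or reflected content cannot become markup."""
    username, email = row
    return f"<li>{html.escape(username)} &lt;{html.escape(email)}&gt;</li>"


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"     # a single quote is enough to alter the unsafe query
    print("unsafe lookup returns", len(lookup_unsafe(db, tautology)), "rows")
    print("parameterized lookup returns", len(lookup_parameterized(db, tautology)), "rows")
    print("hardened lookup rejects the input:", is_rejected(db, tautology))
    print(render_row(lookup_safe(db, "alice")[0]))
```

The two hardened functions show the layering the control asks for: parameterization removes the structural flaw, and the whitelist stops values that are well-formed SQL data but wrong for the field, which is also what a static analyzer (item 2) is checking when it reviews input validation and output encoding routines.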

Associated NIST SP 800-53 Rev 3 Priority 1 Controls:
CM-7, RA-5 (a, 1), SA-3, SA-4 (3), SA-8, SI-3, SI-10

Procedures and tools for implementing this control:

Source code testing tools, web application security scanning tools, and object code testing tools have proven useful in securing application software, along with manual application security penetration testing by testers who have extensive programming knowledge as well as application penetration testing expertise. The Common Weakness Enumeration (CWE) initiative is utilized by many such tools to identify the weaknesses that they find. Organizations can also use CWE to determine which types of weaknesses they are most interested in addressing and removing. A broad community effort to identify the Top 25 Most Dangerous Programming Errors is also available as a minimum set of important issues to investigate and address during the application development process. When evaluating the effectiveness of testing for these weaknesses, the Common Attack Pattern Enumeration and Classification (CAPEC) can be used to organize and record the breadth of the testing for the CWEs as well as a way for testers to think like attackers in their development of test c