IBM Global Services © Copyright IBM Corporation 2008 IBM Internet Security Systems Ahead of the threat ® Technology Innovation and Adoption: Security Trends in a Changing World


IBM Global Services

© Copyright IBM Corporation 2008

IBM Internet Security Systems™

Ahead of the threat®

Technology Innovation and Adoption:

Security Trends in a Changing World

IBM Internet Security Systems

© Copyright IBM Corporation 2009 IBM Internet Security Systems X-Force Preemptive Protection

Vulnerabilities are at a High Plateau

■ 13.5% increase from 2007, totaling 7,406 new vulnerabilities

• From 2001-2006 the average annual growth was 36.5%; from 2006-2008 growth tapered to 2%

• Vulnerability disclosures appear to be reaching a permanently high plateau

■ June 2008 was the highest month for disclosures (692)

• Busiest week statistics are below

• Tuesday remains the busiest day of the week for disclosures due to multiple vendor-released advisories


Vendors not Patching Vulnerabilities

■ 53% of all vulnerabilities disclosed in 2008 had no vendor-supplied patches to remedy the vulnerability

• 44% of vulnerabilities from 2007 and 46% from 2006 still have no patches


Web App Vulnerabilities Continue to Rise

■ 54.9% of all vulnerabilities are Web application vulnerabilities

■ SQL injection attacks increased by 30x within the last six months

■ 74% of Web application vulns disclosed in 2008 had no patch by year end


Attackers Remotely Gain Access & Data

■ 2008 marks the 3rd straight year where the percentage of remotely exploitable vulnerabilities has reached a record high

• Represented 90.2% of all vulns in 2008, up from 89.4% in 2007 and 88.4% in 2006

• Growing number of Web application vulnerabilities

■ “Gain access” remains the primary consequence of vulnerability exploitation

• “Data manipulation” percentages doubled


Hackers Target Unpatched PCs

■ PC vulnerabilities decreased overall for the first time in 2008, although some categories increased

• Document readers & editors increased 162%

• Multimedia applications were up by 127%

■ Web Browser vulnerabilities make up 52%

• Hackers rely on users not patching browsers


Exploits Hide in Documents like PDFs

■ In addition to browser and ActiveX, exploits hiding in documents (like PDFs) became much more significant in the last quarter of 2008

■ In 2008 China surpassed the US as being the largest source of malicious Web sites


Exploits are Easy When you Have the Tools

■ Pre-packaged exploit toolkits with easy-to-use management interfaces are available to attackers

■ It is not known how many toolkit installations are actually purchased versus leased or pirated

■ 89% of public exploits were released on the same day or before the official vulnerability disclosure in 2008

• Up from 79% in 2007


Virtualization Vulnerabilities by Year

XFDB Search: VMware, Xen, Virtual PC, QEMU, Parallels, etc.

CVE-1999-0733
“Buffer overflow in VMWare 1.0.1 for Linux via a long HOME environmental variable. Since VMWare is installed with binaries that are setuid root, local users can exploit the hole allowing for arbitrary code to be executed as root. The consequences are a local root compromise.”

CVE-2002-0814
“Buffer overflow in VMware Authorization Service for VMware GSX Server allows remote authenticated users to execute arbitrary code via a long GLOBAL argument. The code likely executes on the underlying, native system and may compromise the host entirely (including all virtual systems).”

CVE-2005-3618
“Cross-site request forgery (CSRF) vulnerability in the management interface for VMware ESX Server allows remote attackers to perform unauthorized actions as the administrator via URLs, as demonstrated using the setUsr operation to change a password.”

CVE-2007-0948
“Heap-based buffer overflow in Microsoft Virtual PC 2004 and PC for Mac 7.1 and 7, and Virtual Server 2005 and 2005 R2, allows local guest OS administrators to execute arbitrary code on the host OS via unspecified vectors related to interaction and initialization of components.”

CVE-2007-5906
“Xen 3.1.1 allows virtual guest system users to cause a denial of service (hypervisor crash) by using a debug register (DR7) to set certain breakpoints.”

CVE-2008-0923
“Directory traversal vulnerability in the Shared Folders feature for VMWare ACE 1.0.2 and 2.0.2, Player 1.0.4 and 2.0.2, and Workstation 5.5.4 and 6.0.2 allows guest OS users to read and write arbitrary files on the host OS via a multibyte string that produces a wide character string containing .. (dot dot) sequences.”


Real Deep Packet Inspection:

Protocol Analysis Module

The X-Force Advantage


Why PAM?

■ Many DPI solutions must remove protection as time progresses in order to keep performance from degrading

■ New technologies and techniques aren’t possible with a non-extensible solution

■ Pattern matching is a very old technology and is reactive in nature

– There must always be a ‘patient zero’

■ Obfuscation is well practiced and easily done against pattern matching technologies

– This is especially simple when the signatures are open source and reviewable before the exploit is crafted


Protocol and Content Analysis as the Foundation

PAM is the engine behind the preemptive protection afforded by many of the solutions in the IBM Proventia product family.


Protocol/Content Analysis at ALL levels

(Stack diagram, flattened; layers listed in the order they appear.)

Protocol layers: IPv4, IPv6, TCP, HTTP, FTP, SMTP, Instant Messenger

Content (“Layer 8?”): HTML, Javascript, GIF, WMF, JPG, XML, E-mail Body

■ Simulate the protocol/content stacks in the vulnerable systems

■ Normalize at each protocol and content layer

■ Ability to shim in new technologies and grow with not only evolving threats but additional market needs


Converging the Security Platform

A Holistic Security Architecture


IBM Virtual Patch Technology

■ At the end of 2008, 53% of all vulnerabilities disclosed during the year had no vendor-supplied patches available to remedy the vulnerability

■ Shielding a vulnerability from exploitation independent of a software patch

■ Enables a responsible patch management process that can be adhered to without fear of a breach

■ IBM is a MAPP (Microsoft Active Protections Program) partner


Ahead Of The Threat In 2008

(Table; columns: Vulnerability | Discovered by | Vendor Disclosure | ISS Protection Shipped | Block by default? | CVSS Base Score | Days Ahead of Threat. Extraction scrambled the cells; the rows below list only the cells that can be attributed with confidence.)

Multiple Vendors Vulnerable to DNS Cache Poisoning | Dan Kaminski | July, 2008 (Several) CVE-2008-1447 | Nov 13, 2007 – July 17 2008 DNS_Cache_Poison; Aug 12, 2008 DNS_Cache_Poison_Subdomain_Attack | Block by default? cells extracted alongside this row: Yes, Block connection; Yes, Drop Packet; Yes, drop packet

Microsoft Windows Server Service RPC Code Execution | In the wild* | Oct 23, 2008* MS08-067 – Critical CVE-2008-4250 | Aug 8, 2006 MSRPC_Srvcs_Bo; Oct 27, 2008 MSRPC_Srvsvc_Path_Bo | Block connection

Multiple (3) Microsoft Windows TCP/IP Remote Code Execution and DoS Vulnerabilities | X-Force | Jan 8, 2008 MS08-001 – Critical CVE-2007-0066, CVE-2007-0069 | Jan 8, 2007 SSM_List_BO; Aug 16, 2007 ICMP_Router_Advertisement_DOS | Yes, drop packet; Yes, drop packet

Adobe Flash Player Invalid Pointer Vulnerability | X-Force | April 8, 2008 APSB08-11 CVE-2007-0071 | Nov 13, 2007 Multimedia_File_Overflow | Yes, via rewrite | 9.3 / 6.9 | 150 days

Remaining cells extracted from the same table whose row could not be recovered: ISS protection May 29, 2003 HTTP_GET_SQL_UnionSelect; a vendor disclosure of 2006; CVSS Base Scores 10 / 8.7, 6.4 / 5.3 and 10 / 7.4; Days Ahead of Threat 22 months, ~5 yrs, 240 days – present and 1 year.


Threat Detection and Prevention

The ability to detect and prevent entire classes of threats as opposed to a specific exploit or vulnerability:

■ Provides a scalable solution instead of requiring constant signature updates

– Obfuscation detection

– Malmedia (Malicious Multimedia)

■ New technologies adding value to our customers’ security investment

– Shell Code Heuristics (SCH)

– Injection Logic Engine (ILE)

■ Researching and safeguarding immature areas of infrastructure

– VoIP

– SCADA


The SCH Advantage

■ X-Force developed Shellcode Heuristics (SCH) to address the attack payload regardless of the vulnerability

■ It is proprietary to IBM X-Force

■ Available in all PAM-based products

■ Has an unbeatable track record of protecting against zero day vulnerabilities:

– More than 80% Microsoft Office 0day payload detection rate

– Discovered multiple Internet Explorer vulnerabilities in-the-wild as 0days (in conjunction with MSS)

• VML (MS06-055)

• XML (MS06-071)

■ Discovered and protected against numerous payloads in-the-wild relating to other web browser attacks since March 2006

■ Incredibly low false positive rate – only 2 known false positives in 22 million mixed-media files in malware zoo


IBM Proventia Content Analyzer

Addressing Industry Challenges through Data Awareness:

■ Monitors and identifies unencrypted personally identifiable information (PII) and other confidential information

■ Provides capability to explore data flow through the network to help determine if any potential risks exist

■ Flexible and scalable customized data search criteria

■ Complement to data security strategy

■ Create compound data-set search string inspection (e.g., name AND social_security_number AND user defined)


Security Effectiveness | Data Awareness

IBM Proventia Content Analyzer

(Figure of supported data types; only the label “U.S.” survived extraction.)

*Provides for inline inspection of attached files.


Web Application Security

Protect web applications against sophisticated application-level attacks such as:

■ SQL (Structured Query Language) Injection

■ XSS (Cross-site scripting)

■ PHP (Hypertext Preprocessor) file-includes

■ CSRF (Cross-site request forgery)

■ Expands security capabilities to meet both compliance requirements and threat evolution

Web Threats Will Become Increasingly Complex… Web Protection Doesn’t Have To


The ILE (Injection Logic Engine) Advantage

■ Injection attacks are typically made up of unique patterns that are not commonly seen in valid web application requests

– By totaling and scoring these specific keywords and symbols, we can accurately detect and block SQL injection attacks

■ Tracks an extremely comprehensive list of SQL keywords, operators, and symbols and correlates them based on valid SQL syntax

– Parameter values are evaluated and scored based on the particular keywords and symbols they contain

– Parameter values that exceed the configurable scoring threshold should be considered SQL injection and the request blocked

– Flagging particular combinations of classes of keywords can determine what type of SQL injection is occurring:

• query injection

• stored procedure execution

• login bypass

• blind SQL injection
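The detector below is an added example, not IBM's Injection Logic Engine (whose keyword list and weights these slides do not publish): it implements the scoring approach this slide describes, with the per-layer normalization step from the Protocol/Content Analysis slide (URL decoding, comment stripping, case folding) applied before scoring. The token classes, weights, threshold and sample parameter values are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus
# Token classes (an assumption, not IBM's list) with illustrative weights.
CLASSES = {
    "query": ({"select", "union", "from", "where"}, 3),
    "stored_proc": ({"exec", "execute", "xp_", "sp_"}, 3),
    "login_bypass": ({"or", "--", "#"}, 2),
    "blind": ({"sleep", "waitfor", "delay", "benchmark"}, 3),
    "symbol": ({"'", "=", ";", "(", ")", "/*", "*/"}, 1),
}
THRESHOLD = 5  # configurable: scores at or above this are treated as injection
# Procedure prefixes come before plain words so "sp_helpdb" yields "sp_".
TOKEN_RE = re.compile(r"xp_|sp_|[a-z_]+|--|/\*|\*/|[#'=;()]")

def normalize(value: str) -> str:
    """Up to two URL-decoding rounds (so double encoding cannot hide keywords), comments to spaces, case folded."""
    for _ in range(2):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    value = re.sub(r"/\*.*?\*/", " ", value)
    return re.sub(r"\s+", " ", value).strip().lower()

def score(value: str):
    """Sum the weights of suspicious tokens; return (score, classes that fired)."""
    total, hit = 0, set()
    for tok in TOKEN_RE.findall(normalize(value)):
        for name, (members, weight) in CLASSES.items():
            if tok in members:
                total += weight
                hit.add(name)
    return total, hit

def classify(value: str) -> str:
    """'allow' below the threshold, else the injection type, most specific first."""
    total, hit = score(value)
    if total < THRESHOLD:
        return "allow"
    for name, label in (("stored_proc", "stored procedure execution"),
                        ("blind", "blind sql injection"), ("query", "query injection"),
                        ("login_bypass", "login bypass")):
        if name in hit:
            return label
    return "sql injection"

# Constructed parameter values: two ordinary inputs, then four injection attempts
# (the last two URL-encoded once and twice to exercise normalize()).
SAMPLES = ["smith", "O'Brien", "' OR '1'='1' --",
           "1 UNION SELECT name, pass FROM users",
           "1%27%3B+EXEC+sp_helpdb+--", "1%2520and%2520sleep%252810%2529"]

def inspect_samples() -> dict:
    """Run every constructed sample through the detector."""
    return {value: classify(value) for value in SAMPLES}
```

Note that the double-encoded sample scores zero against the raw string and only crosses the threshold after the second decoding round, which is the obfuscation weakness of raw pattern matching the Why PAM? slide refers to.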


Network Policy Enforcement

Manage security policy and risks within defined segments of the network:

■ ActiveX fingerprinting

■ Peer To Peer

■ Instant Messaging

■ Tunneling

■ Enforces network application and service access based on corporate policy and governance


Wrap Up


Converging threats force a change in our security mindset – and technology

■ Thus protection technology effectiveness is reliant on truly researching new approaches and must be a focus!!


For More IBM X-Force Security Leadership

X-Force Trends Report
The IBM X-Force Trend Statistics Report provides statistical information about all aspects of threats that affect Internet security. Find out more at http://www-935.ibm.com/services/us/iss/xforce/trendreports/

X-Force Security Alerts and Advisories
Only IBM X-Force can deliver preemptive security due to our unwavering commitment to research and development and 24/7 global attack monitoring. Find out more at http://xforce.iss.net/

X-Force Blogs and Feeds
For a real-time update of Alerts, Advisories, and other security issues, subscribe to the X-Force RSS feeds. You can subscribe to the X-Force alerts and advisories feed at http://iss.net/rss.php or the Frequency X Blog at http://blogs.iss.net/rss.php

X-Force Threat Analysis Service
Stay up-to-date on the latest threats customized for your environment: http://www-935.ibm.com/services/us/index.wss/offering/iss/a1026943


For More IBM X-Force Security Leadership

X-Force Podcasts and Webcasts
Join IBM X-Force and Burton Group for a discussion on how new computing technologies are driving increased risk in a web-centric world. Find out more at http://www.kingfishmedia.net/emails/IBM/10.8_Xforce.html


Thank you!

The X-Force Advantage