Thread: Exposing The Future of Internet Security

  1. #1
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002
    Posts
    830

    Exposing The Future of Internet Security

    In an article titled Exposing The Future of Internet Security, Robert Clyde said:

    A review of the major blended threats from the past several years reveals an interesting trend: all of them targeted known vulnerabilities. And some of these had been well documented for six months or more before the threat was created. Today numerous known vulnerabilities present targets for the next generation of major blended threat attacks.
    and...

    Three blended threats (namely Klez, Bugbear, and Opaserv) were the source of 80 percent of malicious code submissions to Symantec Security Response over the previous six months.
    It seems from this data that while antivirus software is still, and most likely always will be, a required tool for defending your network, proactive patching is more, or at least equally, important when it comes to protecting against the next great unknown threat.

    If everyone had patched their computers, CodeRed, Nimda and other threats like that would not have had the impact they did. Recently the SQL Slammer worm crippled the Internet by utilizing a vulnerability for which a patch had been released more than 6 months prior.

    Antivirus is great for blocking known threats, but it seems that when it comes to high impact new threats that proactive patching buys you more protection than antivirus software.

    Thoughts?

  2. #2
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    If everyone had patched their computers, CodeRed, Nimda and other threats like that would not have had the impact they did. Recently the SQL Slammer worm crippled the Internet by utilizing a vulnerability for which a patch had been released more than 6 months prior.
    From a "geek" POV... that is just common sense. Any good admin would have this under wraps... if not, they shouldn't be an admin.

    It's the home users that you have to get this info out to. But what do they care??? As long as they can get on AOHell to chat and check their e-mail... they could care less about updating their AV, updating their OS and computer security altogether. They don't think of it as keeping all the doors and windows open in a high crime rate area...

    Many of the home users that I've helped or done work on their PCs have never updated their OS and didn't know that they had to update their AV. And they wonder why I find 5,679 files infected by a virus and get all pissed off. Some others simply don't want to wait 10-12 hrs to download a service pack on dial up. Think about this... a default XP or 2k box takes more than 24hrs to completely download and update its OS on an "out of box" install. People simply don't want to tie up their lines, or wait that long just to find their connection terminated and have to start the DL all over again.

    Home and end users should be forced/required to take a couple of computer courses before they are allowed to use or own their own computer. Much like them having to get a driver's license... </rant>

  3. #3
    Junior Member
    Join Date
    Feb 2003
    Posts
    12
    In theory, patching seems almost more important than Anti-virus. Unfortunately, with patching comes one problem...backward compatibility.

    Simple patches, such as most of the Microsoft Hot-Fixes, don't cause too many problems for most minor applications. However, when you start running massive applications, such as PeopleSoft and Blackboard, you can experience major problems after patching, especially full Service Packs. Major applications may require patching (sometimes many patches) of their own to be compatible with an OS patch. Additionally, patched application servers may not work with other non-patched servers. We ran into this problem (yes, with PeopleSoft) when I was in the education sector. Basically, your testing and patching on your developmental network took so long that you could literally devote a few IT positions to just trying to keep up.

    I guess it really depends on your server and its functions. For most of us, running simple web servers and such, patching is just as important as anti-virus. But, with larger organizations with more servers that are more complicated, patching creates a MAJOR headache. Sometimes it's nice to be the little guy.
    Intelligent people talk about ideas.
    Average people talk about things.
    Small people talk about other people.

  4. #4
    Senior Member
    Join Date
    Mar 2002
    Posts
    137
    I agree completely with you Scittish, most home users don't care about anything as long as their email and surfing is fine.

  5. #5
    I agree that the latest trends seem to indicate that the next "killer" threat will likely come in the form of a worm that has been designed to target one or more known vulnerabilities.

    Nimda, Code Red, Sapphire/Slammer all followed this path, and they appear to be getting progressively worse. Notably Sapphire, which reached its peak scan rate in really no time at all.

    The thing is, that as seriously as these worms have impacted the Internet and enterprise networks I really don't think that they were as bad as they might've been. Sure they created tremendous headaches for a relatively short period of time - yet they really didn't do that much damage to infected systems. They weren't sneaky. They didn't contain a hostile payload. Imagine for a minute a worm that has the infection capabilities of a Sapphire that has been ratcheted down - so that it is spreading but it isn't creating DoS conditions wherever it goes. Instead it is spreading a small back door.... That's the kind of thing that might keep me up at night worrying.

    The infection vectors are also getting scarier. Look again at Sapphire which spread itself to "secure" networks and wound up taking down airline reservation systems and bank ATMs. The entire Sapphire worm was an atomic (single packet) UDP worm. Travelling on a port that is generally required for SQL to communicate. This allowed it to spread more easily. Don't forget that some analysts (wish I had the article handy) have determined that Sapphire wasn't actually that efficient in its determination of addresses to scan.

    Some of the recently announced Sendmail vulnerabilities give me the shakes when I start thinking about them. In case you missed it, there's exploit code for these vulnerabilities that has been floating around for over a month now. Sendmail is one of the most widely installed mail handling applications - I think I read that between 50-75% of all email is routed through a Sendmail server at some point...

    Broadband SOHO type users I agree are a particularly troublesome bunch. Always-on, relatively high-speed connections. File-sharing apps. Chat apps. Poor or no real security discipline. No real concept of patching and updating. It's a problem. Did anyone else read the stories in the past week of the huge botnets that they're watching? Do you have any idea of what 18k+ zombies can do in a DDoS attack? Not pretty. If you're a high-tech company or an e-commerce company or a company that is depending on an internet presence, what do you do when you are taken down by that kind of a distributed attack? It's just a matter of time before someone goes after Amazon or CNN and starts looking for a payoff to make the attack stop.

    Yeah, maybe I do have too much of an imagination. Still I don't think any of these scenarios are outside the realm of possibility.

    Even with these dark fears running through my head - I know for a fact that some patches are going to be applied quickly and some aren't. Some systems are going to be easily patched and some won't. Oddly enough it seems that the more high-value systems are less likely to be patched just because of the requirement for a high level of testing before deployment on these core systems. Part of the problem is tricky and/or custom code and system configuration. Another big part of the problem is that we've all been burned by the patch process in the past. It can be a very tough sell to some systems people that we need to put a patch on because we might be burned - particularly when the last patch they applied cost them uptime on a critical box.

    I am a huge proponent of having the application developers and vendors do some freaking testing before rolling the next version out the door. Buffer overflows should be something that can be caught in the QA process - but QA is forsaken or foreshortened in the rush to get the next "dot-oh-one" out to the user community. Why is this so hard? Do you know anyone who absolutely NEEDS to have Windows 2003 Server RIGHT NOW? Everyone I know would be very happy to run on Win2K for a year or two longer just to get the bugs out of 2003 Server. Many people won't consider a M$ OS until at least SP1 is released. What kind of mindset is that? Where you expect there to be enough holes in the product that you expect a major patchset?

    I'm tired and it's late. Sorry for the rambly rant.

    Good night.

  6. #6
    Junior Member
    Join Date
    Feb 2003
    Posts
    12
    Tonybradley, I went and read that article. Thanks for posting it. Mr. Clyde did a good job on it. He did say a few things that really caught my attention:
    Web services. In the coming years, we expect to see increased use of Web services (Java and .NET-based) by both enterprises and government agencies to manage supply chains and exchange business information. Appropriately targeted attacks on these systems could have severe repercussions to our economy.
    This brief clearly outlines the necessity of responsible network administration (i.e. patching). Will there be security vulnerabilities? Yes, of course. As long as there is software, and especially complex software, there will be security holes. You can only test things for so long. Eventually you have to put them in the real world because that is the only true test of a product. We need to develop some sort of accountability (I hate to ask for legislation) for institutions that do not properly maintain their computers. If a company does not fix hazards that arise in the workplace and maintain OSHA compliance, they can be held liable. Where's the accountability on the internet? If software companies release known, buggy code, or if they find out about a hole, but do not create a patch, they need to be held accountable. Furthermore, and I think almost more importantly, if people using the software do not apply the patches or updates and their lack of diligence causes financial loss for someone else, they need to be held accountable. Yes, it's a big, nasty, complex matter, but eventually someone has to deal with it.

    Solution(?): So what do we do, start teaching sixth graders to religiously patch their systems and hope it has the same success as the anti-smoking and anti-pregnancy campaigns???

    The next excerpt is just a side note:

    Instant messaging (IM). We expect to see significant growth of IM in both the consumer and corporate space. In fact, IDC estimates the number of corporate IM users will grow to a whopping 300 million by 2005. While IM systems have the ability to fundamentally change the way we communicate and do business, many of today's implementations pose security challenges. Virtually all freeware IM systems lack encryption capabilities, and most have features to bypass traditional corporate firewalls, making it difficult for administrators to control their use inside an organization. Many of these systems have insecure password management and are vulnerable to account spoofing and denial-of-service attacks. Finally, IM systems meet all the criteria required to make them an ideal platform for rapidly spreading computer worms and blended threats: they are quickly becoming ubiquitous; they provide an able communications infrastructure; they have integrated directories that can be used to locate new targets (i.e., buddy lists); and they can, in many cases, be controlled by easy-to-write scripts.
    Ouch. Can you imagine when Gator puts out an IM client? Even the mixing of ad-ware with IM is a scary thought. I would hate to see a virus that spreads through an IM client and actually carried a damaging payload. Especially if that virus slept, until its creator needed something....or rather everything.

    Lastly, from Amazingzarkon (nice post, BTW...good points):
    Buffer overflows should be something that can be caught in the QA process - but QA is forsaken or foreshortened in the rush to get the next "dot-oh-one" out to the user community. Why is this so hard? Do you know anyone who absolutely NEEDS to have Windows 2003 Server RIGHT NOW?
    I think this has less to do with the people needing Win2K3 and more about Microsoft getting money for it. Patching Win2K and XP for the next 4 years isn't exactly generating money. Unfortunately, I think $$$ is forcing release of new software and not the software's necessity.
    Intelligent people talk about ideas.
    Average people talk about things.
    Small people talk about other people.

  7. #7
    Senior Member
    Join Date
    Mar 2003
    Posts
    217
    Originally posted here by phishphreek80

    Home and end users should be forced/required to take a couple of computer courses before they are allowed to use or own their own computer. Much like them having to get a drivers license... </rant>
    Forcing home users to take a licence course before using the internet is defeating the purpose of the home computer. My mom, who simply uses a computer to send and receive pictures by email, as well as a little bit of googling, would be completely turned off to computers and incidentally technology. I used to work in retail, and most people get pissed off when they buy a computer if you don't come to their house, set it up, and teach their grandmother how to use the internet. Then they get pissed off if you don't have a book for them ...
    "Don't you have like a 'computers for dummies' book?"
    "Yes ma'am, we do. Unfortunately you haven't graduated to that category yet."

    Sometimes I'm tempted just to sell them the fake computers we use to display the office furniture with, seeing as they will probably serve the same purpose for the person...

    Regardless, your average home user considers the computer a mixture between a telephone and the tv. Communication and entertainment.

    Phish, I realize that you're just ranting. I'm somewhat agreeing with you. But I think ISPs, who know better, should actually take care of that stuff, or at least let them know what's going on. My gosh, if an ISP were to go so far as to send you a cdrom of computer updates as opposed to 2 free decades of their service, this world would be a better place.
    I'm starting to think that I'm bound to always be the first guy on the second page of the thread.

  8. #8
    Junior Member
    Join Date
    Apr 2003
    Posts
    11
    I agree completely with you Scittish and King of CaveMen
    Most home users only care about surfing sites or IM or whatever they like to. They don't care about updating security or patches, etc. When home users look at the monitor and it looks like it works, then they go surf or so.

    Patching is more important than antivirus. Antivirus only scans for hardware and software viruses. Patching is part of the ISP.

    I think this has less to do with the people needing Win2K3 and more about Microsoft getting money for it. Patching Win2K and XP for the next 4 years isn't exactly generating money. Unfortunately, I think $$$ is forcing release of new software and not the software's necessity.
    I feel that some people or companies will not buy Win 2k3 because they are very tired of spending another thousand dollars or million dollars for that. When it's leaked or so, they have to update patches and service pack 1,2,3,4,5,6,7,8,9,10?? My opinion is all of the companies and people will keep W2k for a few years and wait to see what's up with w2k3. Most home users love to use Win XP because of the wonderful graphics and beautiful graphics, but it sucks for security. Like I said earlier "most home users only care about surfing sites or IM or whatever they like to. They don't care about updating security or patches, etc. When home users look at the monitor and it looks like it works, then they go surf or so."

    Prana0777

  9. #9
    Senior Member
    Join Date
    Jul 2001
    Posts
    461
    Actually, the problem is not quite that simple. It may be for home users, but not for corporations which depend on the stability of their systems.

    It is fine to say, everyone patch your systems, and things will be fine. You specifically mention the patch for the SQL worm, which was available months before the worm appeared. The problem with this is that the patch is SQL Server Service Pack 3, which breaks things, as we found out in a test environment. Just do a newsgroup search for it, and see many tales of woe.

    At my place we were told by the folks who write our accounting/timecard system not to update to Service Pack 3. Because, they say, not only would it create problems with their product, it would create lots of other problems as well; again we discovered this in a test environment, in addition to being told.

    We were not hit by SQL Slammer, primarily due to well thought out network design and security practices, despite the presence of an unpatched vulnerability. There is no reason in the world why everyone on the internet needs access to port 1433 on your SQL Server, or any other port on your server for that matter, except for possibly SMTP and HTTP, maybe a few others. But access to specific things, like port 1433, should be confined to only those systems which must have access to it. Joe Schmoe MSN dialup user certainly doesn't.

    Of course, the reason we were ok was because we knew about the vulnerability, understood its method of transmission, and ensured that we were not vulnerable.

    Fixing the problem requires more than just calling for everyone and their mother to patch their systems.

    I agree, for a home user, that would probably prevent the vast majority of issues, at least as far as virii and worms, but for businesses, the problem is much more complex. Administrators need to be made aware of the issue, and learn some good security practices. Companies need to be liable if their lax security/patching causes damage somehow. This goes for end user companies, in addition to software producers who write insecure software.

  10. #10
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    We rely more on our firewall than patches to protect us....why? Well, with all of the testing we *have* to do on every patch to make sure nothing breaks, it can take weeks to months to roll a patch into production (and some patches can never get installed due to what they break).

    A note on Slammer: the *patch* was so difficult to install 6 months ago (it involved manually moving files, writing and running SQL code against each instance, etc.) that a lot of places never implemented it...including Microsoft. It wasn't until Slammer did its damage that they released an easy-to-install hotfix.
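Posts #9 and #10 both make the same defensive point: confine the SQL Server ports to the hosts that genuinely need them, with a default-deny firewall, so that an unpatched box is still not reachable by "Joe Schmoe dialup user". The script below is an added example, not code from the thread or from any poster. It parses two constructed iptables-save style INPUT chains (a weak one that accepts the SQL ports from anywhere, and a hardened one restricted to an assumed 10.0.5.0/24 application subnet), evaluates them with netfilter's first-match semantics for a new inbound connection, and audits them for SQL ports exposed to any source. Alongside TCP 1433 from the posts it also checks UDP 1434, the SQL Server Resolution Service port that Slammer's single UDP packet targeted; all addresses and rules are made up for illustration.

```python
"""Audit and simulate a host firewall policy for the SQL Server ports.

Added example (not from the thread). Rulesets, subnets and addresses are
constructed for illustration; the parser understands only the subset of
iptables-save syntax used below (-s, -p, --dport, --state, -j on INPUT).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

# TCP 1433 is the SQL Server listener named in the thread; UDP 1434 is the
# SQL Server Resolution Service port hit by Slammer's single UDP packet.
SQL_PORTS = {("tcp", 1433), ("udp", 1434)}

# Constructed weak ruleset: open default policy, SQL ports open to the world.
WEAK_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 1433 -j ACCEPT
-A INPUT -p udp -m udp --dport 1434 -j ACCEPT
COMMIT
"""

# Constructed hardened ruleset: default DROP, SQL ports only from the
# assumed application subnet 10.0.5.0/24, HTTP still public.
HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.0.5.0/24 -p tcp -m tcp --dport 1433 -j ACCEPT
-A INPUT -s 10.0.5.0/24 -p udp -m udp --dport 1434 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""


@dataclass
class Rule:
    source: ipaddress.IPv4Network          # 0.0.0.0/0 when -s is absent
    proto: Optional[str]                   # None matches any protocol
    dport: Optional[int]                   # None matches any port
    states: Set[str] = field(default_factory=set)  # empty: no state match
    target: str = "DROP"


@dataclass
class Policy:
    default: str                           # chain policy for unmatched packets
    rules: List[Rule]


def parse_rule(line: str) -> Rule:
    """Turn one '-A INPUT ...' line into a Rule by scanning its option tokens."""
    tokens = line.split()
    src, proto, dport, states, target = "0.0.0.0/0", None, None, set(), "DROP"
    for i, tok in enumerate(tokens[:-1]):
        if tok == "-s":
            src = tokens[i + 1]
        elif tok == "-p":
            proto = tokens[i + 1]
        elif tok == "--dport":
            dport = int(tokens[i + 1])
        elif tok == "--state":
            states = set(tokens[i + 1].split(","))
        elif tok == "-j":
            target = tokens[i + 1]
    return Rule(ipaddress.ip_network(src, strict=False), proto, dport, states, target)


def parse_ruleset(text: str) -> Policy:
    """Collect the INPUT chain policy and its rules from iptables-save text."""
    default, rules = "ACCEPT", []
    for line in text.splitlines():
        if line.startswith(":INPUT"):
            default = line.split()[1]
        elif line.startswith("-A INPUT"):
            rules.append(parse_rule(line))
    return Policy(default, rules)


def decide(policy: Policy, src_ip: str, proto: str, dport: int) -> str:
    """Verdict for a NEW inbound connection: first matching rule wins,
    otherwise the chain's default policy applies."""
    ip = ipaddress.ip_address(src_ip)
    for r in policy.rules:
        if r.states and "NEW" not in r.states:   # conntrack-only rule, skip
            continue
        if ip not in r.source:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.target
    return policy.default


def exposed_sql_rules(policy: Policy) -> List[str]:
    """Findings: SQL ports accepted from every source, or an open default."""
    findings = []
    for r in policy.rules:
        if r.target == "ACCEPT" and (r.proto, r.dport) in SQL_PORTS \
                and r.source.prefixlen == 0:
            findings.append(f"{r.proto}/{r.dport} accepted from any source")
    if policy.default == "ACCEPT":
        findings.append("INPUT default policy is ACCEPT: unmatched traffic gets in")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        pol = parse_ruleset(text)
        print(name, "findings:", exposed_sql_rules(pol) or "none")
        for src in ("10.0.5.7", "203.0.113.9"):   # app server vs. outsider
            print(f"  {src} -> tcp/1433: {decide(pol, src, 'tcp', 1433)}")
```

The simulator deliberately models only new connections, which is why the ESTABLISHED,RELATED rule is skipped; that is the packet an unsolicited worm probe looks like, and it is the case the audit cares about. The same parse-then-evaluate approach extends to checking any "who may reach this port" question before a change window, which is how a team with a slow patch cycle can confirm that an unpatched service is at least unreachable from outside its intended clients.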
