News Article: Vulnerabilities Becoming More Common

  1. #1
    Member (Join Date: Mar 2005, Posts: 65)

    News Article: Vulnerabilities Becoming More Common

    FYI - Just saw this at SC Magazine:

    Source: Vulnerabilities Becoming More Common

    Story:

    Vulnerabilities becoming more common
    by David Quainton

    Security experts are warning that exploits are becoming more common and more dangerous as they begin to affect security products as well as non-Microsoft software.
    The deluge of new vulnerabilities has forced security research group SANS to change its annual 'Top 20 Internet Security Vulnerabilities' list to a quarterly update. (As reported in SC Magazine here).

    "Threats are evolving faster than ever this year," said Gerhard Eschelbeck, CTO of Qualys. "We've had a mix of new vulnerabilities this year. Everyone has anti-virus and now even that is affected."

    More than 600 internet security vulnerabilities have emerged in the first quarter of 2005. In the early part of 2005 a trend for non-Microsoft (the traditional home of many) vulnerabilities has emerged. Holes in Apple's iTunes, CA licensing software and some anti-virus products have added to the scale of the list.

    To qualify for the new quarterly list, vulnerabilities must meet five requirements.

    (1) They affect a large number of users.
    (2) They have not been patched on a substantial number of systems.
    (3) They allow computers to be taken over by a remote, unauthorized user.
    (4) Sufficient details about the vulnerabilities have been posted to the Internet to enable attackers to exploit them.
    (5) They were discovered or first patched during the first three months of 2005.

    www.sans.org/top20/Q1-2005update
    www.qualys.com

    I did not find anything specific yet at SANS, but that could change in mere minutes or hours.

  2. #2
    thehorse13, Master-Jedi-Pimps0r & Moderator (Join Date: Dec 2002, Location: Washington D.C. area, Posts: 2,883)

    LOL. Did anyone really need an article to know this? If you haven't figured this out by now, then I know of a wonderful career waiting for you at McDonalds.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    Member (Join Date: Mar 2005, Posts: 65)

    Ola:

    LOL. Did anyone really need an article to know this? If you haven't figured this out by now, then I know of a wonderful career waiting for you at McDonalds.
    Well... maybe it was geared more for manager types. Heh.

    Since I had found one article in the genre of "stating the obvious" I thought - hey why not one more - and this one is an opinion.

    Source: LDAP - the heart of the secure organization

    Story:

    LDAP the heart of the secure organization
    by Ken Watt
    Single sign-on (SSO) has long been a holy grail for security teams in large complex organizations. But the obstacles in the way of its universal deployment have so far proved to be too great - in particular the challenge of interfacing and synchronizing data held in the various directories that larger companies typically deploy.

    These proprietary directories have traditionally been built around individual applications, which creates problems for anyone attempting to standardize or centralize user and application credentials.

    But things are looking up. The accelerating adoption of LDAP (Lightweight Directory Access Protocol) is finally offering hope to beleaguered security managers who have been seeking to integrate multiple enterprise directories - and so facilitating SSO.

    Deploying LDAP across an entire organization can have significant benefits. Firstly, the problem of co-ordinating core directory data is solved. Users are given standardized access permissions that are defined by their role within the company. Authentication credentials can then be maintained centrally and referenced by a whole host of platforms and applications.

    In terms of security, the gains are enormous.

    Centralized and standardized administration enables effective management of user accounts across all platforms and applications. These can be easily updated throughout the employee's time at the company. Authorization processes and profiles can be managed and audited centrally, meaning that anomalies and abuses are identified more easily.

    Uniform authentication parameters can also be set. These can be matched against stronger credentials, like tokens, where necessary. Finally, monitoring is simplified so that any potential security incidents can easily be spotted and dealt with.

    But effective LDAP integration goes beyond centralising the three As of security; it can enhance the power of all networked applications. Single changes can be replicated across all directories and applications, which is far more efficient for both administrators and users. Users can also authenticate themselves with a single secure credential, which is far less prone to failure than a plethora of passwords and IDs.

    However if LDAP represents network nirvana, there is still some work ahead before we reach this particular paradise. Although there are growing numbers of enterprises that have embraced LDAP successfully, there are many others that are still wrestling with a multitude of platforms, applications and databases that don't offer an easy route to integration and standardization. Before we give in to the hype, we need to consider the practicalities.

    Take the example of a company with a significant Microsoft desktop and server community, many of which were running older operating systems that weren't LDAP compliant. Much of the desktop hardware was not up to running Windows 2000 or XP, in addition to a small but significant use of Apple Macs.

    Furthermore, the server mix included Windows, multiple flavors of UNIX and AS/400 thrown in for good measure. Core business applications were a combination of commercial off-the-shelf and home-grown products, with little LDAP awareness in either. Lotus Notes was used for email, PeopleSoft for HR: each with its own directory.

    A company such as this, which is not unusual, faces a number of choices when moving to an LDAP compliant system, with pros and cons on each side.

    The first option is a heterogeneous Microsoft environment, using MS's Active Directory at the core with its Identity Integration Server (MIIS) as a 'Meta Directory' add-on that integrates different directories. There may be cost advantages to following this route, but it doesn't necessarily cover all users and certainly not all servers and applications. It also remains an internally proprietary platform despite its external LDAP interface.

    The basic alternative is a core directory, external to Microsoft, with native LDAP integration and custom scripted connectors where required. A commercial LDAP directory, such as iPlanet, brings the advantage of supplier integration and support but at significant additional cost. On the other hand, open source-based LDAP has clear cost advantages but could leave organizations exposed in terms of support.

    Introducing LDAP therefore is not a quick fix for the issues arising from obsolete platforms, bespoke applications, incompatibility and variety. It can however deliver benefits for the long term.

    The good news is that there are many examples of organizations doing this very successfully. It requires vision, determination, a degree of patience and certainly a sound dose of pragmatism. But the work is worth it. The results where integration is achieved successfully can be startling.

    LDAP has already made its mark and will eventually become ubiquitous. It will, however, take more time before non-compliant legacy applications disappear completely. In the meantime, organizations should identify the strategy that offers them the most effective route to directory integration over the shortest possible time, balancing the pros and cons of the various open and proprietary offerings.

    The author is Consultancy Director, INSL

    Now people may read these types of articles and say "Ah-duh" and ROFL, however it could be argued that if more managerial types read these types of articles, it may be easier to push through security measures and to be able to acquire a security budget. Kind of like "impress your manager friends on the golf course with the knowledge you have of security vulnerabilities and LDAP!"

    Buenos Dias.

  4. #4
    thehorse13, Master-Jedi-Pimps0r & Moderator (Join Date: Dec 2002, Location: Washington D.C. area, Posts: 2,883)

    Yeah, MS made a stab at this. Their incarnation is called AD. Have you ever tried to sync an AD controller across a firewall? LOL. Give that a try and your security has just gone up in smoke.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
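    Added example, not part of the thread or of anything Microsoft ships: the usual way to avoid the problem thehorse13 describes is to pin the two RPC services that domain controllers use for replication and secure-channel traffic to fixed ports, so the firewall between the DCs only has to pass those ports plus the endpoint mapper instead of the whole dynamic RPC range. The registry values are the ones Microsoft documents in KB 224196; the port numbers 49152 and 49153 are placeholder choices, the script assumes an elevated PowerShell session on each DC, and a reboot is needed before the change takes effect.

```powershell
# Added example (not from the thread): pin AD replication RPC endpoints to fixed ports
# so a firewall between two domain controllers can allow a small, known set of ports.
# Registry values are documented in Microsoft KB 224196. Port numbers below are
# assumed placeholder choices; adjust to whatever your firewall policy reserves.

$NtdsPort     = 49152   # assumed: fixed port for NTDS (directory replication) RPC
$NetlogonPort = 49153   # assumed: fixed port for Netlogon RPC

# Directory replication (NTDS) listener
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
    -Name 'TCP/IP Port' -PropertyType DWord -Value $NtdsPort -Force | Out-Null

# Netlogon listener (secure channel / trust RPC)
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
    -Name 'DCTcpipPort' -PropertyType DWord -Value $NetlogonPort -Force | Out-Null

# Show what is now configured; the services pick the values up after a reboot.
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -Name 'TCP/IP Port'
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -Name 'DCTcpipPort'
```

    With both values set on every DC on each side of the firewall, the replication rule set shrinks to TCP 135 (RPC endpoint mapper), the two pinned ports, and the normal LDAP, Kerberos, DNS and SMB ports; anything still hitting the dynamic range after the reboot is worth investigating rather than opening more holes for.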
