Vulnerabilities and Threats: The Past, Present and Future

1
Vulnerabilities and Threats The Past, Present
and Future

• Mike Murray - Director of Vulnerability Research
• March 29, 2006

2
Intro

• The Past Pen-Testing and Vulnerability
  Assessment
• The Present Vulnerability Management
• The Future
• Disclaimers
• Information Technology Focused
• Vendor Neutral
• Objectives
• Present information to help you understand your
  information security strategy today and tomorrow

3
The Birth of Vulnerability Assessment
4
The Birth of Vulnerability Assessment
5
Security Configuration Weaknesses

• The Earliest Discovery
• Exploits mostly human weakness in setting up
  operating systems
• Simple class of attacks
• Exploiting access control failures
• Improper Directory permissions
• Unrestricted access to servers
• Failures in trust relationships
• Grabbing password files
• Incorrect program behavior
• Debug Interfaces
• Attackers were unsophisticated

6
The Buffer Overflow

• Phrack 49 - November 8, 1996.
• Aleph1 - Smashing the Stack for Fun and Profit
• The first real sophisticated vulnerabilities
  start to emerge
• A buffer overflow required knowledge of assembly
  and coding skill
• Hackers now had to be more technical
• Readily available exploit code actually makes
  breaking in to computers easier
• The golden age of server hacking begins.

7
Past Vulnerability Assessment
8
The Birth of Vulnerability Management (agent-less)
Lightning Console/Nessus
2004
9
The Birth of Vulnerability Management (agent-less)
Lightning Console/Nessus
2004
Buffer Overflows Increase Sophistication
New Attack Vectors emerge
10
Memory Attack Sophistication

• Buffer overflows become more sophisticated
• Polymorphic shell-code
• More advanced use of memory spaces
• Design to evade detective controls
• Other memory-based attacks
• Format String attacks
• Integer Overflow attacks

11
New Attack Vectors Emerge

• Web-based applications become a target
• As web-apps become common, researchers target web
  apps
• SQL Injection, XSS, access control breaches
• Data driven attacks
• Begin to see browser attacks
• Internet Explorer proves vulnerable

12
From the Past to the Present
13
From the Past to the Present
14
From the Past to the Present
15
From the Past to the Present
16
From the Past to the Present
17
From the Past to the Present
18
From the Past to the Present
19
From the Past to the Present
20
From the Past to the Present
21
From the Past to the Present
22
From the Past to the Present
23
From the Past to the Present
24
The Present
nTellect Product
SIH Product
2005
2007
2006
Client Side Attacks Are Key
Human attacks increase
25
Client-side attacks

• Microsoft hardens their operating systems
• As massive server-based vulnerabilities
  disappear, client interaction becomes key
• We see the majority of issues affect the client
• Major exploits require user-interaction
• Email
• Web-page viewing
• Opening of attachments

26
Human Weakness

• Attacks rely on social engineering
• Phishing
• Spyware/Adware/bot installations
• Exploiting by providing value
• We have come full-circle
• Humans are, in general, weaker than computers.

27
Present Vulnerability Management

• Gartners "grand unified theory of security," has
  defined Vulnerability Management as one of four
  high-level security processes that are key to the
  effectiveness and efficiency of enterprise
  security.

28
Creating a Balanced Security Ecosystem
29
Measure, Manage, Reduce Risk

• Obstacles
• Enumeration of Vulnerabilities is an insufficient
  set
• The consumer of this information is no longer the
  security geeks
• Risk related information is fragmented and out of
  sync
• Requirements for the future
• Risk related Intelligence that allows for proper
  preemptive, preventive, and protective actions to
  be taken.
• Risk related Intelligence integrated with both
  other technologies and the processes of the
  enterprise
• Risk related Intelligence that drives the
  decision-making ability of the business
• Less is more

30
Managing Risk Across the Enterprise
Ira Winkler Dan Ryan
31
Definitions

• Vulnerability \VulnerabilIty\, n.
• The quality or state of being vulnerable
• Threat \thret\, n.
• Intelligence of something that is a source of
  danger
• Countermeasures \Countermeasure\, n.
• an action taken to offset another action
• Valuation \Valuation\, n.
• the act of estimating value or worth the value
  set upon a thing

32
From the Present to the Future
33
From the Present to the Future
34
From the Present to the Future
35
From the Present to the Future
36
From the Present to the Future
37
From the Present to the Future
38
From the Present to the Future
39
From the Present to the Future
40
From the Present to the Future
41
From the Present to the Future
42
From the Present to the Future
43
From the Present to the Future
44
Requirements for Future Security Intelligence

• Considerations
• Breadth of data to be considered
• Depth of knowledge to be understood
• Speed required for decision making
• Functional Objectives
• Remote Discovery of IP, Ports, Services,
  Applications, Vulnerabilities, Operating Systems
• Discovery of Network Transit Paths and
  Countermeasures (vertices for all nodes)
• Target System Valuations
• Integrated Counterintelligence of the Threat
• Continuous, Scheduled, Triggered, and Adhoc
  discovery
• Use of Baseline and Benchmarks (SP-800-70)
• Open Bi-directional Integration of Functionality
  and Intelligence
• Complete and Total Integration with the Business
  Intelligence Systems

45
Requirements for Future Security Intelligence

• Measure, Manage, and Reduce Operational Risk
  through Security Intelligence

46
Foreshadowing

• The biggest upcoming threat is mobile devices
• Pod Slurping
• Mobile Manager devices
• Massive storage, low profile devices
• Generally developed without security controls in
  place
• Designed for the mass market
• We are not prepared.

47
Thank you

• mmurray_at_ncircle.com
• http//blog.ncircle.com