Improving Security through Software - PowerPoint PPT Presentation

Slides: 15
Provided by: warren99
Learn more at: https://minnie.tuhs.org

Transcript and Presenter's Notes

1
Improving Security through Software
Dr Warren Toomey
School of Computer Science
Australian Defence Force Academy
2
Introduction
  • Software insecurity causes most system
    vulnerabilities
  • 1998 Internet survey
  • 85 of the 36 million systems examined
  • 1 (450,000) systems had software holes
  • New software holes found on a daily basis
  • 35 Microsoft bulletins in last 12 months
  • 22 from SGI, 14 from Sun, 10 from Cisco

3
Assumptions
  • All software has bugs
  • there's always one more bug
  • Some bugs are security holes
  • Software configuration causes holes
  • Software use causes security holes
  • Many attacks come from inside
  • Moral: Audit and fix your software base

4
Audit Software
  • In-House: Use Y2K audit to help find holes
  • Use existing programmers' knowledge
  • Put your programmers on security courses
  • Otherwise, get consultants to do audit
  • Off the Shelf: Software not easy to audit
  • Don't trust vendors' own opinion of security
  • Find and use independent reports/surveys

5
Read Security Bulletins
  • Many vendors put out security bulletins
  • Microsoft, Sun, Cisco, Netscape, SGI, HP ...
  • These announce newly found holes, their
    significance and how to fix them
  • Also read bulletins/advisories from CERT,
    AUSCERT, FIRST
  • Verify bulletins' authenticity: PGP etc.
  • Fix security holes quickly: day-zero attacks

6
Read Security Maillists
  • Examples: Bugtraq, NT Bugtraq mail lists
  • URLs: securityfocus.com, ntbugtraq.com
  • Public arena for:
  • Discussion of new vulnerabilities
  • Dissemination of detection/exploit code
  • Both white-hats and hackers read these lists
  • Hackers use this information for day-zero attacks

7
Read Security Maillists
  • Not as trustworthy as vendor, CERT bulletins
  • However, new holes are described here weeks
    before vendor bulletins
  • Some individuals are trustworthy
  • Some are unofficial representatives of software
    vendors

8
Reconfigure Software
  • Configuration creates many security holes
  • Consult software install/configure manuals for
    security recommendations
  • Consult vendors, 3rd parties for security
    recommendations
  • Use vulnerability detection software to audit
    configuration, monitor changes
  • Keep good backups: you will need them when you
    are broken into

9
Open Source Software
  • Consider using Open Source software for
    new/replacement software
  • Distributed in source form
  • Thousands of people read the source
  • Hackers find weaknesses quickly
  • Good guys can fix the problem quickly
  • Fast understanding of new security attacks
  • You can buy support for these products

10
Open Source Software
  • In general, Open Source more trustworthy than
    proprietary software
  • The code you see is the code you get
  • Ditto for published encryption techniques: DES,
    RSA, AES etc.
  • Open Source very useful for server deployment,
    not quite ready for desktop
  • Apache, Perl, PGP, Gnu C, Bind, Sendmail, Linux,
    FreeBSD

11
Software for Security
  • Encryption at application level: PGP, ssh, SSL,
    S/Key
  • Encryption at network level: SKIP, VPN
  • Intrusion Detection software: various
  • Anti-virus software: various, for both desktop
    and server
  • Configuration vulnerabilities: various
  • Configuration change detection: various

12
Change Use of Software
  • Software use also causes many holes
  • Opening of virus-infected programs, documents
  • Make users aware of software security
  • Encourage users to report issues, react
    positively. Encourage technical staff to report
    deficiencies, suggest improvements
  • Send the message: security is important to us all

13
Conclusion
  • Software will always be vulnerable to attack
  • Intense effort by hackers to find new holes
    and exploit them
  • Audit, find and fix holes in your existing software
    base
  • Audit, find and fix holes in your software
    configuration
  • Follow bulletins, mail lists to keep abreast of
    new holes

14
Conclusion
  • Think security when replacing software, procuring
    new software
  • Deploy software to enhance your security
  • Encourage all to use software with security in
    mind