According to the Ponemon Institute, the impact of data loss and theft is significant, on the order of $6.3 million per breach. Six types of exploit used in sophisticated attacks are: SQL injection, JavaScript injection, phishing, operating system vulnerabilities, malware, and covert-channel communication.

A threat is an event that can compromise the security of a system; intentional threats are planned and carried out by threat actors. Three threats particularly relevant to privacy are: malware (introduced by employees who unknowingly compromise their company's internal systems), insider threats (malicious or accidental breaches of data privacy), and external attackers (who compromise web-facing applications in order to reach the databases behind them). A vulnerability is a weakness in a system or in its security controls that allows a threat to be realized. Exposure is the extent to which information can be disclosed given the existing threats and their associated vulnerabilities. Countermeasures are controls that reduce exposure by mitigating vulnerabilities or threats; in other words, they reduce risk. Net or residual risk is the economically acceptable risk that remains after all feasible countermeasures have been implemented. Information security can be defined as the prevention of unauthorized access to, or manipulation of, information, and a system is considered secure if it can be protected against intrusions. The main methods for measuring security are:
(1) Risk analysis. This estimates the probability of specific intrusions and their consequences (impacts and costs), and establishes a trade-off between cost and level of protection. A basic risk analysis methodology consists of six phases: (i) Identify the assets. (ii) Determine the vulnerabilities. (iii) Estimate the probability of exploitation. (iv) Calculate the expected annual loss due to intrusions, which expresses the impact. (v) Summarize the applicable protection methods and their costs. (vi) Project the annual savings by trading off the cost of each protection method against the level of protection it achieves and the insecurity that remains.
(2) Evaluation/Certification. This classifies the system into classes according to the security features and mechanisms it was designed with: the better the design, the more secure the system. There are three fundamentally different certification methods: (i) Penetration analysis. A tiger team, that is, a team of security specialists, attempts to break into the system and find all of its vulnerabilities. (ii) Informal validation. Testing and verification of the system, including for example: (a) requirements verification; (b) design and code review; (c) system and software module testing. (iii) Formal verification. The system (classically, the operating system) is modelled mathematically, its security properties are stated as theorems that are proven, and the implementation is tested against the model.
Evaluation consists of assessing whether a product or system possesses the specified security properties. Certification is the formal confirmation, by a certification body, of the result of that evaluation. Accreditation is the decision that a certified product or system may be used for a given application. Certification is performed against established standards such as the Common Criteria (CC), an evolution of ITSEC (Information Technology Security Evaluation Criteria) and TCSEC (Trusted Computer System Evaluation Criteria, the "Orange Book"). The objectives of certification are: (i) To establish confidence in the system's correctness (how secure is it?). (ii) To assess the quality of the evaluation itself (how well did we do?). (iii) To document both appropriately.
(3) Operational metrics based on the intrusion process. A statistical measure of system security based on the effort (time, skill and resources) an attacker needs to carry out an intrusion: the greater the effort required, the more secure the system.
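The six-phase risk analysis in (1), carried through as an added example in Python (this is not code from the article). Each vulnerability carries an asset value, an annual probability of exploitation and an impact fraction, from which phase (iv)'s expected annual loss follows; each countermeasure carries a yearly cost and the fraction of loss it removes, and phase (vi) becomes a greedy selection of the controls whose avoided loss exceeds their cost. All figures, asset names, vulnerability names and mitigation factors are constructed for illustration; the `Vulnerability`, `Countermeasure`, `expected_annual_loss`, `net_annual_saving`, `select_countermeasures` and `report` names are this example's own.

```python
"""Quantitative risk analysis: expected annual loss vs. countermeasure cost.

Added example, not code from the article. All asset values, exploitation
probabilities, impact fractions, countermeasure costs and mitigation
factors below are constructed figures for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    name: str
    asset: str                  # phase (i): the asset at risk
    asset_value: float          # monetary value of that asset
    annual_probability: float   # phase (iii): expected exploitations per year
    impact_fraction: float      # share of asset value lost per exploitation

    def annual_loss(self) -> float:
        """Phase (iv): expected annual loss for this vulnerability."""
        return self.asset_value * self.impact_fraction * self.annual_probability


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float          # phase (v): yearly cost of the control
    mitigates: dict             # vulnerability name -> fraction of its loss removed


def expected_annual_loss(vulns, applied=()):
    """Sum of annual losses after the given countermeasures are applied.

    Reductions from several controls on the same vulnerability are treated
    as independent, so the surviving loss is the product of (1 - reduction).
    """
    total = 0.0
    for v in vulns:
        surviving = 1.0
        for cm in applied:
            surviving *= 1.0 - cm.mitigates.get(v.name, 0.0)
        total += v.annual_loss() * surviving
    return total


def net_annual_saving(vulns, applied, candidate):
    """Phase (vi): extra loss avoided by adding `candidate`, minus its cost."""
    before = expected_annual_loss(vulns, applied)
    after = expected_annual_loss(vulns, list(applied) + [candidate])
    return before - after - candidate.annual_cost


def select_countermeasures(vulns, candidates):
    """Greedy trade-off: keep adding the control with the largest positive
    net saving until no remaining control pays for itself."""
    chosen, remaining = [], list(candidates)
    while remaining:
        best = max(remaining, key=lambda cm: net_annual_saving(vulns, chosen, cm))
        if net_annual_saving(vulns, chosen, best) <= 0:
            break
        chosen.append(best)
        remaining.remove(best)
    return chosen


# Constructed inventory (phases i-iii): figures are illustrative, not real.
VULNS = [
    Vulnerability("sqli-customer-db", "customer database", 2_000_000, 0.3, 0.5),
    Vulnerability("wep-wifi", "internal network", 500_000, 0.5, 0.2),
    Vulnerability("default-router-creds", "internal network", 500_000, 0.2, 0.4),
]

# Constructed catalogue of protection methods (phase v).
CANDIDATES = [
    Countermeasure("parameterized queries + WAF", 60_000, {"sqli-customer-db": 0.9}),
    Countermeasure("WPA2 migration", 15_000, {"wep-wifi": 0.95}),
    Countermeasure("credential hardening", 5_000,
                   {"default-router-creds": 0.8, "wep-wifi": 0.1}),
    Countermeasure("premium threat feed", 80_000, {"sqli-customer-db": 0.1}),
]


def report(vulns=VULNS, candidates=CANDIDATES):
    """Return (gross ALE, chosen control names, residual ALE, total control cost)."""
    chosen = select_countermeasures(vulns, candidates)
    residual = expected_annual_loss(vulns, chosen)
    cost = sum(cm.annual_cost for cm in chosen)
    return (expected_annual_loss(vulns), [cm.name for cm in chosen], residual, cost)


if __name__ == "__main__":
    gross, names, residual, cost = report()
    print(f"expected annual loss with no controls: {gross:,.0f}")
    print(f"selected controls, in order: {names}")
    print(f"residual annual loss: {residual:,.0f} at a yearly control cost of {cost:,.0f}")
```

With the constructed figures the gross expected annual loss is 390,000; the three controls that pay for themselves are selected in order of net saving, the expensive threat feed is rejected because the loss it would avoid (a tenth of what is left of the SQL injection risk) is far below its cost, and the residual annual loss of 40,250 is the net risk of the text, accepted at a control cost of 80,000 per year. Treating overlapping controls as independent is a simplification; a real analysis would also revisit the probability estimates after each control is deployed.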
Types of Vulnerabilities.
Vulnerabilities can be classified according to a wide variety of criteria: (1) Management-related vulnerabilities. These relate to organizational policy, procedures, standards, and education and awareness. Examples include: (i) The lack of an overarching organizational security policy. (ii) The failure to incorporate security requirements into the system implementation process. (iii) The lack of documented procedures. (iv) The lack of documented security standards. (v) Poor change control. (vi) The lack of internal controls. (vii) The failure to separate incompatible functions (segregation of duties). (viii) The failure to provide security training and awareness. (2) Technical vulnerabilities. These relate to configuration, the management of authorizations and permissions, and the integrity of critical security components. Examples include: (i) Weak authentication, for example very short or easily cracked passwords, or authentication that is not mutual between client and server. (ii) Inappropriate or weak access control. (iii) Failure to monitor or log security events. (iv) Broken or faulty security mechanisms. (v) Security features not designed for the environment in which they are deployed. (vi) Faulty security protocols, in particular the original protocols of the TCP/IP architecture, which were designed without authentication; for example, flaws in DNS allow cache poisoning, which enables pharming, a more dangerous tactic than phishing because the victim is redirected even after typing the correct address. (vii) Poor use of cryptography. (viii) Unwarranted assumptions about the trustworthiness of components or inputs.
How to Search for Technical Vulnerabilities.
Some sources where new vulnerabilities and current threats can be found are: (1) CERT and other incident response teams. (2) Bugtraq. It publishes vulnerabilities even when the vendor has not yet released a patch. In 1999 it became part of SecurityFocus, and Symantec acquired SecurityFocus in 2002: http://www.securityfocus.com/vulnerabilities. BugTraq allows searching by CVE identifier or by vendor, product and version, and provides a description and analysis of the vulnerability, exploit code where available and relevant, and countermeasures such as patches. (3) Milw0rm, a large archive of exploits: http://www.milw0rm.com/. (4) Vendors that inform their customers of vulnerabilities, for example Microsoft (http://www.microsoft.com/technet/security/current.aspx), Cisco (http://www.cisco.com/en/US/products/products_security_advisories_listing.html), Oracle, etc. (5) Security vendors and other organizations offering paid subscription services.
Vulnerability Listings
Some vulnerabilities have existed for years: (1) Configuration errors: (i) Failure to remove demo or test programs shipped with products. (ii) No encryption at all (open Wi-Fi) or weak encryption (crackable WEP Wi-Fi), for example with inadequate key management. (iii) Inadequate file system permissions. (2) Default passwords that are never changed. (3) Services that expose information by design, for example the finger application protocol. Other vulnerabilities are new flaws, defects and weaknesses discovered in hardware and software products: (1) MITRE Corporation maintains CVE (Common Vulnerabilities and Exposures), a list of standardized vulnerability names. It is a dictionary, not a database: it serves as a common reference point for naming what is found and for cross-referencing with other lists. Each entry is denoted, for example, CVE-2009-0224, where 2009 is the year the identifier was assigned or the vulnerability was made public (not necessarily the year of discovery) and 0224 is the sequence number that identifies the vulnerability within that year; since 2014 the sequence number may have four or more digits. The list is available for free download at: http://cve.mitre.org/cve/
(2) US-CERT (United States Computer Emergency Readiness Team) publishes alerts and vulnerability notes (http://www.kb.cert.org/vuls/ for the vulnerability notes database and http://www.us-cert.gov/cas/alerts/ for alerts). The original CERT, the CERT Coordination Center (CERT/CC), was established at Carnegie Mellon University in 1988 in response to the Morris worm. It follows a coordinated disclosure policy, generally publishing a vulnerability only after the vendor has been notified and has had time to respond or release a fix. Today US-CERT is part of the Department of Homeland Security. Its vulnerability notes are identified by CVE names and ranked by severity using the CVSS (Common Vulnerability Scoring System) standard. Severity is categorized as high, medium or low according to the following score ranges: high (7.0 to 10.0), medium (4.0 to 6.9), and low (0.0 to 3.9). For example, CVE-2009-3068, published on September 4, 2009, has a CVSS score of 10.0 and is therefore rated high.
Final Considerations
Our research group has been working for over two decades in the area of assessment, identification, analysis, monitoring, discovery, generation, and evolution of vulnerabilities and their related security aspects, such as risks and tailored adaptive countermeasures.
This article is part of the activities carried out within the LEFIS-APTICE project (funded by the Socrates programme of the European Commission).
Author:
Prof. Dr. Javier Areitio Bertolín
Professor at the Faculty of Engineering, ESIDE.
Director of the Networks and Systems Research Group, University of Deusto.
