Hot or Not: SCAP is Heating Up

In the dark ages of vulnerability assessment and system security, rating the risks associated with software vulnerabilities and evaluating secure system configurations were largely subjective endeavors. Essentially, every enterprise was forced to rely on the vague risk rankings of software makers as to how severely a software flaw truly would jeopardize the security of the IT infrastructure. Additionally, when it came to hardening servers, endpoints and application implementations, many organizations created their own security checklists to harden desktops and servers — pulling the information, the best they could, from various sources such as industry practices and vendor guides.

To bring some objectivity and standardization to the process, the National Institute of Standards and Technology (NIST) recently released its first draft of the Security Content Automation Protocol (SCAP). SCAP, as NIST explains, is a standards-based method to enable automated vulnerability management, measurement and policy compliance evaluation. SCAP is based on a number of existing, well-used, open standards that itemize software flaws, security configurations, and various product names. When brought together, these standards make it possible to rank security flaws, as well as security configurations, so that the impact of security vulnerabilities and misconfigured systems can be measured. To do so, SCAP leverages the following standards:

  – Common Vulnerabilities and Exposures (CVE)
  – Common Configuration Enumeration (CCE)
  – Common Platform Enumeration (CPE)
  – Common Vulnerability Scoring System (CVSS)

As more security vendors embrace SCAP, expect the adoption of SCAP to broaden throughout the commercial sector as the interoperability benefits grow — and subjective security makes way for a more measured risk posture.

Hot or Not: Web Application Vulnerabilities Hit Inflection Point

When it comes to software vulnerabilities, 2008 will go down as a seminal year. It turned out to be a year when the types of applications targeted by attackers shifted, and we witnessed a significant rise in both the number of vulnerabilities discovered and the number of vulnerabilities found in web applications.

Consider this: Though there was an overall 15 percent rise in vulnerabilities discovered last year, 60 percent of those uncovered were web application flaws. The biggest jump in that class of vulnerabilities was seen in SQL-injection flaws, which doubled year over year. And while desktop and client-side software still is targeted heavily, Microsoft Office’s Excel spreadsheet application had the most critical vulnerabilities within that productivity suite. In addition, 11 percent of web vulnerabilities were cross-site scripting flaws, while all other web-related vulnerabilities accounted for 26 percent of the total.

One of the most important trends last year was a surge in critical server vulnerabilities that don’t require user intervention to exploit, such as CVE-2008-1447, which described a weakness in the DNS protocol that made it possible to conduct DNS cache poisoning attacks. In this type of attack, name servers can be made to direct users to an incorrect, even malicious, web site or e-mail server, and to redirect other types of traffic to systems under the attacker’s control.

Hot or Not: SCADA Security is Hot

The notion of supervisory control and data acquisition (SCADA) system security seemed not long ago to be a topic of interest only to those who ran complex industrial control systems, water treatment plants, and power generation – and in some ways it still is. But for anyone who attended the SANS 2009 SCADA and Process Control Summit recently, it became clear that the convergence of IT security and physical security is accelerating.

This is happening as more IT systems are managing physical systems – and it’s no longer only utilities and the critical infrastructure that rely on SCADA systems for management. These days we see more traditional industries, such as manufacturing, turning to SCADA systems, while health care and many other industries are, or soon will be, using telematics to manage all types of far-flung devices. In coming years, the security of physical control systems will be part of many IT security managers' bag of responsibilities. 

One thing certainly is clear to me after researching the subject: Many SCADA systems are inherently vulnerable. First, these systems never were designed with network security in mind, and these systems increasingly are being connected to the internet. That’s not an especially encouraging situation. 

In fact, increasingly, SCADA devices are falling vulnerable to the same kind of software vulnerabilities that have been plaguing IT systems and applications for years. Just last month, Paris-based Areva warned its customers that an important part of its energy management software was vulnerable after software flaws were found in several versions (5.5, 5.6, 5.7) of its e-terrahabitat package. As the U.S. Computer Emergency Readiness Team (US-CERT) warned, a number of buffer overflow and denial-of-service vulnerabilities made versions 5.5, 5.6, and 5.7 of e-terrahabitat susceptible to tampering. Customers using earlier versions needed to upgrade as well.

Theoretically, SCADA systems should not be exposed to the internet, but I fear they increasingly are being connected to IP networks. In most industries, SCADA systems should be completely air-gapped from data networks, thus significantly mitigating the risk of attack. However, more installations are using SCADA to manage their systems remotely, or even connect the systems to an internet-enabled corporate network to collect and analyze data. As this trend continues, SCADA systems increasingly must be treated as any other networked device: They must be identified, inventoried, and analyzed for vulnerabilities.

Hot or Not: Network Embedded Device Security Threats

While security managers find it challenging enough to maintain secure patch levels across their organisations' desktops, servers and networking gear, there’s a new class of network equipment that you’ll need to add to the list: high-end networked scanners, copiers, printers and multi-function devices. These may not be the devices most targeted for attack right now, but they’re likely to move up that list very soon.

First, the manufacturers are increasingly moving away from proprietary operating systems and software that run these devices in favour of readily-available operating systems. Second, there has been heightened visibility regarding the vulnerabilities associated with these devices, including a presentation at this year’s Black Hat security conference. Recently, while at a customer site, we identified vulnerabilities on a networked printer that left the organisation open to attack.

Until recently, these types of devices were based on specialised software running on RISC-based processors, and few attackers had the knowledge or skills necessary to identify and exploit the vulnerabilities that would make a successful attack possible. Today, more of these devices are built on traditional Intel processors running common operating systems such as Linux, and even Apache Web server software. That’s why high-end multi-function devices and printers are beginning to look amazingly similar to any other IT appliance attached to the network.

The result is that they’re now vulnerable to the same types of attacks as standard desktops and servers, and can be used as a potential jump-point to other devices and systems, to monitor data traveling across the network, or to launch DoS attacks. And the data actually residing on these devices can be critical, even regulated. More and more of these devices are coming equipped with hard disks, and everything copied can be cached.

Hot or Not: Software Update Vulnerabilities

There’s been considerable discussion recently about how automatic software updates, such as those to download security patches, can be used as potential vectors of attack. This is unfortunate, as one of the primary tenets of keeping systems relatively secure is to maintain current patch levels. And when most users, including probably most businesses, need to update their systems, they tend to trust and download the updates presented to them without confirming their authenticity.

In SC Magazine’s Hot or Not: Software Update Vulnerabilities, Amol Sarwate of the Qualys Vulnerabilities Research Lab discusses how automatic update features in many software applications are proving to be vulnerable to attack now that hackers are taking notice.

Hot or Not: What You Need to Know to Keep Mac OS X Secure

When it comes to security, Apple isn’t sitting still. Amol Sarwate, guest columnist for SC Magazine’s Hot or Not column, looks at some of the new features inherent in OS X 10.5 that help keep the system secure. According to Apple, these security enhancements were added to 10.5, released last fall:

  • Tagging and first-run warning: Mac OS X 10.5 marks files that are downloaded to help prevent users from inadvertently running malicious downloaded applications.
  • Runtime protection: New technologies such as execute disable, library randomization, and sandboxing help prevent attacks that try to hijack or modify system software.
  • Improved firewall: After the new application firewall is activated, the firewall configures itself so that users get the benefits of firewall protection without having to understand the details of network ports and protocols.
  • Mandatory access control: Mandatory access controls enforce restrictions on access to system resources. Not even a compromised "root" user can change some settings.
  • Application signing: This enables users to verify the integrity and identity of applications on the Mac.
  • Improved secure connectivity: Virtual private network (VPN) support has been enhanced to connect to more of the most popular VPN servers, without additional software.

Hot or Not: Web Application Firewalls for Security and Regulatory Compliance

Qualys Vulnerabilities Research Lab manager Amol Sarwate recently discussed Web application firewalls (WAF) for security and regulatory compliance in SC Magazine’s Hot or Not feature. In the feature, Amol provides considerations to ensure the proper WAF is chosen to fit an organization’s specific needs. Readers are also pointed to the Open Web Application Security Project (OWASP), which provides an abundance of Web application security educational information, including the top 10 most prevalent web application attacks.
