US CAPITOL HILL HEARING ON GOVERNMENT REFORM: TECHNOLOGY AND CYBERSECURITY
MARC MAIFFRET, CHIEF HACKING OFFICER
EEYE DIGITAL SECURITY
Statement of Marc Maiffret, Chief Hacking Officer, eEye Digital Security: Vulnerability Management Strategies and Technology
Committee on House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations, and Census
June 2, 2004
For some time, security has been a race to create new protection mechanisms for a never-ending onslaught of vulnerabilities. Vulnerabilities are at the core of what makes systems insecure. However, the vulnerabilities that organizations face are not simply system/software vulnerabilities, but also social vulnerabilities in how people interact with technology. Until not long ago, most organizations were winning the security race, because the bad guys were letting them. Things have changed, though: attackers have become smarter, and the race is over. The good guys have lost (for now), and there has never been a better time to be a criminal.
One of the main reasons the good guys are losing this battle is that security has always been reactionary. With the current trends in vulnerabilities, there is no time to react. It is important to emphasize the reactionary state of security to help better understand many of the dynamics of why we are failing.
Patches Aren't Always The Answer
If you casually look at the available studies and statistics, you could easily point the blame at organizations for not patching their systems. Then again, you could read newer studies which say that patching is not enough, that you cannot patch in a reasonable amount of time before new threats emerge (worms, viruses, exploits, etc.). Others would say that the problem is not a failure to patch, or to patch fast enough, but an increase in "zero-day" vulnerabilities: threats that take advantage of non-public vulnerabilities which do not yet have patches. Keeping all of these dynamics in mind, you have to realize that the threat from vulnerabilities which can be fixed through patches is only one of a few different types of vulnerabilities that organizations face. Organizations are also vulnerable to various software/system configuration vulnerabilities, and to social vulnerabilities.
Misconfigurations and social vulnerabilities are, at once, the most publicized types of attacks and also the least. Virus attacks are one form of social vulnerability that is typically made very public. Viruses are able to propagate from system to system based on a person interacting with software in a way that is then harmful to the system the software is running on. The problem then escalates from one person's system being infected to entire companies and groups of computer users. There are other types of vulnerabilities in software and systems that can be leveraged by attackers to take advantage of misconfiguration weaknesses in order to gain access to resources that attackers shouldn't otherwise have access to. A solid vulnerability management plan will also cover the aspects of policy and compliance, user education, and various other security facets beyond simple patch remediation.
Security According to Specific Needs
At the heart of every organization's security strategy should be vulnerability management. Most organizations would love to have the single silver bullet for vulnerability management, and while security companies will all claim that they offer it, there is no one solution. Instead, one of the most important aspects of creating a good vulnerability management plan is to first understand what is critical within your organization. From the private sector to the public, from financial services to health care, there are many differences in what is critical within an organization, and therefore different security requirements.
One of the first things to accept, in securing a large enterprise, is that the odds of you being impervious to attack are about as good as a drunken road trip to Vegas and betting your next house payment on black. There are no two ways around it; the odds are that there will always be a way for a hacker to penetrate your network. That is why it is important to understand what is critical within your organization, and to focus on those critical points first, before trying to tackle the security of your organization in its entirety. Obviously there are various levels of security a company can obtain, and with that there are various layers of security that are required to advance to the next level. To understand what layers of security are required for your organization to reach various levels of security, you must first understand the types of threats your organization could possibly face.
Imagine for a moment that there are potentially thousands upon thousands of people who live for "the thrill of the hack": from the young boy working all hours of the night to find that next vulnerable system, to the next virus writer hoping to see their work made public around the world. There are many different types of computer criminals, and for the most part none of them seem to care which computers they target. Now take that image of computer "criminals" and never think of it again. Times have changed, and while some things have remained the same, the motivation and the people behind computer intrusions have drastically changed.
As with any "free" and open system (computers, networks, the Internet, etc.) that relies heavily on trust, the fun has to eventually come to an end. The bad guys have grown all too aware of the fact that technology is creating new opportunities to profit and proliferate from the same common criminal ideas that have existed for many years. This is all very evident from the investigations performed by the Federal Bureau of Investigation into various online fraud activities, many of which lead back to countries where organized crime is able to operate more freely because of lax computer security laws and poor relations with the U.S. There are other attacks, beyond simple online fraud, that are more sophisticated: attacks that target specific companies and leverage things unique to an organization in order for an attacker to acquire whatever it is they are after. Regardless of whether you want to believe the "boogeyman" stories of organized crime or foreign nations breaking into your computer networks, the one attacker that almost all organizations have met face to face is the computer worm.
A computer worm is a program that leverages a "vulnerability" (typically in software) to replicate itself from one computer to another without requiring any human interaction. Depending on the computer worm, there is sometimes a "payload" included with it. Payloads can be anything from malicious code that uses thousands of worm-infected systems to create a coordinated attack against a target system, to code that simply attempts to disrupt or destroy data on infected systems. While the idea of computer worms sounds scary, the idea is nothing new.
Friday, June 04, 2004