The Top Twenty Internet Security Vulnerabilities. and How To Get Rid Of Them

1 The Top Twenty Internet Security Vulnerabilities and How To Get Rid Of Them

2 Agenda
Technical briefing on the Top 20:
What damage and costs are enabled by these vulnerabilities?
Best practice in eliminating them: the NASA and DoT stories
How are the Top 20 determined?
Understanding and blocking the vulnerabilities.
Questions
Technical briefing on lessons learned in FISMA

3 The Slapper Worm
Sept.
Tens of thousands of victims
Attacked SSL vulnerabilities in Linux Apache web servers
Collected victims in a network ready for use in DDoS attacks

4 The Slammer Worm
January
,000 victims in 10 minutes
Attacked a vulnerability in SQL Server that was also embedded in other software
Disabled ATM machines, disabled 911 systems, disabled airline scheduling systems

5 Big problem is hidden vulnerability
"Although Beth Israel (hospital in Boston) had patched its SQL Server machines using Service Pack 3 in July, IT staff didn't anticipate the worm spreading through the vulnerable Microsoft Data Engine 2000 (MSDE) component, which was also affected by the SQL vulnerability and was installed on personal computers running Microsoft Office XP in the hospital's research area and in private offices. Those nonserver machines caused the slowdowns on the hospital's network." (IDG News Service, January)

6 Slapper victims act
339 Slapper victim systems attack a US intelligence agency web site
More than 1,000,000 packets per second
Intelligence agency site knocked out from 9 AM Friday to 11 AM Saturday
339 is about 1% of Slapper's 30,000 victims.

7 Code Red and Nimda
150,000 to 300,000 victims
Exploited a Microsoft IIS vulnerability
Clean-up costs were $300-$600 per system. Adds up to $80 million in direct labor
Left back doors

8 Code Red made 150,000 systems vulnerable to instant attack by anyone on the web

9 Worms
Enable DDoS attacks
Cost a fortune to clean
Steal passwords and leave back doors
All made possible by common vulnerabilities

10 Economic Crime
Changing web pages
Stealing credit card numbers and other private data

11 Appalled by the ruthless attempt to manipulate
Denies fallacious press release on their own website

12 More than 100 organizations report extortion
40 victims in 20 states
Organized crime groups in Russia and Ukraine

13 Hacker Recreation
Web defacement
Storage
Cut-outs

14 How many .gov & .mil sites were hacked in 100 days?
Administrative Office of the U.S. Courts
Army NE Region Civilian Personnel Operation Center (cpocner.apg.army)
Army Signal Command
Washington, DC
Defense Automated Printing Service (dodssp.daps.mil)
DISA Information Systems Center (maestro.den.disa.mil)
DOI US Bureau of Reclamation
DOI US DOI, Bureau of Land Management (adoptahorse.blm.gov)
DoT National Transportation Safety Board
DoT United States Department of Transportation (stratplan.dot.gov)
Energy Sandia National Laboratories (samt4831.sandia.gov)
Federal Maritime Commission
Government Printing Office
Multistate Tax Commission
NASA #2 Technical Info, Jet Propulsion Labs (NASA) (techinfo.jpl.nasa.gov)
NASA Aviation Systems Division
NASA LARC NASA (se-pc7.larc.nasa.gov)
NASA National Aeronautics and Space Administration (toyota.gsfc.nasa.gov)
NASA Technology Server, NASA (technology.nasa.gov)
National Highway Traffic Safety Administration
National Institutes of Health (intra.ninds.nih.gov)
National Library of Medicine SIS5 Server, NIH (sis5.nlm.nih.gov)
MORE.

15 More .gov and .mil sites hacked
NOAA Central Administrative Support Center, NOAA
NOAA National Oceanic and Atmospheric Admin (storms-dev.nos.noaa.gov)
NOAA National Oceanic and Atmospheric Administration (vortex.cmdl.noaa.gov)
NSF National Science Foundation (roga.nsf.gov)
U.S. Fish and Wildlife Service
Uniformed Services University of the Health Science (bb.lrc.usuhs.mil)
Uniformed Services University of the Health Science (rcslinux.lrc.usuhs.mil)
US Navy Naval Computer and Telecommunications Station (med01.nctsw.navy.mil)
US Navy Jaxm Navy
US Navy Naval Ocean Systems Center (iph-nt5.nosc.mil)
US Navy Naval Pacific Meteorology and Oceanography Center, Yokosuka, Japan
US Navy NLMOC Navy (jf.nlmoc.navy.mil)
US Navy
US Office of Surface Mining (feecomp.osmre.gov)
USGS United States Geological Survey (mrdata.usgs.gov)
Total reported and mirrored at attrition.org, Aug 1 to Nov 10, 2000: 37
By spring 2001, on average one new site was defaced every day: 100
How could that many be defaced in such a short time?

16 A hacker is watching this young man through the young man's web cam.

17 The young man is reading words the hacker caused to appear on the young man's computer screen.

18 Major costs
Worms for DDoS
Economic crimes, primarily extortion
Web defacement and loss of privacy

19 The Bottom Line A small number of vulnerabilities account for a large share of successful attacks.

20 Best Practice In Eliminating The Top Vulnerabilities: The NASA Case Story

21 NASA Is A Prime Target Of Attackers
Large open network: 80,000 systems of researchers
High visibility web site: photographs from the space program
Symbol of US power
Technology of interest to governments and companies around the world

22 NASA's program, part 1
Summer 1999: identified high priority vulnerabilities that could be tested remotely
Acquired a scanning tool
Tested all 80,000 systems quarterly
Computed ratio of vulnerabilities to machines
Started at 1.3. Within 12 months the ratio was 0.16
Set an even lower goal of 0.01
Within 12 more months the ratio was (fewer than 7 vulnerabilities per thousand systems)

23 NASA's program, part 2
9 months into the project, a second set of vulnerabilities was introduced with a target ratio of 0.25 vulnerabilities/system scanned
Within six months the ratio was 0.097.
Implemented a third and fourth series in FY02
Resources are educated and prepared so new vulnerabilities can be eliminated almost immediately.

24 Proof that NASA's program works
[Chart: Ratio of Successful Attacks to Hostile Probes, y-axis 0% to 10%, plotted by quarter (Q1 to Q4) for two series, Agency and US-DoD]

25 Lessons learned
Giving sysadmins time to fix problems before requiring the first report to headquarters allows sysadmins to succeed (and become security heroes).
Using a series of sets of a limited number of vulnerabilities allowed expertise to be developed and tools to be shared for correcting the problems.
Plotting ratios of all NASA centers on the same chart led to healthy competition.
Senior executives pay attention to the charts, and the resultant visibility empowers the sysadmins to act.

26 Does full-scale vulnerability testing work just as well?
A company experiences a penetration and senior management demands vulnerability testing.
Vulnerability testing tools compete for customers based on the number of tests they run.
Users do not know which tests to leave out, so they run all the tests.
The complete scan report has 5-30 vulnerabilities per system. A 10,000 system scan can result in more than 50,000 things to fix.
Senior security or executive management sends the huge report to the sysadmins with a note saying they must be fixed in six weeks.

27 What happens next
Sysadmins see certain defeat and consider quitting.
They recognize senior management support allows them to fix the most critical vulnerabilities, so they start.
They are pulled off the project for some more critical (marketing) short term project.
Another penetration happens and the cycle begins again.

28 How does NASA's approach help?
Sysadmins can succeed because the job is one that can be finished quickly.
Visible monitoring maintains attention and pressure to complete the task.
Satisfaction rises

29 Key lessons from NASA
Check every machine
Start with a small set of vulnerabilities: those that are exploited most often
Allow the system administrators to compete and win the race to remove the vulnerabilities
When set 1 is fixed, start on set 2; continue testing set 1.
Use the capability and skills to remove critical new vulnerabilities rapidly
Costs are surprisingly low: $30-40 per machine, and most of that is sysadmin labor.
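The metric that slides 22, 23 and 29 describe (findings from a fixed vulnerability set divided by machines scanned, tracked per center and per quarter, ranked so centers compete, checked against the set's target) is shown here as an added Python example; it is not NASA's or the Top 20 project's own tooling, and the scan format, center names, host names and vulnerability ids are constructed for the example.

```python
from collections import defaultdict

# Target ratios (findings per machine scanned) quoted on the slides: set 1 goal 0.01, set 2 goal 0.25.
TARGETS = {1: 0.01, 2: 0.25}

# Constructed sample scanner output, one line per (host, finding):
# quarter,center,host,set,vuln_id. A clean host is listed once with set 0
# so it still counts in the denominator (every machine is checked).
SAMPLE_SCAN = """\
Q1,Ames,a1,1,V-001
Q1,Ames,a1,1,V-002
Q1,Ames,a2,1,V-001
Q1,Ames,a3,0,clean
Q1,Goddard,g1,1,V-003
Q1,Goddard,g2,0,clean
Q2,Ames,a1,2,V-010
Q2,Ames,a2,1,V-001
Q2,Ames,a3,0,clean
Q2,Goddard,g1,0,clean
Q2,Goddard,g2,0,clean
"""

def parse_scan(text):
    """Parse CSV lines into (quarter, center, host, set, vuln) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            quarter, center, host, set_no, vuln = line.split(",")
            records.append((quarter, center, host, int(set_no), vuln))
    return records

def ratios(records):
    """Return {(quarter, set): {center: findings / distinct hosts scanned}}."""
    hosts = defaultdict(set)      # (quarter, center) -> hosts scanned
    findings = defaultdict(int)   # (quarter, set, center) -> finding count
    for quarter, center, host, set_no, _vuln in records:
        hosts[(quarter, center)].add(host)
        if set_no in TARGETS:
            findings[(quarter, set_no, center)] += 1
    out = defaultdict(dict)
    for (quarter, center), hs in hosts.items():
        for set_no in TARGETS:   # a set with no findings still gets a ratio of 0.0
            out[(quarter, set_no)][center] = findings[(quarter, set_no, center)] / len(hs)
    return dict(out)

def scorecard(records):
    """Per quarter and set: centers ranked best (lowest ratio) first, with a target-met flag."""
    card = {}
    for (quarter, set_no), per_center in ratios(records).items():
        ranked = sorted(per_center.items(), key=lambda kv: kv[1])
        card[(quarter, set_no)] = [(c, round(r, 3), r <= TARGETS[set_no])
                                   for c, r in ranked]
    return card
```

Plotting the per-center ratios for one set across quarters gives the shared chart the slides credit with driving competition; a center is done with set 1 when its flag is True in two consecutive quarters.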

30 The Top 20 Internet Security Vulnerabilities

31 Started in July 2000
Goal: allow other organizations to get the benefits NASA was experiencing
First year: 10 items, no testing tools
Second year: 20 items, some not testable, one testing tool.
Third year: 20 items, all testable, seven tools including all the leaders
This year: updated lists.

32 How are they chosen?
The team: thirty people and organizations that have front line experience in red teaming, forensics and compromise-related activities (examples: NSA, NASA, SANS, CERT/CC).
Each is invited to list the top twenty based on what they have seen as vehicles for successful attacks.
The project leader (Jeff Campione of the Federal Reserve) compiles the first ranking.
The team reaches consensus.

33 Action Plan
Get management support for a project to reduce vulnerabilities.
Set up a sysadmin/security group to oversee the project and share techniques for correcting problems.
Offer a Top 20 testing capability to all divisions for 90 days before asking for results.
Run quarterly tests.
Set an organizational goal.
Get management to reward organizational units that do the best job.

34 What Are The Top 20?
Erik Kamerling, Top 20 Project Director