Insecurity in Security Software



Similar documents
INSECURITY IN SECURITY SOFTWARE

Real World and Vulnerability Protection, Performance and Remediation Report

D. Best Practices D.1. Assurance The 5 th A

Release: 1. ICASAS206A Detect and protect from spam and destructive software

Assuria can help protectively monitor firewalls for PCI compliance. Assuria can also check the configurations of personal firewalls on host devices

GFI White Paper PCI-DSS compliance and GFI Software products

PCI DSS Requirements - Security Controls and Processes

Desktop Security. Overview and Technology Guidance. Michael Ramsey Network Specialist, NC DPI

Proactive Rootkit Protection Comparison Test

Fully supported Antivirus software (Managed Antivirus)

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Windows 8 Malware Protection Test Report

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

Symantec Endpoint Protection Analyzer Report

74% 96 Action Items. Compliance

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Did you know your security solution can help with PCI compliance too?

Industrial Security for Process Automation

Virtual Desktops Security Test Report

BBM 461: SECURE PROGRAMMING INTRODUCTION. Ahmet Burak Can

How To Manage A System Vulnerability Management Program

Optimizing Windows Security Features to Block Malware and Hack Tools on USB Storage Devices

The Security Development Lifecycle

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

Microsoft Software Update Services and Managed Symantec Anti-virus. Michael Satut TSS/Crown IT Support

Nessus and Antivirus. January 31, 2014 (Revision 4)

Passing PCI Compliance How to Address the Application Security Mandates

Security Maintenance Practices. IT 4823 Information Security Administration. Patches, Fixes, and Revisions. Hardening Operating Systems

How To Manage A Patch Management Program

How To Control Vcloud Air From A Microsoft Vcloud (Vcloud)

1.3 Prohibit Direct Public Access - Prohibit direct public access between the Internet and any system component in the cardholder data environment.

Security Testing. How security testing is different Types of security attacks Threat modelling

PCI Requirements Coverage Summary Table

Zscaler Cloud Web Gateway Test

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Application Intrusion Detection

AN OVERVIEW OF VULNERABILITY SCANNERS

Software Development: The Next Security Frontier

What Do You Mean My Cloud Data Isn t Secure?

Manually Add Programs to Your Firewall or Anti-Virus Programs Trusted List. ZoneAlarm

Contact details For contacting ENISA or for general enquiries on information security awareness matters, please use the following details:

PROACTIVE PROTECTION MADE EASY

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

Symantec Endpoint Protection

Integrating Tools Into the SDLC

GFI Product Manual. Administration and Configuration Manual

SonicWALL PCI 1.1 Implementation Guide

Web Application Security

26 Protection Programs Undergo Our First Test Using Windows 8

Chapter 4 Application, Data and Host Security

Created By: 2009 Windows Server Security Best Practices Committee. Revised By: 2014 Windows Server Security Best Practices Committee

Security aspects of e-tailing. Chapter 7

ESAP Release Notes. Version Published

Agile and Secure: Can We Be Both?

Lifecycle Solutions & Services. Managed Industrial Cyber Security Services

System Security Policy Management: Advanced Audit Tasks

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

12 Security Camera System Best Practices - Cyber Safe

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

Prinect. Is Your Prinect Workflow Safe from a Cyber Attack?

PCI Data Security Standards (DSS)

OutbreakShield Effective and Immediate Protection against Virus Outbreaks

Open Data Center Alliance Usage: Provider Assurance Rev. 1.1

The Leader in Cloud Security SECURITY ADVISORY

The Challenge of a Comprehensive Network Protection. Introduction

ESAP Release Notes

Can Consumer AV Products Protect Against Critical Microsoft Vulnerabilities?

Getting started. Symantec AntiVirus Corporate Edition 8.1 for Workstations and Network Servers

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

Protecting productivity with Plant Security Services

APPLICATION SECURITY: ONE SIZE DOESN T FIT ALL

The Multiple Scan Engine Advantage and Best Practices for Optimal Security and Performance

PI Server Security Best Practice Guide Bryan Owen Cyber Security Manager OSIsoft

Network Configuration Management

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Xerox Mobile Print Cloud

Threat Modeling. Frank Piessens ) KATHOLIEKE UNIVERSITEIT LEUVEN

Endpoint Business Products Testing Report. Performed by AV-Test GmbH

Secondary DMZ: DMZ (2)

A43. Modern Hacking Techniques and IP Security. By Shawn Mullen. Las Vegas, NV IBM TRAINING. IBM Corporation 2006

Transcription:

Insecurity in Security Software Maik Morgenstern Andreas Marx AV-Test GmbH http://www.av-test.org Virus Bulletin 2005 Conference presentation about Insecurity in Security Software Copyright 2005 AV-Test GmbH, Klewitzstr. 6, D-39112 Magdeburg, Germany Phone: +49 391 6075460, Fax: +49 391 6075469, http://www.av-test.org

Table of content The paradox Types of security software Comparison of CVE advisories Examples of bugs and security vulnerabilities Why bugs occur Vulnerability lifecycle What to do? (for users and developers) Trustworthy computing development lifecycle

The paradox All software products contains security vulnerabilities (and other bugs) AV software is widely deployed to protect companies, organizations and home users Every week, security flaws are discovered in different AV products The paradox: Security software is meant to secure the system, but nowadays it introduces new security holes.

Types of security software Two different groups of security software: Home and business user software (widely used) Firewalls IPSec products IDS/IPS AV software Tools used by researchers (small deployment) IDA Pro OllyDbg Softice

CVE advisories for vendor products (2001 quarterly average = 100, Source: The Yankee Group) Microsoft / Security vendors / All vendors

Bug leading to a security vulnerability A couple of examples from the last months (advisory titles): ISS and the Witty Worm Trend Micro VSAPI ARJ parsing McAfee Virus Library Symantec Multiple Products UPX Parsing Engine Heap Overflow Computer Associates Vet Antivirus Library Remote Heap Overflow Kaspersky AntiVirus "klif.sys" Privilege Escalation Vulnerability OllyDbg "INT3 AT" Format String Vulnerability DataRescue IDA Pro Dynamic Link Library Format String Vulnerability Clam AntiVirus ClamAV Cabinet File Handling DoS Vulnerability

Bugs vs. security vulnerabilities Some more examples of the last months: Trend Micro Virus Sig 594 causes systems to experience high CPU utilization Windows NTFS Alternate Data Streams Archive Problems BitDefender bug bites GFI Panda AntiVirus deleting Tobit David communications software Symantec Brightmail AntiSpam Static Database Password McAfee Internet Security Suite 2005 Insecure File Permission

Why bugs occur: 3 main factors Technical factors The underlying complexity of the task itself Psychological factors The mental models, for example, that make it hard for human beings to design and implement secure software Real-world factors Economic and other social factors that work against security quality Source: Mark G. Graff, Kenneth R. van Wyk, Secure Coding: Principles & Practices, O'Reilly, 2003

Vulnerability lifecycle A never-ending story! 1. Discover vulnerability 2. Develop patch 3. Get alert and install patch 4. Goto 1 Source: Mark G. Graff, Kenneth R. van Wyk, Secure Coding: Principles & Practices, O'Reilly, 2003

What to do? (I) Corporate users: Update your products frequently! not only signature files in case of AV software, but really all components (e.g. engine, GUI)! Read publicly available information about newly discovered flaws and don t call the people first Try to shorten test intervals (months vs. weeks) for security vulnerability related updates Scan throughput is not the only important thing!

What to do? (II) Software developers: Check your old known-working code Check for updates of 3rd party software included in your products File format Sandbox (enforce protocol) Strategy to use minimal rights only whenever possible (do not use Administrator or Root rights) Create easy update deployment mechanisms

Trustworthy computing development lifecycle (I) Four principles of secure development: Secure by design Secure by default Secure in deployment Communications Source: Steve Lipner, Michael Howard, The Trustworthy Computing Security Development Lifecycle, Microsoft 2005

Trustworthy computing development lifecycle (II) Example (Microsoft s suggestions): Implementation phase: Apply coding and testing standards Apply security-testing tools including fuzzy logic Apply static analysis code scanning tools Conduct code reviews Source: Steve Lipner, Michael Howard, The Trustworthy Computing Security Development Lifecycle, Microsoft 2005

Summary Security vulnerabilities are an industry-wide problem Microsoft isn t the only target today anymore Every error could be security relevant when it happens in security software! Proactive actions (e.g. automated and manual code reviews, rewriting of code) has to be considered Implement several layers of security ( Sandbox ) Responsible way of updating: Update often, update early, not too often and not too early

Any questions? Are there any questions?

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information