US security body the Sans Institute has urged businesses
and governments to use their purchasing power to persuade IT
suppliers to lock down the security of their software
applications.
The appeal follows research which revealed that computer systems
are now as much at risk from security vulnerabilities in commonly
used applications and network technology as they are from operating
systems (Computer Weekly, 22 November).
For the first time, more than a third of the Sans Institute's
list of the top 20 most serious vulnerabilities comprises
weaknesses in back-up software, anti-virus software and router
technology.
Instant messaging software, file sharing applications, and a
variety of web browsers also feature on the list for the first
time.
Over the past 12 months, hackers have shifted away from
attacking operating systems to exploiting these application
vulnerabilities, said Alan Paller, director of research at the Sans
Institute.
Although suppliers have well-established procedures in place to
automatically fix security vulnerabilities in operating systems,
patching procedures for applications are still in their infancy.
"It is like we have gone back six years in security," said
Paller.
Software suppliers have found it easy to duck the problem by
blaming poor security on users, said Paller. Their products may be
full of security vulnerabilities and difficult to patch, but when
things go wrong it is all too easy for suppliers to shift the
responsibility to users.
The problem is exemplified by the US government's cyber security
strategy, which Paller described as a failure. It was created in
the aftermath of the massive denial of service attacks launched
against eBay, Yahoo and others in February 2000. Some IT security
suppliers hijacked the meeting called by president Bill Clinton a
few days later, Paller said.
"They said let's go in there and tell the president that we as
an industry should handle this. The government has no role, they
told the president. But if you read the national policy, it relies
on the goodwill and good citizenship of software suppliers to
ensure the safety of a nation. Can that be right?"
The public would not accept this sort of tactic from suppliers
in any other field, said Paller, drawing an analogy with the car
industry. In that field, the public have a responsibility to drive
safely, but they should not be responsible for going out and
researching which type of seat belts they need to fit, or for
buying the right type of drill so that they can install them.
It is time for businesses and the government to fight back and
start demanding better security from suppliers, said Paller. The
best way to achieve this is not through regulation, but through
organisations using their buying power. Businesses and government
can use contracts to shift the responsibility for security back on
to suppliers.
Paller pointed to the US Airforce, which has begun specifying
standard builds of software to Microsoft and other suppliers in
orders covering more than 500,000 desktops. The standards cover
Windows 2003, Windows XP, SQL Server, Office, Internet Explorer and
Microsoft Exchange.
"They are asking for Internet Explorer to be configured in a
certain way, and to be kept that way with patches, so they do not
undo their security settings when they do a patch," said
Paller.
The US government is keeping a close eye on the project, which
will be rolled out and tested at four airforce bases between now
and January, and it is considering making the airforce programme
available across all government agencies. The exercise is also
being watched carefully by the UK and other governments.
If it succeeds, there is no reason why Microsoft should not make
fully secure builds of its products the norm, said Paller. "It
costs the same. There is no more labour in it, no more steel in
it," he said.
In the meantime, Paller believes that UK industries are well
placed to flex their buying power muscle. Businesses in vertical
sectors such as banking and finance already meet through forums run
by the National Infrastructure Security Co-ordination Centre
(NISCC). They could use their financial clout to shift the burden
of responsibility for keeping applications secure back to the
suppliers.
The Jericho Forum, whose members include chief security officers
from leading businesses, is a good start, but vertical industry
groups are likely to have more power, said Paller.
The NISCC will do some helpful things, and the UK will benefit
from the outcome of the US Airforce project, he added.
"You have a much better mechanism than any other country in the
world. Once the supplier knows that all the major buyers are in it,
the supplier comes across instantly."
The oil industry, Paller said, could collaborate to insist that
plant equipment suppliers install anti-virus systems and automatic
security updates in their plant control equipment - an area of
security that is currently neglected.
By shifting the burden of responsibility back onto the supplier,
everyone wins, said Paller. Businesses do not have to worry that
they might break something if they patch a piece of equipment, and
suppliers earn extra revenue from offering a patching service.
Cross-platform security issues
Back-up software
Vulnerabilities discovered in back-up software can be exploited
to compromise systems running back-up servers and/or back-up
clients.
Anti-virus software
There has been a shift in focus to exploit security products
used by a large number of organisations. These include anti-virus
and personal firewall software. Gateway systems could also be
affected.
PHP-based applications
PHP is the most widely used scripting language for the web, and
problems are being reported constantly. According to some reports,
50% of the Apache servers worldwide have PHP installed.
Database software
Due to the valuable information they store, such as personal or
financial details, databases are often targeted. Since databases
are extremely complex, database applications are normally built
from a collection of programs, which creates numerous potential
vulnerabilities.
Domain Name System software
As the internet evolves, the DNS is becoming prone to attacks
that take advantage of trust, including cache poisoning, domain
hijacking, and man-in-the-middle redirection.
Media players
Vulnerabilities have been discovered in various media players.
Many allow a malicious web page or a media file to compromise a
user's system.
Instant messaging
Instant messaging applications are being used both for personal
and business purposes. They present an increasing security threat
to organisations.
File-sharing applications
Peer-to-peer file-sharing programs are used by a rapidly growing
user base. Most of these programs use a set of default ports, but
they can be set to use different ports to circumvent detection,
firewalls or egress filters.
Network products and routers
Cisco's IOS is by far the most common enterprise router and
switch operating system and enjoys a reputation for security and
robustness. However, research over the past year has revealed
several vulnerabilities that could result in denial of service
conditions or remote code execution.
Mozilla and Firefox browsers
The open source Mozilla and Firefox browsers have emerged as
viable alternatives to Internet Explorer and have been steadily
gaining market share. With this increased usage, they have come
under greater scrutiny by security auditors and hackers alike.
Juniper Operating System
JunOS is Juniper's standard router operating system and the
second most common backbone internet router. CheckPoint and
Symantec systems such as virtual private networks and firewalls are
also widely deployed. During the past year vulnerabilities were
discovered in these products that could be exploited to reboot
Juniper routers and compromise the Symantec and CheckPoint
Firewall/VPN devices.
Source: Sans Institute