US security body the Sans Institute has urged businesses and governments to use their purchasing power to persuade IT suppliers to lock down the security of their software applications.
The appeal follows research which revealed that computer systems are now as much at risk from security vulnerabilities in commonly used applications and network technology as they are from operating systems (Computer Weekly, 22 November).
For the first time, more than a third of the Sans Institute's list of the top 20 most serious vulnerabilities comprises weaknesses in back-up software, anti-virus software and router technology.
Instant messaging software, file sharing applications, and a variety of web browsers also feature on the list for the first time.
Over the past 12 months, hackers have shifted away from attacking operating systems to exploiting these application vulnerabilities, said Alan Paller, director of research at the Sans Institute.
Although suppliers have well-established procedures in place to automatically fix security vulnerabilities in operating systems, patching procedures for applications are still in their infancy. "It is like we have gone back six years in security," said Paller.
Software suppliers have found it easy to duck the problem by blaming poor security on users, said Paller. Their products may be full of security vulnerabilities and difficult to patch, but when things go wrong it is all too easy for suppliers to shift the responsibility to users.
The problem is exemplified by the US government's cyber security strategy, which Paller described as a failure. It was created in the aftermath of the massive denial of service attacks launched against eBay, Yahoo and others in February 2000. Some IT security suppliers hijacked the meeting called by president Bill Clinton a few days later, Paller said.
"They said let's go in there and tell the president that we as an industry should handle this. The government has no role, they told the president. But if you read the national policy, it relies on the goodwill and good citizenship of software suppliers to ensure the safety of a nation. Can that be right?"
The public would not accept this sort of tactic from suppliers in any other field, said Paller, drawing an analogy with the car industry. In that field, the public have a responsibility to drive safely, but they should not be responsible for going out and researching which type of seat belts they need to fit, or for buying the right type of drill so that they can install them.
It is time for businesses and the government to fight back and start demanding better security from suppliers, said Paller. The best way to achieve this is not through regulation, but through organisations using their buying power. Businesses and government can use contracts to shift the responsibility for security back on to suppliers.
Paller pointed to the US Airforce, which has begun specifying standard builds of software to Microsoft and other suppliers in orders covering more than 500,000 desktops. The standards cover Windows 2003, Windows XP, SQL Server, Office, Internet Explorer and Microsoft Exchange.
"They are asking for Internet Explorer to be configured in a certain way, and to be kept that way with patches, so they do not undo their security settings when they do a patch," said Paller.
The US government is keeping a close eye on the project, which will be rolled out and tested at four airforce bases between now and January, and it is considering making the airforce programme available across all government agencies. The exercise is also being watched carefully by the UK and other governments.
If it succeeds, there is no reason why Microsoft should not make fully secure builds of its products the norm, said Paller. "It costs the same. There is no more labour in it, no more steel in it," he said.
In the meantime, Paller believes that UK industries are well placed to flex their buying power muscle. Businesses in vertical sectors such as banking and finance already meet through forums run by the National Infrastructure Security Co-ordination Centre (NISCC). They could use their financial clout to shift the burden of responsibility for keeping applications secure back to the suppliers.
The Jericho Forum, whose members include chief security officers from leading businesses is a good start, but vertical industry groups are likely to have more power, said Paller.
The NISCC will do some helpful things, and the UK will benefit from the outcome of the US Airforce project, he added.
"You have a much better mechanism than any other country in the world. Once the supplier knows that all the major buyers are in it, the supplier comes across instantly."
The oil industry, Paller said, could collaborate to insist that plant equipment suppliers install anti-virus systems and automatic security updates in their plant control equipment - an area of security that is currently neglected.
By shifting the burden of responsibility back onto the supplier, everyone wins, said Paller. Businesses do not have to worry that they might break something if they patch a piece of equipment, and suppliers earn extra revenue from offering a patching service.
Cross-platform security issues
Vulnerabilities discovered in back-up software can be exploited to compromise systems running back-up servers and/or back-up clients.
There has been a shift in focus to exploit security products used by a large number of organisations. These include anti-virus and personal firewall software. Gateway systems could also be affected.
PHP is the most widely used scripting language for the web, and problems are being reported constantly. According to some reports, 50% of the Apache servers worldwide have PHP installed.
Due to the valuable information they store, such as personal or financial details, databases are often targeted. Since databases are extremely complex, applications are normally made up of a collection of programs, creating numerous vulnerabilities.
Domain Name System software
As the internet evolves, the DNS is becoming prone to attacks that take advantage of trust, including cache poisoning, domain hijacking, and man-in-the-middle redirection.
Vulnerabilities have been discovered in various media players. Many allow a malicious web page or a media file to compromise a user's system.
Instant messaging applications are being used both for personal and business purposes. They present an increasing security threat to organisations.
Peer-to-peer file-sharing programs are used by a rapidly growing user base. Most of these programs use a set of default ports, but they can be set to use different ports to circumvent detection, firewalls or egress filters.
Network products and routers
Cisco's IOS is by far the most common enterprise router and switch operating system and enjoys a reputation for security and robustness. However, research over the past year has revealed several vulnerabilities that could result in denial of service conditions or remote code execution vulnerabilities.
Mozilla and Firefox browsers
The open source Mozilla and Firefox browsers have emerged as viable alternatives to Internet Explorer and have been steadily gaining market share. With this increased usage, they have come under greater scrutiny by security auditors and hackers alike.
Juniper Operating System
JunOS is Juniper's standard router operating system and the second most common backbone internet router. CheckPoint and Symantec systems such as virtual private networks and firewalls are also widely deployed. During the past year vulnerabilities were discovered in these products that could be exploited to reboot Juniper routers and compromise the Symantec and CheckPoint Firewall/VPN devices.
Source: Sans Institute
This was first published in November 2005