Hendon Publishing - Article Archive Details
Rapid7’s NeXpose Enterprise solution solves the need for vulnerability management
The public safety community is coming increasingly under attack as hackers find more innovative methods to invade wired and wireless networks. Fraud, identity theft, and system repair downtime, as well as both regulatory and legal fines, are all intolerable impediments associated with these threats.
Cyber criminals are constantly scanning IP addresses looking for vulnerabilities that can be exploited. The goal of attackers is no longer just simple acts of site defacement for media attention. Symantec reported in its 2008 Global Internet Security Threat Report that site-specific XSS vulnerabilities increased by 61%, but the average patch development time was 52 days, which further demonstrates how patch development is struggling to keep pace with the number of vulnerabilities being found. The new breed of exploit is designed to serve organized crime rather than to simply embarrass an organization. These exploits are designed to work silently, gathering data and remaining undetected while carrying out their goals on the systems of unsuspecting victims. The increasing sophistication of these exploits has left network administrators struggling to keep up with the rapid pace of change. In addition, businesses continue to face the devastating legal and financial repercussions of data theft from data breaches.
The number of discovered vulnerabilities continues to increase rapidly. As of September 2009, the National Institute of Standards and Technology (NIST) reported nearly 37,000 known CVE vulnerabilities as part of the National Vulnerability Database (NVD), which is nearly an eightfold increase from the 4,500 vulnerabilities reported five years earlier in 2004. The CVE publication rate is 20 new vulnerabilities per day. But it is not just the sheer number of vulnerabilities that is worrisome; it is also the speed at which the vulnerabilities are now being successfully exploited even when a vendor patch is available.
For example, Microsoft released an emergency out-of-band patch on Oct. 23, 2008, to address a particular Microsoft Windows operating system network service vulnerability (MS08-067). However, many network administrators failed to patch their systems in a timely manner, so a large number of Windows PCs remained unpatched and fell victim to the first variant of the Conficker worm detected in November 2008. The Conficker worm was designed to propagate through the Internet by exploiting the vulnerability that could have been easily patched with MS08-067. By January 2009, more than 7 million government, business and home computers in over 200 countries were under the control of one of the many variants of Conficker. The ability of Conficker to combine many advanced malware techniques allowed it to spread quickly into what is now believed to be one of the largest computer worm infections in history. The rapid spread of Conficker, even when a vendor security patch was already available, demonstrates the challenge that security managers face in keeping their systems up-to-date as part of ongoing vulnerability management programs. Without a systematic process to detect, prioritize, delegate and effectively remediate vulnerabilities, enterprises will continue to suffer from successful attacks.
Firewalls, antivirus software, intrusion detection systems (IDS) and other security products can give IT administrators a false sense of security that leads them to believe they are shielded from intrusion. Web-based attacks that target Web and database servers can bypass firewalls and virus scanners using techniques such as SQL injection and buffer overflows.
Laptops that employees move from network to network are especially vulnerable and can be the catalyst for exploits entering the corporate network. Intrusion detection systems are installed at the network perimeter but don’t usually detect internally generated threats. Those that can are often unable to stop the offending machine from infecting other machines, as they do not control the routers operating on the internal segments. With all these varying security threats, how does an enterprise secure its environment and ensure that the level of risk to its corporate assets is reduced?
Over the past few years, the number and variety of network and system security tools has grown substantially. While some of these tools may be sufficient to address specific security concerns, the majority of these solutions are simply inadequate for protecting IT infrastructures. In any organization, centralized security practices and policies ensure corporate-wide network availability, integrity and confidentiality. A formalized and centralized vulnerability management process that identifies and tests for policy violations is a required component in proactively securing network assets.
Many vulnerability assessment and remediation initiatives fail. Disparate scan results on hundreds of systems yield thousands of identified vulnerabilities, challenging IT managers’ efforts to effectively consolidate network information, eliminate false positives, and efficiently delegate remediation tasks to their administrators.
The U.S. Computer Emergency Readiness Team (US-CERT) has reported that nearly 99% of all intrusions result from exploitation of known vulnerabilities or common configuration errors. In addition, 90% of all Internet attacks are imitations. Therefore, network intrusions can be essentially avoided if companies take the initiative to follow a strict policy of performing regular vulnerability assessment and proactive remediation across the entire enterprise.
The Rapid7 Solution
Rapid7’s flagship product, NeXpose Enterprise, is a vulnerability assessment, policy compliance and remediation management solution designed for organizations with large networks that require the highest levels of scalability, performance, customizability and deployment flexibility.
Until now, organizations have been required to buy multiple products to audit their networks and operating systems, Web servers and Web applications, and databases, which resulted in separate reports that needed to somehow be consolidated in order to identify which systems were the highest risk to the organization. The complexity of today’s IT environments requires vulnerability assessment to be taken to a new level.
NeXpose provides complete coverage for all systems, software and devices in an IT environment, including:
Web Application Security: Scans the Web application server and all Web applications for serious threats to your environment, such as SQL injection and cross-site scripting.
Database Security: Identifies issues and compliance violations by comprehensively scanning your databases for vulnerabilities.
Network Security: Ensures all systems and network devices have been properly tested for vulnerabilities and misconfigurations to minimize security risks.
Penetration Testing: Identifies and mitigates exploitable security threats in agencies’ IT environments.
Designed to minimize the time spent eliminating an organization’s security vulnerabilities, NeXpose Enterprise provides comprehensive vulnerability management and risk reporting, allowing the broadest asset protection possible.
Vulnerabilities exist at many layers in the computing world. NeXpose tests multiple layers because failing to do so can result in a secure Web server being lifted in its entirety through your database access mechanism. There are any number of additional scenarios in which access to one system can grant access to another.
To provide complete coverage of wired and wireless network security, NeXpose Enterprise is complemented by wireless scanning and compliance solutions from vendors such as AirTight Networks, which can identify both current and potential wireless threats in networks and map those back to specific regulatory requirements.
Network and OS Layer
The first step in securing any IT environment is to ensure all systems and network devices have been properly audited and exposures eliminated. Starting with firewalls, there are two classes of vulnerability—mis-configuration and firmware bugs—that can allow entry to non-authorized users. Most firewall vendors have a list of patches that should be used to bring a firewall up to date. NeXpose examines the firewall and determines whether the firmware revisions are current. If the current code is not running, NeXpose looks up the vulnerabilities known to be available within the running operating environment and exercises those to access systems behind the firewall.
Misconfiguration can allow access to systems not authorized to be accessed; TCP port pings using port 80 are an example of this. If the firewall doesn’t drop all packets on port 80 except to the Web server, then the existence of a system and quite likely what operating system it is running will be exposed. The expert system in NeXpose can use the information discovered in this scan mechanism to drive vulnerability testing of the discovered device. There are more than 70 vulnerability tests against Cisco firewalls alone. NeXpose users can use the external scanning engine to schedule penetration tests of their external environment to understand the access granted to anonymous users.
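The port 80 misconfiguration described above can be checked from the defender's side by evaluating the rule set against an asset inventory. The following is an added example, not code from the article or from NeXpose; the simplified first-match rule format, the addresses (documentation range 192.0.2.0/24) and the function names are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample rule set in a simplified format (first match wins).
# Each rule: (action, protocol, destination CIDR, destination port or "any").
RULES = [
    ("permit", "tcp", "192.0.2.10/32", 80),     # the designated Web server
    ("permit", "tcp", "192.0.2.0/28", 80),      # too broad: covers other hosts
    ("deny",   "tcp", "192.0.2.0/24", "any"),   # everything else on the segment
]
WEB_SERVER = "192.0.2.10"
# Constructed inventory of hosts behind the firewall.
INVENTORY = ["192.0.2.10", "192.0.2.11", "192.0.2.14", "192.0.2.40"]


def decision(rules, dst, port, proto="tcp", default="deny"):
    """Return (action, rule_index) for the first rule matching the packet."""
    addr = ipaddress.ip_address(dst)
    for index, (action, rule_proto, cidr, rule_port) in enumerate(rules):
        if rule_proto != proto:
            continue
        if addr not in ipaddress.ip_network(cidr):
            continue
        if rule_port != "any" and rule_port != port:
            continue
        return action, index
    return default, None  # implicit default when no rule matches


def exposed_on_port(rules, inventory, allowed_host, port=80):
    """List (host, rule_index) for hosts other than allowed_host that the
    rule set lets inbound traffic reach on the given TCP port."""
    allowed = ipaddress.ip_address(allowed_host)
    findings = []
    for host in inventory:
        action, index = decision(rules, host, port)
        if action == "permit" and ipaddress.ip_address(host) != allowed:
            findings.append((host, index))
    return findings


if __name__ == "__main__":
    for host, index in exposed_on_port(RULES, INVENTORY, WEB_SERVER):
        print(f"{host} is reachable on tcp/80 via rule {index}: {RULES[index]}")
```

Each finding names the rule responsible, so the fix is to narrow that rule's destination to the Web server alone.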
Operating System Layer
The operating system (OS) is the most critical component that needs to be protected from attack. Access to an OS allows for the removal of anything on the device. Even if data is encrypted, its removal and the potential for offsite analysis require appropriate OS controls.
Unfortunately there are countless ways of accessing the operating system. Not only does the OS provide its own access mechanisms, such as remote access, RPC, CIFS and SAMBA, but higher level applications may have vulnerabilities that allow access to the operating system as well. For example, the undocumented Extended Stored Procedure named “xp_regread” which comes with Microsoft SQL Server can be used to read any registry entry. Anything that opens a port has the potential to provide access.
NeXpose scans Windows, Linux, Sun and Mac Operating Systems for over 6,000 vulnerabilities, as well as thousands more at the application layer to report vulnerabilities. The risk scores associated with an operating system are ranked according to the likelihood with which a system compromise will occur.
In most cases, access to a system is an ordered and normal state of affairs. To provide auditing capabilities as to what is accessible by whom, NeXpose also tests security policies. For Windows systems, NeXpose uses the Windows Group Policy Object files created by the security policy editor. NeXpose also tests Unix and Linux systems for policy violations such as guessable passwords, file permissions and system account access.
Most vulnerability assessment scanners take a singular approach to scans by only looking at one aspect of an agency’s overall IT infrastructure. NeXpose enables organizations to audit their networks, track open vulnerabilities through resolution, and ensure policy compliance.
Bernd Leger is the senior director of marketing at Rapid7. He can be reached at Bernd_Leger@rapid7.com.
Published in Public Safety IT, Jan/Feb 2010