Looking at the nuts and bolts

MILIND JANBANDHU

EVOLUTION of hardware and software for microprocessors over the past few decades has progressed steadily from 8-bit to 64-bit microprocessors, and from the BBC Micro, Spectrum and Sinclair to Windows 8, Macintosh 10.x and Linux/Unix running on these microprocessors. This is certainly a big achievement in both hardware and software, one that we benefit from by drawing upon the research of several academic institutes, organizations and individuals. But, accompanying these advances, we have also seen an exponential increase in security risks and advanced attack methodologies.

Looking back, we can see factors such as lack of awareness, lack of resources, ignorance, software bugs and misconfigurations as key areas that we need to constantly address with technological advances.

In this article we will review some facts and the nuts and bolts that could help improve cyber security. So what is cyber security? Remember, we first had stand-alone computers, then we networked these computers and eventually connected these networks to the Internet. So, over the years the terminology used for security changed from computer security to IT security to cyber security. This means that we now need to see security from three aspects, i.e., how secure our computer is as a stand-alone machine, its security when connected to other computers in the local network, and when it is connected to an external network (Internet).

Large businesses, including government and perhaps some academic institutions, have the resources to implement security solutions, which is generally less true for home users and small businesses, who are unable to keep up with the advances in technology needed to protect their environment. As a result, they are at higher risk, and they provide a fertile ground from which hackers launch sophisticated attacks on large businesses.

Home users, specifically in countries where Internet access is expensive or communication speeds are low, are not aware of the importance of keeping software up to date, as they are oblivious to security. From a common person's perspective, this seems an acceptable risk: if the computer stops working or slows down, it can be reimaged or new software installed at little or no cost, and the loss of data is of little concern to many individuals.

Small businesses often use security devices and software security products such as a firewall device, anti-virus software and at times intrusion detection and prevention devices. They rely on the experience of their staff, local experts and vendors to secure their machines. But they often lack routine security validation of their environment and of the effectiveness of their security solution. As a result, small businesses are not aware of the security weaknesses introduced into their environment over time. For example, they are not aware of new applications that have been installed with default or easily guessable passwords, whether the firewall rules are up to date and locked down, or whether undesired applications (such as P2P software) have been installed, among other aspects.

Large businesses, including government and academic institutions, usually implement good security solutions depending upon their business models and requirements, which may consist of firewalls, proxy servers, VPNs, IDS/IPS etc. They generally incorporate best industry practices and will have developed policies, standards, processes and procedures to address security within the organization. However, security requirements are very diverse between large organizations, mainly due to the nature of their business and the regulations they need to fulfil. Often, security takes a back seat, owing to a lack of understanding of security on the part of business leads, to deadlines, and to business decisions that introduce security weaknesses. Business accepts the risk to achieve deadlines, which introduces security holes that remain unaddressed over long periods.

Some organizations continue to use older technology with inherent security risks. Such technologies may coexist on the local network with newer technologies, thereby increasing the risk. For example, a manufacturing company is likely to be more concerned about the availability of its robots for manufacturing and delivery of products than about upgrading the old operating system that runs the robots. Such business decisions are made by many large organizations and could result in a breach of security and damage to their reputation. The above facts are based on common issues observed over the years and I plan to provide the metrics later.

Let us take a look at the various vendors who provide us with software and estimate how many vulnerabilities are introduced by them each year. These metrics are readily available over the Internet, as software vulnerabilities are monitored by several organizations. I use the National Vulnerability Database (NVD) to generate some facts. Figure 1 shows the number of software vulnerabilities introduced by some of the major vendors.

One finds that the general trend in software vulnerabilities has been upward in spite of efforts by vendors: viewed over time, the number of vulnerabilities in the year 2000 was far lower than in 2012. Figure 2 shows the general trend over the years for these vendors. Please note that this data is current to the end of August 2013.

However, if one compares the yearly contribution of vulnerabilities by the selected vendors (seven in total) with all the vulnerabilities released during the year, one finds that they have introduced about 40% of the total vulnerabilities to date (August 2013), and the numbers are rising. Refer to Figure 3 for details.

Figure 4 shows the number of major vulnerabilities observed since 2010 for some of the identified vulnerabilities, and Figure 5 compares the total number of vulnerabilities with the total for the selected vulnerabilities for each year. All of the accompanying figures show that greater effort is required from the major vendors to provide us with more robust software by improving their development and testing approaches.
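As an added example (not the author's code or data), the following shows one way to reproduce the Figure 3 metric from NVD-style records: the share of each year's distinct CVEs attributable to a chosen vendor group. The records and the vendor set are constructed; the only real format assumed is the CPE 2.3 string, whose fourth colon-separated field is the vendor.

```python
import re
from collections import defaultdict

# Constructed sample records, not NVD data: (CVE id, publication date, CPE 2.3 string).
# CVE-2000-0004 appears twice (two products) to show that a CVE is counted only once.
SAMPLE_RECORDS = [
    ("CVE-2000-0001", "2000-01-10", "cpe:2.3:a:microsoft:internet_explorer:5.0:*:*:*:*:*:*:*"),
    ("CVE-2000-0002", "2000-03-02", "cpe:2.3:o:linux:linux_kernel:2.2:*:*:*:*:*:*:*"),
    ("CVE-2000-0003", "2000-05-19", "cpe:2.3:o:sun:solaris:7.0:*:*:*:*:*:*:*"),
    ("CVE-2000-0004", "2000-08-07", "cpe:2.3:a:oracle:database_server:8.1:*:*:*:*:*:*:*"),
    ("CVE-2000-0004", "2000-08-07", "cpe:2.3:a:oracle:application_server:4.0:*:*:*:*:*:*:*"),
    # A vendor field may contain an escaped colon; a plain str.split(":") mis-parses it.
    ("CVE-2000-0005", "2000-11-30", "cpe:2.3:a:acme\\:corp:widget:1.0:*:*:*:*:*:*:*"),
    ("CVE-2012-0001", "2012-01-11", "cpe:2.3:a:adobe:flash_player:11.1:*:*:*:*:*:*:*"),
    ("CVE-2012-0002", "2012-02-14", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*"),
    ("CVE-2012-0003", "2012-04-03", "cpe:2.3:a:wordpress:wordpress:3.3:*:*:*:*:*:*:*"),
    ("CVE-2012-0004", "2012-06-20", "cpe:2.3:o:cisco:ios:15.1:*:*:*:*:*:*:*"),
    ("CVE-2012-0005", "2012-12-11", "cpe:2.3:a:microsoft:internet_explorer:9:*:*:*:*:*:*:*"),
]

# Vendor group whose share we want (constructed; stands in for the page's seven vendors).
SELECTED_VENDORS = {"microsoft", "oracle", "adobe"}


def cpe_vendor(cpe):
    """Return the vendor field of a CPE 2.3 string, or '' if the string is not one."""
    # CPE 2.3 has exactly 13 colon-separated fields; colons inside a value are
    # written as "\:", so split only on unescaped colons.
    fields = re.split(r"(?<!\\):", cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        return ""
    return fields[3]


def yearly_share(records, selected):
    """Map year -> (total CVEs, CVEs from selected vendors, selected share in percent)."""
    all_ids = defaultdict(set)       # year -> distinct CVE ids published that year
    selected_ids = defaultdict(set)  # year -> distinct CVE ids naming a selected vendor
    for cve_id, published, cpe in records:
        year = int(published[:4])
        all_ids[year].add(cve_id)
        if cpe_vendor(cpe).lower() in selected:
            selected_ids[year].add(cve_id)
    return {
        year: (len(all_ids[year]), len(selected_ids[year]),
               round(100.0 * len(selected_ids[year]) / len(all_ids[year]), 1))
        for year in sorted(all_ids)
    }
```

Calling yearly_share(SAMPLE_RECORDS, SELECTED_VENDORS) on the constructed records gives 2 of 5 CVEs (40.0%) for 2000 and 3 of 5 (60.0%) for 2012; the same functions run unchanged over (year, CPE) tuples extracted from the real NVD feeds.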

FIGURE 1 (number of software vulnerabilities introduced by some of the major vendors, NVD data)

FIGURE 2 (trend in vulnerabilities over the years for these vendors, data to end of August 2013)

FIGURE 3 (yearly contribution of the seven selected vendors compared with all vulnerabilities released that year)

FIGURE 4 (number of major vulnerabilities observed since 2010 for the identified vulnerabilities)

FIGURE 5 (total number of vulnerabilities each year compared with the total of the selected vulnerabilities)

Let us now take a look at the risks due to viruses, malware, rootkits, bots, trojans and so on. These have grown out of vulnerabilities in software and in how we use or deploy it, so it would be inappropriate to state that the risks have been introduced by the software alone. For example, if we go to a malicious site and install software, we will very likely be running untrusted software; if we configure an Internet-facing server with a default administrator password, then anyone can log in and install untrusted software.

In the early days, viruses propagated through floppies, and their main characteristics, among others, were to perform disruptive or destructive activities such as erasing the hard drive or making it unusable, and distorting or wiping characters from the screen. These viruses then evolved from hiding in hard drive boot sectors to infiltrating programmes and the operating system itself. Their main characteristics also changed, from merely causing damage to gaining and retaining access to the computer. With this came the objective of stealing information such as banking details, personal information, credit card numbers, passwords etc. This access also enabled hackers to launch attacks and gain similar control over other computers.

As the number of infected computers increased, hackers developed mechanisms to monitor, update and control them remotely. These types of viruses are termed bots; they deploy various, and perhaps all, of the techniques for evading antivirus software, the operating system, users and processes, and are controlled through command and control (C&C) servers. Some bots, such as QAKBOT, were targeted at corporates and had built-in features to determine whether the user was a corporate user and, if not, to simply exit.

Without going into the specifics of the various types of virus and malware, let us take a quick look at the status of bots and the number of C&C servers around the world. Hourly statistics are available through shadowserver.org. Refer to Figure 6 for C&C servers around the world over the last two years and Figure 7 for the number of infected servers controlled by the C&C servers. These graphs show that the number of C&C servers has decreased since March-April 2012 and the number of infected servers has also reduced over the past three years.

FIGURE 6 (C&C servers around the world over the last two years, shadowserver.org)

FIGURE 7 (number of infected servers controlled by the C&C servers)

If we compare these statistics with the Microsoft Security Intelligence Report (Vol. 14), based on the Microsoft Software Removal Tool (MSRT), we find that the number of infected computers cleaned by the MSRT shows a decline, which could be considered a good sign. However, there is still a big gap that needs to be reduced. Microsoft reports for 2013 are not yet available. The reports are of great value and provide good information; more frequent reports, or perhaps an online hourly status, would be more beneficial.

One can review such statistics from other vendors as well. The websites of security product and service vendors also provide valuable information. In addition, the following websites provide good information that may help us improve cyber security:

http://www.us-cert.gov/
http://www.first.org/
http://www.nist.org/
http://iase.disa.mil/stigs/index.html

And lastly, if one is a small business or a home user looking for tools/products that could help protect or keep your computer clean, it is worth reviewing the following:

1. To remove viruses or bots from the computer, there are several tools, such as 'Microsoft Safety Scanner' from the Microsoft website, or the virus-specific removal tools from AV vendor websites such as McAfee, Norton etc. These are provided free, and if one were to search for similar tools on the Internet, one would find several other products. It is suggested that one use such tools with care and download them only from reputable vendors.

2. If your computer is used by everyone in the family, it is advisable to block certain sites, such as adult sites. I suggest you review the 'K9' product from Blue Coat to help protect yourself and young ones. This is free for personal use.

FIGURE 8

3. If you wish to protect your networked computers, you may wish to take a look at 'Untangle'. One needs a low-budget computer with a minimum of two network interfaces; it can help protect all your computers from phishing, intrusion, spam mail etc. This is free for personal use too.

Try to answer the following questions:

(i) What antivirus software are you running; is it up to date with signatures and its version?

(ii) What firewall is installed, is it active, do you know what rules are acceptable, and when did you last review the rules?

(iii) Is your Wi-Fi connection secured? How? Do you know the password or how to configure it? Is the guest network protected?

(iv) Are there any devices installed on your network that are accessible over the Internet? Have you configured the firewall/DMZ or the ports correctly?

(v) Is intrusion detection/prevention implemented either on your computers or in the network? Are there any B2B VPN connections (business users should answer this)?

(vi) Are all your computers/servers/laptops patched? How often are they patched? How do you know they are patched?

(vii) Are you aware whether any intruder/hacker has access to your server/computer? Are you sure? How do you know?

If you have difficulty in answering any of the above questions, or are not sure what your answer should be, please make a note to update yourself and to understand what needs to be done to close the gaps. An understanding of security concepts is highly recommended for those who have not been able to answer more than 50% of the questions with confidence.
