three high points for CERT security presentation at SDSC...

Barbara Fraser from CERT was in san diego today and gave a presentation on CERT and trends in security. since her laptop fried, it was more a discussion than a presentation. three big messages i got:

1. downstream liability - you and your clients are liable for attacks launched off of your machines and networks. you can be sued if your security weakness allowed someone to launch an attack via your server or network upon a third party. there is an effort to pass 'good samaritan' legislation for security -- similar to the legislation for Y2K that says you should make every effort to prepare and prevent Y2K problems, document it, share what you learn, and are then supposedly not sue-able for Y2K problems. but at the moment, YOU are liable.
2. security service - we have talked on and off about offering a security audit service. the Internet Engineering Task Force is writing a document with suggested standards for this kind of service, and questions that customers of security audit services should ask. the draft document or RFC is available somewhere under the abyss of www.ietf.org.
3. rfp's - the speaker pointed out that a lot of security crises postmortem shows that there was no specification of any sort for security when the network/computers were setup. she suggests that all rfp's you author include specific security provisions to ensure security and prevent finger-pointing in the event that your security is compromised. CERT/ietf is writing up advice on this -- i believe it is also an ietf working draft or rfc and is available online.

some little notes of interest

• CERT protects your confidentiality if you report a security issue. your company name will not be broadcast or named in any security alerts. other computer security incident response groups - IBM, major ISPs, other countries -- have different policies about confidentialiity - so check the policy before you share your exploit info.
• on the whole, ISP's and telco's are quite hackable and are big targets. if you have sensitive information to protect, ENCRYPT it, do not assume that the dedicated leased line you bought from an ISP is secure. in one example she revealed that a national ISP had over 2/3 of its traffic sniffed for an unknown period of months and, when it learned of the problem, neglected to inform its customers. in other words, the ISP solved its own problem, but the crackers still had thousands of still-valid passwords and other access to customer data because the ISP was unwilling to inform their customers.
• in 70-80% of CERT incidents, the site learns from CERT that they were cracked. ( i feel better :-) we caught one and were notified of one).
• she showed a curve of exploit development - the slope up has advanced crackers devising an exploit, they release their rough hack which is picked up by capable crackers who further develop it. at this point CERT tries to devise an interim solution and posts a CERT alert. within HOURS after most CERT bulletins, there are automated scripts and tools available for any 12-year-old to wardial the net and help themselves to vulnerable computers. the curve peaks here - i thought the scale of her chart was spread over months or weeks - she clarified -- simply a matter of hours. the punchline is vendor security patches...
• if vendors patch an exploit, they are on the waning tail of the exploit lifecycle: if and when the media pick up and publish the embarrasing exploit, the vendor fixes it, but only the symptom, not necessarily the underlying weakness. she went on to acknowledge the open-source os's with security auditing projects - linux and one bsd derivative - who make an ongoing effort to solve security problems at every level.
• recommended strategy - perfect security is impossible. you should create scenarios of attackers you need to defend against and budget to protect at that level. for example, you may need to budget to defend against script kiddies with pentium computers and dialup modems (that's their resources to hack you with - 1 pc, 1 modem, and 1 script they got off the net, that you can get too), but probably do not need to budget to defend your information against the resources of the FBI/NSC or foreign governments.
• for san diego area people, the 3rd wednesday of each month, the SDSC hosts a meeting with law enforcement (fbi, secret service, local police) and local system administrators to talk about the cracks of the week. the next meeting is 2pm in the supercomputer center tomorrow if anyone desires to go.