three high points for CERT security presentation at SDSC...
Barbara Fraser from CERT was in san diego today and gave a presentation
on CERT and trends in security. since her laptop fried, it was more a
discussion than a presentation. three big messages i got:
- downstream liability - you and your clients are liable for
attacks launched off of your machines and networks. you can be sued if your
security weakness allowed someone to launch an attack via your server or
network upon a third party. there is an effort to pass 'good samaritan'
legislation for security -- similar to the legislation for Y2K that says you
should make every effort to prepare and prevent Y2K problems, document it,
share what you learn, and are then supposedly not sue-able for Y2K problems.
but at the moment, YOU are liable.
- security service - we have talked on and off about offering a
security audit service. the Internet Engineering Task Force is writing a
document with suggested standards for this kind of service, and questions
that customers of security audit services should ask. the draft document or
RFC is available somewhere under the abyss of www.ietf.org.
- rfp's - the speaker pointed out that a lot of security crises
postmortem shows that there was no specification of any sort for security
when the network/computers were setup. she suggests that all rfp's you
author include specific security provisions to ensure security and prevent
finger-pointing in the event that your security is compromised. CERT/ietf is
writing up advice on this -- i believe it is also an ietf working draft or
rfc and is available online.
some little notes of interest
- CERT protects your confidentiality if you report a security issue.
your company name will not be broadcast or named in any security alerts.
other computer security incident response groups - IBM, major ISPs,
other countries -- have different policies about confidentialiity - so
check the policy before you share your exploit info.
- on the whole, ISP's and telco's are quite hackable and are big
targets. if you have sensitive information to protect, ENCRYPT it, do
not assume that the dedicated leased line you bought from an ISP is
secure. in one example she revealed that a national ISP had over 2/3 of
its traffic sniffed for an unknown period of months and, when it learned
of the problem, neglected to inform its customers. in other words, the
ISP solved its own problem, but the crackers still had thousands of
still-valid passwords and other access to customer data because the ISP
was unwilling to inform their customers.
- in 70-80% of CERT incidents, the site learns from CERT that they were
cracked. ( i feel better :-) we caught one and were notified of one).
- she showed a curve of exploit development - the slope up has advanced
crackers devising an exploit, they release their rough hack which is
picked up by capable crackers who further develop it. at this point CERT
tries to devise an interim solution and posts a CERT alert. within HOURS
after most CERT bulletins, there are automated scripts and tools
available for any 12-year-old to wardial the net and help themselves to
vulnerable computers. the curve peaks here - i thought the scale of her
chart was spread over months or weeks - she clarified -- simply a matter
of hours. the punchline is vendor security patches...
- if vendors patch an exploit, they are on the waning tail of the
exploit lifecycle: if and when the media pick up and publish the
embarrasing exploit, the vendor fixes it, but only the symptom, not
necessarily the underlying weakness. she went on to acknowledge the
open-source os's with security auditing projects - linux and one bsd
derivative - who make an ongoing effort to solve security problems at
- recommended strategy - perfect security is impossible. you should
create scenarios of attackers you need to defend against and budget to
protect at that level. for example, you may need to budget to defend
against script kiddies with pentium computers and dialup modems (that's
their resources to hack you with - 1 pc, 1 modem, and 1 script they got
off the net, that you can get too), but probably do not need to budget
to defend your information against the resources of the FBI/NSC or
- for san diego area people, the 3rd wednesday of each month, the SDSC
hosts a meeting with law enforcement (fbi, secret service, local police)
and local system administrators to talk about the cracks of the week.
the next meeting is 2pm in the supercomputer center tomorrow if anyone
desires to go.