^macro[html_start;Proactive vs. Reactive Security;Proactive vs. Reactive Security;Internet security, assurance, risk management, scanning, port sweep, perimeter, penetration, protocol, tiger team , assessment, audit, hacker, hacktivism, cracker, hijacking, spoof, Sniffer, script kiddies, ankle biters, vulnerability, backdoor, bugtraq, Cybercop, vigilant, intrusion detection, firewall, denial-of-service, DDOS] ^macro[pagehead;img/library.gif] ^macro[leftcol] ^macro[centercol;


Richard Steinberger,
Independent Security Consultant

Proactive vs. Reactive Security



Introduction

Most security professionals are aware of the two basic approaches used to deal with security vulnerabilities: proactive and reactive. Proactive approaches include all measures that are taken with the goal of preventing host-based or network-based attacks from successfully compromising systems. Reactive approaches are those procedures that organizations use once they discover that some of their systems have been compromised by an intruder or attack program (e.g., Code Red or Nimda).

Proactive Approaches

Every modern organization realizes the value of dedicating some resources to the prevention of expensive damages that will likely occur if such preventive measures are not taken. Banks use thick steel and concrete vaults with advanced electronic systems to prevent and detect break-ins. Many companies, from convenience stores to casinos, use cameras to record business activities, the idea being that cameras both deter theft and help identify perpetrators when thefts do occur. Some organizations have started using Intrusion Detection and Response Systems (IDRSes) to try to detect computer intrusions and then activate defensive measures when an attack is detected. All of these examples represent proactive approaches to securing a company's infrastructure.

Reactive Approaches

Just as every company takes some measures to prevent future business losses, each also has plans in place to respond to such losses when the proactive measures either were not effective, or did not exist. Reactive methods include Disaster Recovery Plans, use of private investigation services and loss recovery specialists, reinstallation of operating systems and applications on compromised systems, or switching to alternate systems in other locations. Having an appropriate set of reactive responses prepared and ready to implement is just as important as having proactive measures in place.

A difficult set of decisions needs to be made about how many resources (time, money, people) to dedicate to proactive approaches and how many to reactive approaches. These decisions are further complicated by the choice between using in-house resources and outsourcing. The remainder of this paper discusses these issues and focuses specifically on computer and network technologies.

Proactive and Reactive Approaches for Networked Companies

Richard Pethia, the director of the CERT Coordination Center at Carnegie Mellon University, recently stated, "Today's commercial off-the-shelf [software] technology is riddled with holes. The sheer number of vulnerabilities is overwhelming organizations." Pethia is referring to several examples in the recent past. These include vulnerabilities that allowed viruses and worms (hereafter referred to as malware) and other manual and automated attacks to inflict damages costing hundreds of millions of dollars per occurrence. Specific examples are: LoveLetter, a worm that severely clogged mail servers and networks in 2000^; Code Red, an aggressive worm that attacked unpatched Microsoft web servers and defaced their main pages^; and most recently, Nimda, a worm that spread by several different methods including email and web protocols, and searched for as many as 16 separate vulnerabilities to attack.

Add to those examples the recent Distributed Denial of Service (DDOS) attacks, less serious but still expensive virus attacks, exploits directed at unpatched popular firewalls (e.g., Check Point, Cisco PIX), buffer overflows, directory traversal and other more obscure attacks against web servers, and the scope of the problem starts to become quite clear. Since it is unlikely that most software will improve significantly from the state Pethia describes ("riddled with holes"), the practical approaches are to: 1) repair the holes as soon as vendors confirm vulnerabilities and release patches, and 2) be prepared to respond to successful attacks against systems that have not yet been patched.

Although not all system vulnerabilities are the result of exploitable software flaws, most of them are. Ronald Dick, chief of the National Infrastructure Protection Center (NIPC, a division of the FBI), stated that about 80% of the issues the NIPC responds to could have been prevented if system administrators had been able to "download a patch and repair their systems." Other sources of system vulnerabilities include misconfigurations, poorly trained staff, unexpected interactions between systems, stolen or improperly protected passwords, or even hardware failures.

There are two extremely important conclusions that may be drawn from the above discussion. The first is that regular patching of systems is the single most important thing an organization can do to help defend itself against network attacks. The second conclusion is that even the most aggressive, comprehensive approach to patching systems and keeping virus definition files up to date is not going to prevent every network attacker from successfully penetrating a company's network and inflicting damages. Therefore, organizations that want to be well defended against network attacks need to employ an optimal mix of proactive and reactive approaches.

Specific Proactive Methodologies

The single most important thing an organization can do to defend itself against network attacks and malware is to patch vulnerable systems. This task isn't nearly as easy as it sounds. Even medium-sized companies can have thousands of computers. Large companies can own tens of thousands of systems, running multiple operating systems and applications from several different vendors on systems located in dozens of locations.

Although the size of the task can be daunting, reasonable approaches can still be developed and - if senior management provides enough resources - implemented. The support of senior management is crucial, because without it there will simply never be enough money, staff or time to implement more than a minimally reactive and ultimately expensive strategy.

So what are the elements of an effective patching strategy? All of the following are important:

After installing a new system, install all recommended vendor security patches. Most vendors maintain a website that provides the necessary information. Be sure to apply patches to all third-party applications (e.g., web servers, mail servers) in addition to patching the operating system.

Subscribe to security-related email lists from vendors. Most major software vendors offer these subscriptions for free. Apply patches when recommended.

Subscribe to the CERT mailing list, accessible at http://www.cert.org. Apply patches as recommended.

Ensure that all Windows and Macintosh computers are running recent antivirus software and that automated processes regularly update the virus definitions. It is particularly important that antivirus software be kept current on portable computers used by mobile workers, since these staff members frequently connect to unprotected networks where the chance of infection is higher than on the corporate LAN.

Maintain a database that keeps track of what patches have been applied to the organization's most important systems: the Internet-accessible systems, firewalls, internal routers, databases and back office servers. If time and money are available, expand this database to include all company systems: both desktops and notebooks.
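As an added example (not part of the original article), the following Python script models the patch-tracking database just described as two small tables, the patches each host has installed and the patches its role requires, and reports the gaps with Internet-facing systems first. All host names, roles and patch identifiers are constructed for the example and are not real advisories.

```python
"""Patch-inventory gap check (added example, not from the original article).

The tracking database described above is modelled as two tables: the patches
each host has installed, and the patches a host of that role must have.
Host names, roles and patch identifiers are constructed placeholders.
"""
from collections import namedtuple

Host = namedtuple("Host", "name role exposure installed")

# Exposure tiers, lowest number is patched first.
EXPOSURE_PRIORITY = {"internet": 0, "dmz": 1, "internal": 2}

# Required patch baseline per role (placeholder identifiers).
REQUIRED_PATCHES = {
    "web": {"WEB-2001-001", "WEB-2001-002", "OS-2001-007"},
    "mail": {"MAIL-2001-003", "OS-2001-007"},
    "firewall": {"FW-2001-010"},
    "desktop": {"OS-2001-007", "AV-DEFS-CURRENT"},
}

# Constructed inventory rows.
INVENTORY = [
    Host("www1", "web", "internet", {"WEB-2001-001", "OS-2001-007"}),
    Host("mx1", "mail", "dmz", {"MAIL-2001-003", "OS-2001-007"}),
    Host("fw-edge", "firewall", "internet", set()),
    Host("pc-017", "desktop", "internal", {"OS-2001-007"}),
]


def missing_patches(host, required=REQUIRED_PATCHES):
    """Sorted list of baseline patches the host lacks.

    A role without a baseline raises instead of returning an empty list,
    otherwise such a host would be reported as fully patched.
    """
    if host.role not in required:
        raise KeyError(f"no patch baseline defined for role {host.role!r}")
    return sorted(required[host.role] - host.installed)


def gap_report(inventory=INVENTORY, required=REQUIRED_PATCHES):
    """Rows (name, role, exposure, missing) for every host with a gap,
    most exposed first, then the largest gap, then by name."""
    rows = []
    for host in inventory:
        gap = missing_patches(host, required)
        if gap:
            rows.append((host.name, host.role, host.exposure, gap))
    rows.sort(key=lambda r: (EXPOSURE_PRIORITY.get(r[2], 99), -len(r[3]), r[0]))
    return rows


def coverage_percent(inventory=INVENTORY, required=REQUIRED_PATCHES):
    """Percentage of required (host, patch) pairs actually installed,
    the one figure worth reporting to management."""
    needed = have = 0
    for host in inventory:
        baseline = required.get(host.role, set())
        needed += len(baseline)
        have += len(baseline & host.installed)
    return round(100 * have / needed, 1) if needed else 100.0


if __name__ == "__main__":
    for name, role, exposure, gap in gap_report():
        print(f"{exposure:9} {name:8} ({role}) missing: {', '.join(gap)}")
    print(f"baseline coverage: {coverage_percent()}%")
```

Running it prints the gap rows and a single coverage figure. A host whose role has no baseline raises rather than returning an empty gap, because otherwise it would look fully patched in the report.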

Patching systems is a crucial part of a proactive strategy to defend against network attacks. However, there are other techniques that, when combined with patching, provide an even more effective defense. Two of these techniques are discussed below.

Automated Vulnerability Assessment

Even aggressive patching does not "immunize" systems against all network attacks. Some attackers focus on common misconfigurations and operator mistakes that no amount of patching would counteract. In other cases, attackers may have identified vulnerabilities for which vendors have yet to release a patch. Unless these additional vulnerabilities are discovered and addressed, they can be exploited through manual or automated attacks and cause significant damage.

The basic idea of automated vulnerability assessment is that one uses a program, or better yet several programs, that systematically scan remote systems and networks and identify security vulnerabilities. These programs are very effective at discovering known vulnerabilities that the organization did not realize were present on its own systems. In fact, attackers use tools very similar to these to identify exposed vulnerabilities in their targets.

There are several sources of such programs today. Examples include: Nessus, SAINT, nmap, ISS, CyberCop, and BindView. Unfortunately, these programs can be difficult to use. They can be complex and not easy to configure^; their results can be difficult to interpret^; they need to be regularly updated so they can scan for recently discovered vulnerabilities^; it can be difficult to find a place on the company network that truly represents an "Internet view" of the company network^; and any company staff member who performs vulnerability scans using these tools has an insider's knowledge of the network and may therefore overlook (or be forced to skip) systems that an attacker would focus on.
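To make the interpretation problem concrete, here is an added example (not from the original article or from any of the scanners named above) that parses a few constructed lines in nmap's grepable (-oG) output format and matches the reported service versions against a small signature table. The scan lines and the version thresholds are invented for the example and are not advisory data.

```python
"""Scanner output to findings (added example, not from the original article
or from any scanner it names).

Parses constructed lines in nmap's grepable (-oG) format and classifies each
open service against a small "fixed in version X" signature table. Scan lines
and thresholds are invented for the example, not advisory data.
"""
import re

# Constructed -oG style lines. Within each port entry the field order is
# port/state/protocol/owner/service/rpcinfo/version, entries separated by ", ".
SAMPLE_SCAN = """\
Host: 10.0.0.10 (www)\tPorts: 22/open/tcp//ssh//OpenSSH 2.9p2/, 80/open/tcp//http//Apache httpd 1.3.20/\tIgnored State: closed (998)
Host: 10.0.0.11 (mx)\tPorts: 25/open/tcp//smtp//Sendmail 8.12.1/, 110/open/tcp//pop3///\tIgnored State: closed (998)
Host: 10.0.0.12 (db)\tPorts: 1433/open/tcp//ms-sql-s//Microsoft SQL Server 2000 8.00.194/\tIgnored State: filtered (999)
"""

# Illustrative signatures: product -> version from which it counts as fixed.
# This table is what must be kept current. A stale copy misses newer issues
# without any visible error.
SIGNATURES = {
    "OpenSSH": (3, 0),
    "Apache httpd": (1, 3, 26),
    "Sendmail": (8, 12, 0),
}


def parse_version(text):
    """First dotted-numeric run as a tuple of ints, e.g. "2.9p2" -> (2, 9).
    Returns None when there is no number at all."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    if m is None:
        return None
    return tuple(int(part) for part in m.group(0).split("."))


def dotted(version):
    return ".".join(str(part) for part in version)


def parse_grepable(text):
    """Yield (host, port, proto, service, version_banner) for each open port."""
    for line in text.splitlines():
        if not line.startswith("Host: ") or "Ports: " not in line:
            continue
        sections = line.split("\t")
        host = sections[0].split()[1]
        ports = next(s for s in sections if s.startswith("Ports: "))
        for entry in ports[len("Ports: "):].split(", "):
            # maxsplit keeps any extra slashes inside the version field intact
            fields = entry.split("/", 6)
            if len(fields) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = fields
            if state == "open":
                yield host, int(port), proto, service, version.rstrip("/").strip()


def assess(entries, signatures=SIGNATURES):
    """Classify each service as VULNERABLE, OK or UNVERIFIED.

    UNVERIFIED (no banner, or no signature for the product) is kept apart
    from OK on purpose: it is the list a human still has to look at.
    """
    findings = []
    for host, port, proto, service, version in entries:
        status = "UNVERIFIED"
        detail = "no version banner" if not version else "no signature for this product"
        for product, fixed_in in signatures.items():
            if not version.startswith(product):
                continue
            found = parse_version(version[len(product):])
            if found is None:
                detail = f"{product}: version not parseable"
            elif found < fixed_in:
                status, detail = "VULNERABLE", f"{product} {dotted(found)} is older than {dotted(fixed_in)}"
            else:
                status, detail = "OK", f"{product} {dotted(found)} is at or above {dotted(fixed_in)}"
            break
        findings.append((host, port, service, status, detail))
    return findings


def summary(findings):
    """Count of findings per status."""
    counts = {"VULNERABLE": 0, "OK": 0, "UNVERIFIED": 0}
    for _host, _port, _service, status, _detail in findings:
        counts[status] += 1
    return counts


if __name__ == "__main__":
    results = assess(parse_grepable(SAMPLE_SCAN))
    for host, port, service, status, detail in results:
        print(f"{host:12} {port:5} {service:10} {status:10} {detail}")
    print(summary(results))
```

The two services without a usable banner or signature come out as UNVERIFIED rather than OK, which is the part of a scanner report that most often gets misread: a clean-looking result may simply mean the tool had nothing to check against.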

The recommended approach to automated network vulnerability assessment is to outsource. In practice this means hiring an outside company to perform the network scanning and then prepare a well-documented report (containing specific details on how to fix any detected vulnerabilities). Most of the Big 5 accounting firms offer this kind of service, but the price is high, and they often want to bundle many other services with a network security scan.

One of the best independent companies that offers network vulnerability scanning services is VIGILANTe. Their scanning service includes not only many tools they have developed themselves, but several other commercial and open-source tools like Nessus, CyberCop, nmap, and ISS. Their flagship scanning service, SecureScan NX, scans a network internally as well as externally.

When using an outsourced scanning service, it's important to have the scans performed at regular intervals. This is not just a one-time thing. Every company needs to decide on a "scan frequency" - how often to have the networks scanned for vulnerabilities. Once every 90 days is suggested as a reasonable minimum scan rate.

Regular vulnerability scanning along with diligent system patching can go a long way to providing a highly effective defense against system attackers.

Independent Security Audit

An important additional measure that organizations can take in order to create an even higher level of network security is to engage the services of a professional security consulting company. There are many companies that offer on-site consulting services, including all of the Big 5 accounting firms, Vigilinx, @stake, Foundstone and many independent professional security auditors.

The advantage of an independent security audit is that when experienced security consultants visit a company and interview critical staff members, they can discover critical weaknesses in security processes (or, indeed, the lack of such processes). Independent security assessments also involve the use of manual and automated security tools. A complete report is delivered at the end of the audit.

A Security Policy

No discussion on proactive security would be complete without mentioning the security policy. While there are many topics that should be covered in such a policy, one of the most important concerns staff member use of computers and networks. Unless employees are given specific details on what is and is not permitted, they may inadvertently introduce a virus or worm into the network, or otherwise cause significant damage to system infrastructure.

A good source of information for companies wanting to improve their security policies is RFC 2196, the Site Security Handbook: http://www.ietf.org/rfc/rfc2196.txt

Reactive Security

Although the title of this article is "Proactive Versus Reactive Security," the two approaches are really not mutually exclusive. Every organization needs to be prepared for successful attacks (also known as intrusions), virus and worm outbreaks, denial of service attacks, and even attacks by disgruntled employees with an insider's knowledge of the systems and networks. Given today's geopolitical environment, it has become critical for every organization to have a workable Disaster Recovery Plan (DRP) as well.

Of all the "bad things" that can happen on a company's networks, the most common and most expensive (historically) is the virus/worm outbreak. Such attacks can tie up networks, cripple mail servers and disable many individual PCs. It's beyond the scope of this article to discuss the specifics of a virus/worm reaction policy. Many of the popular commercial antivirus vendors provide some insights on their websites.

Conclusion

As we have seen, proactive and reactive security are not opposing forces. Every organization needs to find an appropriate balance between how many resources can be devoted to proactive measures designed to deter network attacks, and how much to devote to reacting to intrusions. However this balance is addressed, it is strongly recommended that every organization have an effective patching process in place, and have networks scanned using vulnerability assessment programs. Those are the two most important components of proactive security.


] ^macro[html_end]