Improving Security through Software
Dr Warren Toomey
School of Computer Science
Australian Defence Force Academy
Introduction
• Software insecurity causes most system vulnerabilities
• 1998 Internet survey
– 85% of the 36 million systems examined
– 1% (450,000) systems had software holes
• New software holes found on a daily basis
– 35 Microsoft bulletins in last 12 months
– 22 from SGI, 14 from Sun, 10 from Cisco
Assumptions
• All software has bugs
– “there’s always one more bug”
• Some bugs are security holes
• Software configuration causes holes
• Software use causes security holes
• Many attacks come from inside
• Moral: Audit & fix your software base
Audit Software
• In-House: Use Y2K audit to help find holes
• Use existing programmers’ knowledge
• Put your programmers on security courses
• Otherwise, get consultants to do audit
• Off the Shelf Software: not easy to audit
• Don't trust vendors' own opinion of security
• Find & use independent reports/surveys
Read Security Bulletins
• Many vendors put out security bulletins
– Microsoft, Sun, Cisco, Netscape, SGI, HP ...
• These announce newly found holes, their significance & how to fix them
• Also read bulletins/advisories from CERT, AUSCERT, FIRST
• Verify bulletins’ authenticity: PGP etc.
• Fix security holes quickly: day-zero attacks
Read Security Mail Lists
• Examples: Bugtraq, NT Bugtraq mail lists
• URLs: securityfocus.com, ntbugtraq.com
• Public arena for
– Discussion of new vulnerabilities
– Dissemination of detection/exploit code
• Both white-hats & hackers read these lists
• Hackers use this information for day-zero attacks
Read Security Mail Lists
• Not as trustworthy as vendor, CERT bulletins
• However, new holes are described here weeks before vendor bulletins
• Some individuals are trustworthy
• Some are unofficial representatives of software vendors
Reconfigure Software
• Configuration creates many security holes
• Consult software install/configure manuals for security recommendations
• Consult vendors, 3rd parties for security recommendations
• Use vulnerability detection software to audit configuration, monitor changes
• Keep good backups: you will need them when you are broken into
Open Source Software
• Consider using Open Source software for new/replacement software
• Distributed in source form
– Thousands of people read the source
– Hackers find weaknesses quickly
– Good guys can fix the problem quickly
– Fast understanding of new security attacks
• You can buy support for these products
Open Source Software
• In general, Open Source more trustworthy than proprietary software
– The code you see is the code you get
• Ditto for published encryption techniques: DES, RSA, AES etc.
• Open Source very useful for server deployment, not quite ready for desktop
– Apache, Perl, PGP, Gnu C, Bind, Sendmail, Linux, FreeBSD
Software for Security
• Encryption at application level: PGP, ssh, SSL, S/Key
• Encryption at network level: SKIP, VPN
• Intrusion Detection software: various
• Anti-virus software: various, for both desktop & server
• Configuration vulnerabilities: various
• Configuration change detection: various
Change Use of Software
• Software use also causes many holes
– Opening of virus-infected programs, documents
• Make users aware of software security
• Encourage users to report issues, react positively. Encourage technical staff to report deficiencies, suggest improvements
• Send the message: security is important to us all
Conclusion
• Software will always be vulnerable to attack
• Intense effort by hackers to find new holes & exploit them
• Audit, find & fix holes in your existing software base
• Audit, find & fix holes in your software configuration
• Follow bulletins, mail lists to keep abreast of new holes
Conclusion
• Think security when replacing software, procuring new software
• Deploy software to enhance your security
• Encourage all to use software with security in mind