Improving Security through Software Dr Warren Toomey School of Computer Science Australian Defence Force Academy


Page 1: Improving Security through Software Dr Warren Toomey School of Computer Science Australian Defence Force Academy

Improving Security through Software

Dr Warren Toomey
School of Computer Science

Australian Defence Force Academy

Page 2

Introduction

• Software insecurity causes most system vulnerabilities

• 1998 Internet survey
– 85% of the 36 million systems examined
– 1% (450,000) systems had software holes

• New software holes found on a daily basis
– 35 Microsoft bulletins in last 12 months
– 22 from SGI, 14 from Sun, 10 from Cisco

Page 3

Assumptions

• All software has bugs
– “there’s always one more bug”

• Some bugs are security holes

• Software configuration causes holes

• Software use causes security holes

• Many attacks come from inside

• Moral: Audit & fix your software base

Page 4

Audit Software

• In-House: Use Y2K audit to help find holes

• Use existing programmers’ knowledge

• Put your programmers on security courses

• Otherwise, get consultants to do audit

• Off the Shelf Software: not easy to audit

• Don't trust vendors' own opinion of security

• Find & use independent reports/surveys

Page 5

Read Security Bulletins

• Many vendors put out security bulletins
– Microsoft, Sun, Cisco, Netscape, SGI, HP ...

• These announce newly found holes, their significance & how to fix them

• Also read bulletins/advisories from CERT, AUSCERT, FIRST

• Verify bulletins’ authenticity: PGP etc.

• Fix security holes quickly: day-zero attacks

Page 6

Read Security Maillists

• Examples: Bugtraq, NT Bugtraq mail lists

• URLs: securityfocus.com, ntbugtraq.com

• Public arena for
– Discussion of new vulnerabilities

– Dissemination of detection/exploit code

• Both white-hats & hackers read these lists

• Hackers use this information for day-zero attacks

Page 7

Read Security Maillists

• Not as trustworthy as vendor, CERT bulletins

• However, new holes are described here weeks before vendor bulletins

• Some individuals are trustworthy
• Some are unofficial representatives of software vendors

Page 8

Reconfigure Software

• Configuration creates many security holes

• Consult software install/configure manuals for security recommendations

• Consult vendors, 3rd parties for security recommendations

• Use vulnerability detection software to audit configuration, monitor changes

• Keep good backups: you will need them when you are broken into

Page 9

Open Source Software

• Consider using Open Source software for new/replacement software

• Distributed in source form
– Thousands of people read the source
– Hackers find weaknesses quickly
– Good guys can fix the problem quickly
– Fast understanding of new security attacks
• You can buy support for these products

Page 10

Open Source Software

• In general, Open Source more trustworthy than proprietary software
– The code you see is the code you get

• Ditto for published encryption techniques: DES, RSA, AES etc.

• Open Source very useful for server deployment, not quite ready for desktop
– Apache, Perl, PGP, Gnu C, Bind, Sendmail, Linux, FreeBSD

Page 11

Software for Security

• Encryption at application level: PGP, ssh, SSL, S/Key

• Encryption at network level: SKIP, VPN
• Intrusion Detection software: various
• Anti-virus software: various, for both desktop & server
• Configuration vulnerabilities: various
• Configuration change detection: various

Page 12

Change Use of Software

• Software use also causes many holes
– Opening of virus-infected programs, documents

• Make users aware of software security

• Encourage users to report issues, react positively
• Encourage technical staff to report deficiencies, suggest improvements

• Send the message: security is important to us all

Page 13

Conclusion

• Software will always be vulnerable to attack
• Intense effort by hackers to find new holes & exploit them
• Audit, find & fix holes in your existing software base
• Audit, find & fix holes in your software configuration
• Follow bulletins, mail lists to keep abreast of new holes

Page 14

Conclusion

• Think security when replacing software, procuring new software

• Deploy software to enhance your security
• Encourage all to use software with security in mind