Improving Security through Software Dr Warren Toomey School of Computer Science Australian Defence Force Academy
Introduction Software insecurity causes most system vulnerabilities 1998 Internet survey –85% of the 36 million systems examined –1% (450,000) systems had software holes New software holes found on a daily basis –35 Microsoft bulletins in last 12 months –22 from SGI, 14 from Sun, 10 from Cisco
Assumptions All software has bugs – “there’s always one more bug” Some bugs are security holes Software configuration causes holes Software use causes security holes Many attacks come from inside Moral: Audit & fix your software base
Audit Software In-House: Use Y2K audit to help find holes Use existing programmers’ knowledge Put your programmers on security courses Otherwise, get consultants to do audit Off the Shelf Software: not easy to audit Don't trust vendors' own opinion of security Find & use independent reports/surveys
Read Security Bulletins Many vendors put out security bulletins –Microsoft, Sun, Cisco, Netscape, SGI, HP... These announce newly found holes, their significance & how to fix them Also read bulletins/advisories from CERT, AUSCERT, FIRST Verify bulletins’ authenticity: PGP etc. Fix security holes quickly: day-zero attacks
Read Security Maillists Examples: Bugtraq, NT Bugtraq mail lists URLs: securityfocus.com, ntbugtraq.com Public arena for –Discussion of new vulnerabilities –Dissemination of detection/exploit code Both white-hats & hackers read these lists Hackers use this information for day-zero attacks
Read Security Maillists Not as trustworthy as vendor, CERT bulletins However, new holes are described here weeks before vendor bulletins Some individuals are trustworthy Some are unofficial representatives of software vendors
Reconfigure Software Configuration creates many security holes Consult software install/configure manuals for security recommendations Consult vendors, 3rd parties for security recommendations Use vulnerability detection software to audit configuration, monitor changes Keep good backups: you will need them when you are broken into
Open Source Software Consider using Open Source software for new/replacement software Distributed in source form –Thousands of people read the source –Hackers find weaknesses quickly –Good guys can fix the problem quickly –Fast understanding of new security attacks You can buy support for these products
Open Source Software In general, Open Source more trustworthy than proprietary software –The code you see is the code you get Ditto for published encryption techniques: DES, RSA, AES etc. Open Source very useful for server deployment, not quite ready for desktop –Apache, Perl, PGP, Gnu C, Bind, Sendmail, Linux, FreeBSD
Software for Security Encryption at application level: PGP, ssh, SSL, S/Key Encryption at network level: SKIP, VPN Intrusion Detection software: various Anti-virus software: various, for both desktop & server Configuration vulnerabilities: various Configuration change detection: various
Change Use of Software Software use also causes many holes –Opening of virus-infected programs, documents Make users aware of software security Encourage users to report issues, react positively. Encourage technical staff to report deficiencies, suggest improvements Send the message: security is important to us all
Conclusion Software will always be vulnerable to attack Intense effort by hackers to find new holes & exploit them Audit, find & fix holes in your existing software base Audit, find & fix holes in your software configuration Follow bulletins, mail lists to keep abreast of new holes
Conclusion Think security when replacing software, procuring new software Deploy software to enhance your security Encourage all to use software with security in mind