A curious change has come over the image of computer security in the last few years. Whereas headlines once screamed the exploits of allegedly evil hackers, the story now is all about bad code — unpatched software, poorly secured firewalls and computer passwords left in plain sight. The hackers are not the real culprits; the security holes are.
It might be our maturation as a high-tech society, but such a shift in perspective marks a coming of age for network administrators after more than a decade of trying to secure client-server and Internet computing. A new set of tools, collectively called vulnerability assessment, is educating sysadmins about ways to close holes in networks before a hacker even finds them, let alone plans an attack. With widely circulating estimates claiming that up to 90 percent of computer security breaches can be avoided, such tools might represent a CIO’s best chance to assess the level of security in his or her enterprise and determine how to improve it.
As with other “new” sensations, vulnerability assessment tools really have been around for a while. One of the first such programs was the Security Profile Inspector (SPI), launched by James Rothfuss at Lawrence Livermore National Laboratory under contract to the U.S. Department of Energy. It simply tested system security by examining how certain files were set up on a computer. For example, SPI would check to see if permissions for using the machine were in a file that could be overwritten by an attacker, and it could determine which versions of operating system code were installed, thereby assisting in patch management. The intent was to ensure systems were maintained according to sensible security procedures.
In 1995, security researchers Dan Farmer and Wietse Venema electrified the sleepy world of vulnerability assessment by releasing a simple program called Security Administrator Tool for Analyzing Networks, or SATAN. Farmer, then a Sun Microsystems scientist who had already written a profiler called Computer Oracle and Password System (COPS), and Venema, a researcher at Eindhoven University of Technology in The Netherlands, made a couple of dramatic innovations.
First, they made it possible to scan computers for misconfigurations through the Internet, without requiring direct or administrative access to the computers in question. That meant just about anyone could try his or her hand at probing security holes in collections of computers or entire networks.
Second, Farmer and Venema made the program seem easy by hiding its complexity behind a Web interface. Using a bunch of Perl scripts, they cobbled together a large array of tools to seek out misconfigurations — and gave script kiddies a powerful tool kit for detecting vulnerabilities in the process. The Web-centric nature of SATAN can be seen even today in simple programs such as Microsoft’s online Slammer virus-scanning tool, which can be run from a Web site and will probe an Internet-connected PC to find out if it is vulnerable to the Slammer worm.
Way Beyond Scan
However, the simple script-based programs of yesteryear mostly have morphed into hardware appliances that claim to address the complexity of securing systems in an age of ubiquitous networking. A raft of venture-backed startups have emerged in the last few years, including Qualys, Foundstone and nCircle, whose product can be termed the Cadillac of the industry in terms of both features and price.
The first thing to note about these tools is that they are automated, unlike SPI and SATAN, which were designed to be run by an individual system administrator when he or she had time. NCircle’s IP360 uses hardware to monitor thousands of hosts across a LAN, with perhaps several boxes deployed at various points behind the firewall, between firewall and router, and surrounding the LAN switch at different points. Meanwhile, Foundstone claims its FoundScan appliance can inspect an entire class A network of 17 million IP addresses in less than 48 hours. In other words, vulnerability assessment has become part of the networking business.
Dieting vs. Wonder Pills
Realize, too, that scanning software is different from intrusion-detection software (IDS), such as the freely available Snort for WiFi networks. Whereas IDS looks for patterns of unauthorized network traffic that might signal a break-in, scanners are geared toward detecting whether or not a computer’s current configuration is inherently vulnerable to attack. Firas Raouf, COO of eEye Digital Security, which makes the Retina scanner product, told the E-Commerce Times that the difference is akin to symptoms versus cause.
“The IDS is looking at attack signatures,” he said, “whereas the vulnerability assessment tool is looking at the state of the code on the server to figure out if there’s an inherent problem with that code.”
Some observers view the difference even more strongly. “An IDS is completely reactionary, whereas a scanner is proactive,” Gartner research director Richard Stiennon told the E-Commerce Times. “IDS is all about listing and alerting attacks that have happened, whereas vulnerability assessment will tell you what’s wrong before the fact.” He said that, in his opinion, scanning tools are “absolutely a more important purchase than intrusion detection systems.”
For his part, Qualys chairman and CEO Philippe Courtot likened IDS to wonder drugs that do not pay off. “It’s like trying to lose weight by taking a little bunch of pills,” he told the E-Commerce Times. “If you really want to lose weight, you’ve got to eat right and exercise, not look for a panacea.”
Nonetheless, there is an inherent limitation in scanning tools, because hackers can go farther than system administrators in terms of the things they are willing to do to detect a weakness in a system. As eEye’s Raouf said: “A scanning tool will never intentionally run an exploit against the system to try and crash it. Hackers will do this routinely.” That means the black hats have a certain advantage. How much can today’s scanners mitigate this risk?
Tell Me No Lies
For starters, it is important to choose a good scanning tool to provide maximum protection. Because these tools have morphed from early command-line programs to complex network devices, their number and variety of features are a significant differentiator. A CIO or other IT purchaser should look for offerings that are more than basic port-scanning tools. The best devices not only should look for open ports and vulnerable file systems, but also should monitor network traffic, determine which vulnerabilities are most pressing, take inventory of devices on the network and perhaps even correct vulnerabilities they uncover.
Many commercial packages build on a basic port scanner called nmap, created by a hacker who calls himself Fyodor. While nmap does perfectly good port-scanning and operating-system detection, Fyodor says he is pleased with the “substantial value” added by licensees. For example, “Core SDI uses nmap in their Impact tool to determine what OS the target host is running so that it can choose the proper exploit to run in order to compromise a host.”
Vital False Positives
An entirely separate issue is how to handle the barrage of information generated by vulnerability assessment tools. Gartner’s Stiennon recommends using products that integrate patch management, which itself is just one part of remediation, the work of dealing with exposed vulnerabilities. Toward this end, Foundstone sells an extra piece of software called a Remediation Module, which can generate trouble tickets and allow an administrator to track which employees are charged with eliminating specific vulnerabilities.
Nmap creator Fyodor stresses that eliminating false positives — vulnerabilities to which a machine is not actually susceptible — is just as important as taking care of real threats. “It requires experience to separate this chaff from the actual serious vulnerabilities that should be addressed immediately,” Fyodor said. Even if an enterprise’s IT admins do not have sufficient experience, vendors offer automated means of prioritizing the most serious kinds of attacks, which they say can help administrators achieve near-perfect elimination of false positives on a network.
That is possible because of the inclusion of threat profiles — constantly updated information about the ways viruses and worms behave. Assessment appliances can correlate those threats to the state of a given network, rather like an antivirus system. For example, nCircle and Qualys both maintain databases that are frequently updated with the latest information about malware like Code Red and distributed denial-of-service attacks. These threat “signatures” can be downloaded to the scanning appliance, along with information on how to patch systems to defend against the threats.
Charles Kolodgy, who follows vulnerability assessment technology for research firm IDC, believes such databases will be a major differentiator among vendors’ offerings going forward. “They all have knowledge bases now, but how extensive is each product’s?” he said. He suggested that eliminating false positives ultimately will depend as well on how well a product integrates with other security devices in a network, enabling cross-checking. He said he believes nCircle is the leader in terms of integrating its scanner with IDS and firewalls.
Fits in a Suitcase
Because scanners are increasingly evolving into networked, multicomponent offerings, one significant issue is what it takes to deploy all the devices and software involved. Vendors often compete on this basis, touting short rollout times for the numerous devices that must be stationed throughout an enterprise. For example, nCircle claims Visa deployed more than 200 components of its IP360 product at 20 sites around the world in less than a month’s time.
Depending on how many appliances a company needs to deploy, prices can vary greatly. Foundstone prices its FS1000 appliance at US$6,700 for a base system; nCircle charges $25,000 for a base license of its IP360. When deploying multiple boxes across a multinational network, a company can end up spending several hundred thousand dollars or even as much as $1 million.
Others, such as Qualys and Foundstone, say the installation process can be made easier by treating vulnerability assessment as a hosted service, along the lines of the application service provider (ASP) model. In fact, Qualys CEO Courtot said that by having his company perform the initial scan using its own hosted computers, the entire issue of installation can be avoided. “Because we have eliminated issues of managing the app, you could create very sophisticated global infrastructure at a minimum cost,” he said.
Save the Network, Save Money
With such a hosted model, customers receive reports from a Qualys scan of their network perimeter; for scanning their intranet, of course, they must purchase and install an appliance. However, this process is not complex, according to Courtot. He said the CEO of Solectron left Qualys’ offices with the box in his briefcase and installed it back at the Solectron offices in Amsterdam, The Netherlands, by himself. Also, compared with the potentially hefty cost of a full enterprise rollout of a nonhosted solution, Courtot said an initial subscription of $10,000 can start a company on the road to discovering holes in its network security.
In these frugal times, however, sysadmins probably will have to prove that vulnerability assessment products can generate ROI, no matter how smart the purchase seems in principle. Adding to the difficulty, it is hard to quantify the long-term payoff of locking down open ports or eliminating rogue computers from a network.
Nonetheless, Qualys’ Courtot says that as customers come to understand the true cost of locking down systems by hand, they will realize how much money can be saved by letting scanners manage the process. “We’re starting to put together a database about the costs of these vulnerabilities, so customers will see the real cost of securing their networks,” he said.
Pretty good evaluation of the issue, albeit restricted to an IT-centric perspective.
Emphasizing to IT sec staff the importance of pitching others in their organizations on the opportunities/rewards of marketing a site’s security status to shoppers has been a very successful sales strategy for us.
Tiernan Ray writes, "In these frugal times, however, sysadmins probably will have to prove that vulnerability assessment products can generate ROI, no matter how smart the purchase seems in principle."
Sysadmins wondering how to justify the cost of vulnerability scanning would do well to spend five minutes visiting http://www.scanalert.com/Merchants?tab=3 to see how more than 30 retail ecommerce sites have reported considerable ROI numbers on their vulnerability scanning investments via ScanAlert’s HACKER SAFE certification.
(In the spirit of disclosure, I work for ScanAlert.) One of the statements that we make about marrying vulnerability scanning to independent security certification is that without certification, security is an expense; with certification, security is an investment.
HACKER SAFE certified online retailers have collectively analyzed the shopping behavior of more than a million visitors to their respective sites and reported back to us an average sales boost of 15 percent. With that sort of empirical data, certification is clearly one way to justify to a bean counter the cost of vulnerability scanning.
In addition to the commercial vulnerability scanners mentioned in this article, there is a free, open source product called Nessus (http://www.nessus.org/).