February 14, 2005
In This Issue
Tech Talk

Exposing the Holes: The Vulnerability Lifecycle

The weakest links in any network are vulnerabilities — imperfections that leave networks susceptible to attack. Unlike the traditional software development methodology (design, code, test, repeat), the vulnerability lifecycle can stem from any of the steps outlined below.

Examining the Lifecycle of a Vulnerability

The vulnerability lifecycle breaks down into roughly the following steps:

  • Software is released with a bug
  • The threat can be located internally or externally
  • The vendor may or may not be contacted
  • A fix/patch is developed and released
  • Potentially, details on the problem and an attack have been released
  • Potentially, hackers exploit your network using the vulnerability
  • All YOUR systems are fixed
  • Every system everywhere is fixed

Only two steps in this cycle are guaranteed to happen: it begins when buggy software is released, and it ends when every system, everywhere, is patched. These are the birth and death of the lifecycle. The “death” is unlikely to occur unless a piece of software loses favor and is replaced over time, which typically coincides with ‘end of life’ and/or ‘end of support’ for older products, when the number of people using them dwindles to nothing. A mass patching that covers all copies of a product worldwide is unlikely for another reason: new machines are brought up each day, and some do not get patched right away. It is not surprising to find vulnerabilities that were discovered and fixed over 10 years ago still showing up in scans on live networks. This is also the reason that worms such as CodeRed and Nimda are still operating on the Internet.

Every other step in this lifecycle is optional and can happen in nearly any order. A vulnerability may never be found by anyone. This, however, does not mean that the vulnerability does not exist. As long as the software is still in use, there exists the potential for the entire scenario to be played out. If it is never discovered, it is one of the birth-to-death vulnerabilities.

The threat can be located internally or externally —This is actually quite common, as software developers fix bugs that they find in their own after-market testing. This keeps the vulnerability out of public knowledge; however, it does little to mitigate the risk. Many vendors include fixes for several internally found vulnerabilities in innocuous or unrelated patches that people may or may not apply.

The vendor may or may not be contacted and a fix/patch is developed and released —A responsible security researcher may find the bug, contact the company, agree to wait for a fix from the company, and coordinate the release of details with that company. This is the common way “white hat” hackers operate. After the details and fix have been made public, there often begins a race between administrators rushing to fix the vulnerability and attackers wishing to exploit it. This is the scenario that most of the IT and hacking world is familiar with.

Potentially, details on the problem and an attack have been released and hackers exploit your network using the vulnerability —A hacker with malicious intent may find the vulnerability and quietly use this knowledge to compromise thousands of hosts before the knowledge comes to light. This is what is traditionally known as a zero-day attack.

All YOUR systems are fixed, every system everywhere is fixed —People often think that when all systems under their control are patched against a vulnerability, their responsibility is finished. This is a surprisingly misleading idea. Vulnerabilities on other hosts can still affect you, by flooding your network with worm traffic or through attacks launched from those compromised hosts. Although you have no control over how the rest of the Internet handles its vulnerabilities, be assured that it still DOES affect you.
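The lifecycle above has two moments that matter to an administrator: the day a patch becomes available (before it, nothing can be applied) and the day each host actually receives it (until then, the host is in the race between patchers and attackers). The script below is an added example, not code from this newsletter or from eEye: it splits every host's time on vulnerable code into those two windows over a constructed inventory and lists the hosts still open. The vulnerability identifier, host names and all dates are constructed.

```python
"""Exposure windows over a constructed asset inventory (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Vuln:
    ident: str            # placeholder identifier, not a real advisory
    patch_released: date  # the "fix/patch is developed and released" step


@dataclass(frozen=True)
class Host:
    name: str
    provisioned: date                # day the host started running the software
    patched: Optional[date] = None   # None: the fix was never applied here


def exposure(vuln: Vuln, host: Host, today: date) -> Tuple[int, int]:
    """Return (no_fix_days, fix_available_days) for one host.

    no_fix_days:        host ran the vulnerable software before any patch existed.
    fix_available_days: a patch existed but had not yet been applied on this host.
    An unpatched host's windows are measured up to `today`.
    """
    end = host.patched if host.patched is not None else today
    if end < host.provisioned:
        raise ValueError(f"{host.name}: patched before it was provisioned")
    # Window 1: [provisioned, patch_released), clipped to the host's lifetime.
    no_fix_end = min(end, vuln.patch_released)
    no_fix_days = max(0, (no_fix_end - host.provisioned).days)
    # Window 2: [patch_released, patched-or-today), clipped to the host's lifetime.
    fix_start = max(host.provisioned, vuln.patch_released)
    fix_available_days = max(0, (end - fix_start).days)
    return no_fix_days, fix_available_days


def fleet_summary(vuln: Vuln, hosts: List[Host], today: date) -> Dict[str, object]:
    """Aggregate the per-host windows: how much exposure was avoidable, and who is still open."""
    still_vulnerable = []
    avoidable = 0
    for h in hosts:
        _, fix_days = exposure(vuln, h, today)
        avoidable += fix_days
        if h.patched is None:
            still_vulnerable.append(h.name)
    return {
        "vuln": vuln.ident,
        "hosts": len(hosts),
        "patched": len(hosts) - len(still_vulnerable),
        "still_vulnerable": still_vulnerable,
        "avoidable_exposure_days": avoidable,
    }


# Constructed inventory: the patch date and every host below are invented for the example.
VULN = Vuln(ident="EXAMPLE-2005-0001", patch_released=date(2005, 1, 11))
TODAY = date(2005, 2, 14)
HOSTS = [
    Host("web01", provisioned=date(2004, 6, 1), patched=date(2005, 1, 18)),  # patched a week after release
    Host("lab07", provisioned=date(2005, 2, 1)),                             # built after the patch, never patched
    Host("legacy02", provisioned=date(2003, 3, 10)),                         # long-lived, never patched
]

if __name__ == "__main__":
    for h in HOSTS:
        no_fix, fix_avail = exposure(VULN, h, TODAY)
        status = "patched" if h.patched else "STILL VULNERABLE"
        print(f"{h.name:10} no-fix {no_fix:4d}d  fix-available {fix_avail:4d}d  {status}")
    print(fleet_summary(VULN, HOSTS, TODAY))
```

The `lab07` host is the case the article warns about: it was built after the patch shipped, so it never had a "no fix" window at all, yet it is still vulnerable because nobody applied the fix to the new machine.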

In our next issue, we will examine how these various scenarios will affect different roles within an organization.

Source: Ryan Permeh, Senior Software Engineer, eEye's Research Team

For more information on ways to secure your network before, during and after an attack please visit www.eeye.com.

News & Articles
The following articles represent the opinions of their respective authors. They do not necessarily represent the opinions of eEye Digital Security.

Red Herring: Top 100 Innovative Companies: eEye, Beyond Patches
"Security firm eEye tries to stop security threats before they spread" Full Article

ABCnews.com: Microsoft Software to Remove Spyware
"Microsoft Corp. has disclosed plans to offer frustrated users of its Windows software new tools to remove spyware programs secretly running on computers. But it might cost extra in coming months" Full Article

Flaw Finders Go Their Own Way
"To many software makers and security consultants, flaw finder David Aitel is irresponsible. But unlike an increasing number of researchers, he does not share the security problems he finds with the makers of the programs he examines" Full Article

Reader Q&A

Q: How can one guard against malicious sniffing of network traffic in a switched environment?

A: The best defense against network sniffers in both switched and non-switched environments is good encryption. If encryption is used, then the network sniffers will still be able to capture traffic, but not decode the data. This means that the sniffer will only see garbled communication, and will be unable to decode this data without the encryption keys.

This leads, then, to the use of safe practices for generating and managing encryption keys, a subject for another paper. Nevertheless, the two methods presented here, the use of switches and strong encryption, are an excellent start in securing network communication.

Remember, strong security is only as strong as the weakest link.
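The answer's point is that a sniffer in a switched network can still capture frames, so what protects the data is encryption. A defender's first step is therefore to find where traffic is still in the clear. The script below is an added example, not code from this newsletter or from eEye: it takes captured TCP payloads (constructed inline) and sorts them into encrypted protocols, whose contents a sniffer cannot read, and cleartext protocols, flagging those that carry a login. The addresses, ports and payloads are all constructed, and credential values are never printed.

```python
"""Audit captured traffic for cleartext protocols (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# TLS record content types (RFC 5246, section 6.2.1).
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}

# Patterns that mark a cleartext login in common text protocols.
CREDENTIAL_PATTERNS = [
    ("USER/PASS command (FTP, POP3)", re.compile(rb"^(USER|PASS) \S+", re.M)),
    ("HTTP Basic Authorization header (base64 is encoding, not encryption)",
     re.compile(rb"^Authorization: Basic \S+", re.M | re.I)),
]


@dataclass(frozen=True)
class Capture:
    src: str
    dst: str
    dport: int
    payload: bytes


def is_tls_record(payload: bytes) -> bool:
    """True if the payload starts with a plausible TLS record header."""
    if len(payload) < 5:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    return (content_type in TLS_CONTENT_TYPES
            and major == 3 and minor <= 4          # SSL 3.0 through TLS 1.3 record versions
            and 0 < length <= 2**14 + 256)         # max fragment plus compression/MAC overhead


def looks_textual(payload: bytes) -> bool:
    """Heuristic: mostly printable ASCII means a text protocol a sniffer can read directly."""
    if not payload:
        return False
    printable = sum(1 for b in payload if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(payload) > 0.9


def classify(cap: Capture) -> Dict[str, object]:
    """Decide whether a sniffer would see ciphertext or readable application data."""
    p = cap.payload
    if is_tls_record(p):
        return {"verdict": "encrypted", "protocol": f"TLS {TLS_CONTENT_TYPES[p[0]]}",
                "credentials_exposed": False}
    if p.startswith(b"SSH-2.0-"):
        # The version banner is cleartext, but everything after key exchange is encrypted.
        return {"verdict": "encrypted", "protocol": "SSH-2.0 banner", "credentials_exposed": False}
    if not looks_textual(p):
        return {"verdict": "unknown", "protocol": "binary, unrecognised", "credentials_exposed": False}
    hits = [name for name, pat in CREDENTIAL_PATTERNS if pat.search(p)]
    if re.match(rb"[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n", p):
        proto = "HTTP"
    else:
        proto = "cleartext command protocol" if hits else "cleartext (unidentified)"
    return {"verdict": "cleartext", "protocol": proto,
            "credentials_exposed": bool(hits), "indicators": hits}


def cleartext_credentials(captures: List[Capture]) -> List[str]:
    """Flows where a sniffer would see a login in the clear: the remediation list."""
    return [f"{c.src} -> {c.dst}:{c.dport} [{classify(c)['protocol']}]"
            for c in captures if classify(c)["credentials_exposed"]]


# Constructed captures: addresses, ports and payloads invented for the example.
SAMPLE_CAPTURES = [
    Capture("10.0.0.5", "10.0.0.20", 443,
            b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"),            # TLS handshake record (shortened)
    Capture("10.0.0.5", "10.0.0.21", 21, b"USER alice\r\nPASS s3cret\r\n"),
    Capture("10.0.0.6", "10.0.0.22", 80,
            b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
            b"Authorization: Basic YWxpY2U6czNjcmV0\r\n\r\n"),
    Capture("10.0.0.7", "10.0.0.23", 22, b"SSH-2.0-constructed_banner\r\n"),
    Capture("10.0.0.8", "10.0.0.22", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for c in SAMPLE_CAPTURES:
        r = classify(c)
        print(f"{c.src} -> {c.dst}:{c.dport:<4} {r['verdict']:9} {r['protocol']}")
    print("needs encryption:", cleartext_credentials(SAMPLE_CAPTURES))
```

The classifier deliberately reads payload bytes rather than trusting port numbers, because a service moved to a non-standard port is still in the clear; and it reports only which flows expose a login, not the values, since the output is a list of services to move behind TLS or SSH.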

Have a question you would like answered? Send it to versa@eEye.com, and win an eEye t-shirt if we select your question for an upcoming newsletter.

Announcements

Release: eEye Digital Security Introduces Blink® 2.0 – Endpoint Security for Business
The latest version of award-winning endpoint security software focuses on business continuity, policy compliance, anti-spyware and identity theft protection Full Article

Attend a Blink Webinar for your chance to win an Apple iPod Shuffle
Join eEye Digital Security for a quick overview on how organizations of all sizes can leverage eEye's Blink Vulnerability Prevention solution to thwart attacks and increase operational efficiency by:

  • Protecting from known and undefined vulnerabilities
  • Extending the timetable to remediate
  • Enforcing policy compliance

Full Article

Release: eEye's Blink Endpoint Security Software Selected as a Network World Best of the Tests Finalist
eEye’s Blink solution, the most powerful and comprehensive endpoint security software introduced to date, was selected as a Network World 2005 Best of the Tests Finalist. Blink is the first endpoint security software to take a multi-layered approach incorporating firewall, intrusion prevention and vulnerability assessment technology to ensure business continuity across the enterprise. Full Article

Coming Soon: Retina Network Security Scanner 5.2
Retina Network Security Scanner 5.2 will be available February 22, 2004. Sold separately, or as part of the Retina Enterprise Suite, the updated version provides security and IT professionals with a more in-depth view of the Unix and other non-Windows devices on their network. Full Article

Etcetera

Microsoft Turns to External Patch Testers
Looking to improve—and possibly speed up—the creation and release of software security patches, Microsoft Corp. is implementing a closed beta program for external testing teams. More

HOW TO SUBSCRIBE
To subscribe to this and other eEye newsletters, please visit: http://www.eeye.com/html/resources/newsletters/subscribe.html

FEEDBACK
The eEye newsletter staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to versa@eeye.com.

DISCLAIMER
The information within this newsletter may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

NOTICE
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of eEye. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email versa@eeye.com for permission.