

Number of slides: 14

Improving Security through Software
Dr Warren Toomey
School of Computer Science, Australian Defence Force Academy

Introduction
• Software insecurity causes most system vulnerabilities
• 1998 Internet survey
  – 85% of the 36 million systems examined
  – 1% (450,000) systems had software holes
• New software holes found on a daily basis
  – 35 Microsoft bulletins in last 12 months
  – 22 from SGI, 14 from Sun, 10 from Cisco

Assumptions
• All software has bugs – “there’s always one more bug”
• Some bugs are security holes
• Software configuration causes holes
• Software use causes security holes
• Many attacks come from inside
• Moral: audit & fix your software base

Audit Software
• In-house software:
  – Use the Y2K audit to help find holes
  – Use existing programmers’ knowledge
  – Put your programmers on security courses
  – Otherwise, get consultants to do the audit
• Off-the-shelf software: not easy to audit
  – Don’t trust vendors’ own opinion of their security
  – Find & use independent reports/surveys

Read Security Bulletins
• Many vendors put out security bulletins
  – Microsoft, Sun, Cisco, Netscape, SGI, HP...
• These announce newly found holes, their significance & how to fix them
• Also read bulletins/advisories from CERT, AUSCERT, FIRST
• Verify bulletins’ authenticity: check the PGP signature etc.
• Fix security holes quickly: day-zero attacks

Read Security Mailing Lists
• Examples: Bugtraq, NT Bugtraq mailing lists
• URLs: securityfocus.com, ntbugtraq.com
• Public arena for
  – Discussion of new vulnerabilities
  – Dissemination of detection/exploit code
• Both white-hats & hackers read these lists
• Hackers use this information for day-zero attacks

Read Security Mailing Lists
• Not as trustworthy as vendor or CERT bulletins
• However, new holes are described here weeks before vendor bulletins
• Some individuals are trustworthy
• Some are unofficial representatives of software vendors

Reconfigure Software
• Configuration creates many security holes
• Consult software install/configure manuals for security recommendations
• Consult vendors and 3rd parties for security recommendations
• Use vulnerability detection software to audit configuration and monitor changes
• Keep good backups: you will need them

Open Source Software
• Consider using Open Source software for new/replacement software
• Distributed in source form
  – Thousands of people read the source
  – Hackers find weaknesses quickly
  – Good guys can fix the problem quickly
  – Fast understanding of new security attacks
• You can buy support for these products

Open Source Software
• In general, Open Source is more trustworthy than proprietary software
  – The code you see is the code you get
• Ditto for published encryption techniques: DES, RSA, AES etc.
• Open Source very useful for server deployment, not quite ready for the desktop
  – Apache, Perl, PGP, GNU C, BIND, Sendmail, Linux, FreeBSD

Software for Security
• Encryption at application level: PGP, ssh, SSL, S/Key
• Encryption at network level: SKIP, VPN
• Intrusion detection software: various
• Anti-virus software: various, for both desktop & server
• Configuration vulnerability scanners: various
• Configuration change detection: various
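The configuration-audit and change-detection tools that the "Reconfigure Software" and "Software for Security" slides above leave as "various" (Tripwire was the best known of the era) all come down to one technique: record a baseline of each file's digest and permission bits, then diff the live system against it. The following is an added example, not code from the slides or from any of the tools they name, that implements that loop in Python; the file names, contents and the simulated intrusion are constructed for the demonstration.

```python
"""Baseline-and-diff configuration change detection.

Added example (not from the original slides). Records a baseline of
SHA-256 digests, permission bits and sizes for every regular file under
a directory, then reports what was added, removed or modified since.
The baseline must live off the audited host or on read-only media: an
attacker who can rewrite the baseline can hide any change.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Digest, permission bits and size of one file.

    Permission bits are recorded deliberately: a config file that becomes
    world-writable is a hole even when its contents have not changed.
    """
    st = path.lstat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(),
            "mode": stat.S_IMODE(st.st_mode),
            "size": st.st_size}


def take_baseline(root: Path) -> dict:
    """Fingerprint every regular file below root, keyed by relative path.

    Symlinks are skipped rather than followed: following them would let an
    attacker point the audit at an unchanged file somewhere else.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            baseline[p.relative_to(root).as_posix()] = fingerprint(p)
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    dest.write_text(json.dumps(baseline, sort_keys=True, indent=1))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; each list is sorted so reports are stable."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(k for k in old & new if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline of a few hypothetical config
    files, then simulate an intrusion that enables root login, loosens a
    permission, drops a startup file and deletes an access-control list."""
    with tempfile.TemporaryDirectory() as tmp, tempfile.TemporaryDirectory() as vault:
        root = Path(tmp)
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "inetd.conf").write_text("ftp stream tcp nowait root /usr/sbin/ftpd\n")
        (root / "hosts.allow").write_text("sshd: 10.0.0.0/8\n")
        os.chmod(root / "inetd.conf", 0o644)

        store = Path(vault) / "baseline.json"   # stands in for off-host storage
        save_baseline(take_baseline(root), store)

        (root / "sshd_config").write_text("PermitRootLogin yes\n")   # content change
        os.chmod(root / "inetd.conf", 0o666)                         # mode-only change
        (root / "rc.local").write_text("/tmp/.x &\n")                # new file
        (root / "hosts.allow").unlink()                              # removed file

        return compare(load_baseline(store), take_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {', '.join(paths) or '-'}")
```

Running the module reports `rc.local` as added, `hosts.allow` as removed, and both `inetd.conf` (permission change only) and `sshd_config` (content change) as modified. Run `take_baseline` again after every deliberate reconfiguration and re-save, otherwise the legitimate change and the next break-in become indistinguishable in the report.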

Change Use of Software
• Software use also causes many holes
  – Opening of virus-infected programs, documents
• Make users aware of software security
• Encourage users to report issues, and react positively when they do
• Encourage technical staff to report deficiencies and suggest improvements
• Send the message: security is important to us all

Conclusion
• Software will always be vulnerable to attack
• Intense effort by hackers to find new holes & exploit them
• Audit, find & fix holes in your existing software base
• Audit, find & fix holes in your software configuration
• Follow bulletins and mailing lists to keep abreast of new holes

Conclusion
• Think security when replacing software or procuring new software
• Deploy software to enhance your security
• Encourage all to use software with security in mind