76b3ea58c73c1cf00ce659a07060913c.ppt
- Number of slides: 51
Slide 1: Vulnerability Management Solutions
Harold Toomey, Product Manager
13 August 2001

Slide 2: Agenda
• Importance of Security Policy
• Security Management
  • Web access management
  • Vulnerability management
  • Intrusion detection
• Symantec Products
  • ESM: OS Security
  • Web Server Security
  • Database Security
  • Symantec NetRecon: Network Security
• Questions and Answers
Symantec Confidential

Slide 3: Market Trends
Figure: a transformation of the corporate enterprise, from Company A (20th Century Corporation) to Company B (21st Century Corporation)
• As technology has changed the way we do business, it changes the way we think about security
• No longer about keeping people out, but letting people in…
Source: Business Week, August 28th 2000

Slide 4: Evolution of Network Intrusions
Timeline figure (earliest first): Morris Internet Worm; SATAN is released; "Zombies" appear; wide-spread Denial-of-Service attacks (Yahoo!, eBay); Microsoft hacked
Source: CERT, Carnegie Mellon University

Slide 5: Average Reported Losses
Bar chart from the 2001 CSI/FBI Computer Crime and Security Survey (Mar 12, 2001). Categories: Theft of Proprietary Information, Sabotage, Unauthorized Insider Access, Denial of Services, Financial Fraud, Outside System Penetration. Bar values as extracted (not every bar is labelled in the text): $4.45M, $4.42M, $454K, $322K, $275K.

Slide 6: Risk Remains High
• $1.6 TRILLION: estimated worldwide loss in 2000 due to downtime resulting from security breaches and virus attacks (InformationWeek)
• $266 BILLION: estimated cost of damages caused by viruses and computer cracking in U.S. firms in 2000 (InformationWeek)
• 42% of computers checked were still not running antivirus software; 32% were infected (Symantec SecurityCheck)
• 12:1: ratio of the number of times on-line merchants suffer credit card fraud compared to their off-line, bricks-and-mortar counterparts (Gartner Group)
Slide 9: Web Server Security Threat
"Web Server Security has been at the forefront of the news throughout the last month, with the archive site attrition.org announcing that it had received a list of around 9,000 Microsoft-IIS sites that had been successfully taken control of by attackers. … Recently it has been receiving over 100 reports of successful attacks in a single day, more than for the entire years of 1995 & 1996."
Source: http://www.netcraft.com/survey/ (Jun 2001)
Slide 10: Web Site Defacements
Chart (no extractable data). Source: attrition.org

Slide 11: Policy is Key to Security
• Mandate to implement security
• Standard to measure security
• Basis for all security technology and procedures
Hierarchy (figure): Policy; Standards; Procedures, Guidelines & Practices

Slide 12: Security Objectives
• Confidentiality: Who sees the data?
• Integrity: Has the data been tampered with?
• Availability: Can I access the server or data when I need it?

Slide 13: No Need to Start from Scratch
• Rather than analyzing every risk, look at what others are doing
• Meet the standard of due care
• Use existing standards and "Best Practices"
• Pay attention to regulations and requirements
  • Government
  • Industry
  • Partner

Slide 14: Standards for Operational Security
• BS 7799 security requirements established by the British Government (ISO 17799)
• SAS 70 and SysTrust requirements established by the AICPA
• FISCAM requirements established by GAO for federal govt.
• COBIT requirements established by the Information Systems Audit and Control Association (ISACA)
• IETF Site Security Handbook and User Security Handbook
• The Top Ten Internet Security Threats from SANS
• VISA's ten requirements for 21,000 organizations that carry the VISA logo
• Future: minimum standards of due care from The Center for Internet Security, a new world-wide standards consortium

Slide 15: Visa's "Ten Commandments"
1. Install and maintain a working network firewall to protect data accessible via the Internet
2. Keep security patches up-to-date
3. Encrypt stored data accessible from the Internet
4. Encrypt data sent across networks
5. Use and regularly update anti-virus software
6. Restrict access to data by business "need to know"
7. Assign unique IDs to each person with computer access to data
8. Track access to data by unique ID
9. Don't use vendor-supplied defaults for system passwords and other security parameters
10. Regularly test security systems and processes
Source: www.visabrc.com

Slide 16: Regulations for Operational Security
• FDIC and OCC regulations for the banking industry
• HIPAA regulations for the health care industry
• SEC regulations for the brokerage industry
• FDA regulations for pharmaceutical companies
• DoD regulations for military commands and contractors
• NASA requirements for all its facilities and contractors
• 1974 Privacy Act with amendments

Slide 17: Metrics for Security Effectiveness
Measuring Policy Compliance
• Percent of organization following policy
• Number of exemptions granted
Measuring Resistance and Response to Attack
• Number of holes found by vulnerability scan
• Percent of attacks detected during penetration test
• Percent of detected attacks with proper response/report
• Percent of attempted attacks that succeeded
If you want to manage something, you have to be able to measure it.

Slide 18: Web Access Management
Diagram labels: Web Server, Firewall, Customers, E-mail servers, File Servers, Partners, Database Servers, Branch Office, Groupware Servers, Modems, Wireless Device, Telecommuters

Slide 19: Traditional Web Access Management
Diagram labels: Web Users & Internet, Hacker; Service Network (DMZ): Web Servers & Content, Application Servers, Auth DB, DB; Firewall; Secure (Trusted) Network: Application Servers, Auth DB, DB

Slide 20: Secure Web Access Management
Diagram labels: Web Users & Internet; Service Network (DMZ): Proxy Server, PKI Auth Agent, NT Auth Agent, LDAP Auth Agent, Other Auth Agents; Firewall; Central Management Server, Authentication Mechanism(s), Web Servers & Content; Secure (Trusted) Network

Slide 21: Authentication
Username/password is most common
• Can be stolen or frequently cracked
• Use SSL or similar web technology
Two-factor authentication is stronger
• Hardware token, smartcard, etc.
• Soft token, digital certificate
• Biometric
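The slide's point is that a stolen or cracked password should not be enough on its own. The following Python is an added example written for this page, not code from Symantec or from the presentation: it stores passwords as salted PBKDF2 hashes and requires a second factor in the form of an RFC 6238 TOTP soft-token code. The user store, the user "alice", her password and the constants are all constructed for the example; the TOTP secret is the published RFC 4226/6238 test-vector secret so that the codes can be checked against the RFC tables.

```python
"""Username/password plus a TOTP soft token: a minimal two-factor login check."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 100_000   # work factor for the stored password hash
TOTP_STEP = 30                # seconds per TOTP time step (RFC 6238 default)
TOTP_WINDOW = 1               # accept one step of clock skew either side

# RFC 4226 / RFC 6238 test-vector secret, used here only as sample enrolment data.
RFC_TEST_SECRET = b"12345678901234567890"


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest). A fresh random salt per user
    means a stolen table cannot be attacked with one precomputed dictionary."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock."""
    return hotp(secret, unix_time // TOTP_STEP, digits)


def verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    """Accept the current step and TOTP_WINDOW steps either side, constant-time compare."""
    counter = unix_time // TOTP_STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + skew), code)
        for skew in range(-TOTP_WINDOW, TOTP_WINDOW + 1)
    )


# Constructed in-memory user store for this example. A deployment keeps these
# records in an authentication database and protects the TOTP secret at rest.
USERS: Dict[str, dict] = {}


def enroll(username: str, password: str, totp_secret: bytes) -> None:
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "digest": digest, "totp_secret": totp_secret}


def login(username: str, password: str, code: str, unix_time: int) -> str:
    """Two-factor login. Returns 'ok', 'no-user', 'bad-password' or 'bad-code'."""
    record = USERS.get(username)
    if record is None:
        # Spend the same hashing cost for unknown users so response time does
        # not reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return "no-user"
    if not verify_password(password, record["salt"], record["digest"]):
        return "bad-password"
    # A stolen or cracked password alone stops here: the token code is still required.
    if not verify_totp(record["totp_secret"], code, unix_time):
        return "bad-code"
    return "ok"


if __name__ == "__main__":
    enroll("alice", "correct horse battery staple", RFC_TEST_SECRET)
    now = 1111111109   # RFC 6238 test-vector time; totp() gives "081804" here
    print(login("alice", "correct horse battery staple", totp(RFC_TEST_SECRET, now), now))
    print(login("alice", "correct horse battery staple", "081804", 1234567890))
```

The second `login` call in the usage block replays a code that was valid roughly four years earlier; it is rejected because only codes within one time step of the server clock are accepted, which is what makes the soft token a stronger factor than a reusable password.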
Slide 22: Vulnerability Management: Policy Compliance
Diagram labels (same network as slide 18): Web Server, Firewall, Customers, File Servers, Partners, Database Servers, Branch Office, Groupware Servers, Modems, Wireless Device, Telecommuters

Slide 23: Some Typical Vulnerabilities
• Password strength
• Out-of-date patch levels
• Account settings
• Network parameters
  • NT RAS, NIS, UNIX .rhosts files, ftp, telnet
• File protections
• Improperly changed files
• O/S specific problems
  • Windows NT registry, NetWare NDS, UNIX suid files, etc.
• Improper CGI and other web vulnerabilities
• Presence of DDoS "Zombie" code
Credit: G. Mark Hardy
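The list above is what a host-based policy check looks for, and slide 17 asks for the metrics that come out of such checks (percent of hosts following policy, number of holes found). The Python below is an added example written for this page, not ESM code or any Symantec policy: it runs a handful of checks of the kinds listed (patch level, account settings and password age, cleartext services and .rhosts files, world-writable and unexpected setuid files) over a constructed inventory of three host snapshots and reports the compliance metrics. The policy thresholds, host names, file paths and accounts are all constructed for the example.

```python
"""Host-based policy checks over a constructed inventory, plus compliance metrics."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Account:
    name: str
    password_age_days: int
    has_password: bool


@dataclass
class FileEntry:
    path: str
    mode: int               # POSIX permission bits, e.g. 0o4755 for a setuid binary


@dataclass
class Host:
    name: str
    os: str                 # "solaris" or "nt4" in this example
    patch_level: int        # patch cluster / service pack level as an integer
    accounts: List[Account]
    files: List[FileEntry]
    services: List[str]     # network services enabled on the host


@dataclass
class Finding:
    host: str
    check: str
    severity: str           # "high", "medium" or "low"
    detail: str


# Constructed policy baseline for the example; not a vendor-supplied policy.
POLICY = {
    "min_patch_level": {"solaris": 7, "nt4": 6},
    "max_password_age_days": 90,
    "banned_services": {"telnet", "ftp"},                  # cleartext logins
    "setuid_allowlist": {"/usr/bin/passwd", "/usr/bin/su"},
}


def assess(h: Host) -> List[Finding]:
    """Run the policy checks against one host snapshot; an empty list means compliant."""
    out: List[Finding] = []

    def add(check: str, severity: str, detail: str) -> None:
        out.append(Finding(h.name, check, severity, detail))

    # Out-of-date patch levels
    required = POLICY["min_patch_level"].get(h.os)
    if required is not None and h.patch_level < required:
        add("patch-level", "high", f"patch level {h.patch_level} below required {required}")
    # Account settings and password age
    for a in h.accounts:
        if not a.has_password:
            add("account-settings", "high", f"account {a.name} has no password")
        elif a.password_age_days > POLICY["max_password_age_days"]:
            add("password-strength", "medium", f"password for {a.name} is {a.password_age_days} days old")
    # Network parameters: cleartext services and trusted-host files
    for svc in sorted(set(h.services) & POLICY["banned_services"]):
        add("network-parameters", "high", f"cleartext service {svc} enabled")
    for f in h.files:
        if f.path.endswith("/.rhosts"):
            add("network-parameters", "high", f"{f.path} present (trusted-host login)")
    # File protections and OS-specific setuid problems
    for f in h.files:
        if f.mode & 0o002:
            add("file-protections", "medium", f"{f.path} is world-writable")
        if f.mode & 0o4000 and f.path not in POLICY["setuid_allowlist"]:
            add("os-specific", "high", f"unexpected setuid file {f.path}")
    return out


def compliance_metrics(hosts: List[Host]) -> Dict[str, object]:
    """Slide 17's metrics: percent of hosts following policy and holes found by severity."""
    results = {h.name: assess(h) for h in hosts}
    compliant = sum(1 for findings in results.values() if not findings)
    by_severity = {"high": 0, "medium": 0, "low": 0}
    for findings in results.values():
        for f in findings:
            by_severity[f.severity] += 1
    return {
        "hosts": len(hosts),
        "compliant_hosts": compliant,
        "percent_compliant": round(100.0 * compliant / len(hosts), 1),
        "holes_by_severity": by_severity,
    }


# Constructed inventory snapshots, the kind of data a host agent would collect.
INVENTORY = [
    Host("web1", "solaris", 7, [Account("root", 30, True)],
         [FileEntry("/usr/bin/passwd", 0o4755), FileEntry("/etc/motd", 0o644)],
         ["ssh", "http"]),
    Host("db1", "solaris", 5, [Account("oracle", 200, True), Account("guest", 0, False)],
         [FileEntry("/home/oracle/.rhosts", 0o644), FileEntry("/tmp/backup.sh", 0o666),
          FileEntry("/usr/local/bin/backup", 0o4755)],
         ["telnet", "sqlnet"]),
    Host("nt1", "nt4", 6, [Account("Administrator", 10, True)], [], ["ftp", "smb"]),
]

if __name__ == "__main__":
    for host in INVENTORY:
        for finding in assess(host):
            print(f"{finding.host:5} {finding.severity:6} {finding.check}: {finding.detail}")
    print(compliance_metrics(INVENTORY))
```

On the constructed inventory only web1 passes, so the report shows one of three hosts compliant with six high and two medium findings; the same assess/metrics split is what lets a scan be repeated on demand and trended, which is the slide's argument for measuring before managing.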
Slide 24: Vulnerability Management: Vulnerability Scanning
Diagram labels: "Probe for Vulnerabilities" (from outside the Firewall and from inside the network); Web Server, Customers, Partners, File Servers, Branch Office, Database Servers, Groupware Servers, Modems, Wireless Device, Telecommuters

Slide 25: Detect Intruders
Diagram labels: Hacker, IDS, Web Server, Firewall, Customers, File Servers, Partners, Database Servers, Branch Office, Groupware Servers, Modems, Wireless Device, Telecommuters

Slide 26: Network and Host IDS Partnership
Phase 1: Discover & Map
• Automated scanning & probing
Phase 2: Penetrate Perimeter
• Denial of service
• Spoofing
• Protocol exploits
• Web application attack
Diagram labels: Internet, Network IDS
Phase 3: Attack/Control Resources
• Password attacks
• Privilege grabbing
• Theft
• Audit trail tampering
• Admin. changes
• Vandalism
• Trojan horses
Diagram label: Host IDS

Slide 27: VM and IDS Matrix
Symantec provides all important components to comprehensive security.
                           Host-Based                    Network-Based
Vulnerability Management   Enterprise Security Manager   Symantec NetRecon
Intrusion Detection        Intruder Alert                NetProwler

Slide 28: Enterprise Security Manager (ESM)
ESM is the worldwide leader in host-based Vulnerability Assessment with 68% market share according to IDC. ESM has also recently won Secure Computing Magazine's Academy Award for Best Security Management product.
• Comprehensive security "health check" of the enterprise from a central location
• Automatically discovers and reports vulnerabilities, including areas that do not comply with security policy
• Identifies systems that are at risk or non-compliant
• Consistent, automated, repeatable, on-demand mechanism
• Provides a baseline and measures by which to manage security
Credit: G. Mark Hardy

Slide 29: ESM: Manager/Agent Architecture
Diagram labels: GUI Code, Network Code, Manager, Code

Slide 30: ESM Scales to Virtually any Enterprise
Diagram labels: ESM Console, ESM Managers with Agents, ESM Agents

Slide 31: Symantec NetRecon
Symantec NetRecon, in conjunction with ESM, leads the Vulnerability Assessment space with 39% market share according to IDC. Secure Computing Magazine gave NetRecon a four-star overall rating, and recognized it as "capable of discovering more potential vulnerabilities than the competition in certain situations."
• Gain a hacker's-eye view of the network
• Vulnerability assessment with root cause analysis: leads you to the real problem, not the symptoms
• Unique path analysis illustrates the exact sequence of steps to uncover a vulnerability
• Progressive scanning technology uses information from part of the scan to search deeper for weaknesses
• Shares information like a Tiger Team
Credit: G. Mark Hardy

Slide 32: NetRecon with Progressive Scanning Technology
Holistic view of the network
• Searches deeper for network weaknesses
• Correlates vulnerabilities across systems to demonstrate how related vulnerabilities can lead to attack
• Shows how low- and medium-risk problems combine to make high-risk problems
• Uncovers vulnerabilities that other scanners don't find
• Enhanced performance provided by parallel objectives
• Runs faster by filtering out redundant risks

Slide 33: Key Features & Benefits
Progressive Scanning
• Scans the entire network as a whole, not each system in isolation from the others like other scanners
• Uses information found on one system to penetrate the other systems
Path Analysis
• Illustrates the exact sequence of steps taken to uncover a vulnerability
• Helps the security administrator pinpoint the root cause of the vulnerabilities
LiveUpdate™
• Incorporates Symantec's renowned LiveUpdate technology to deliver new vulnerability checks
Integrated Password Cracking
• Actually cracks encrypted passwords as it scans
Enterprise Support
• Is unique in that it also scans non-IP based networks, such as NetWare's IPX/SPX and NetBEUI protocols
• Is tightly integrated with ESM
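Slides 32 and 33 describe two related ideas: progressive scanning (information confirmed on one system feeds the checks run against the next) and path analysis (reporting the ordered chain of findings so that low- and medium-risk items that combine into a high-risk result are visible). The Python below is an added example written for this page to show the mechanics of that correlation; it is not NetRecon code and does not reproduce any vendor check. Each constructed finding is modelled as "facts it needs" and "fact it establishes"; forward chaining plays the progressive-scanning role, and walking the derivation back from a privileged fact produces the path. The finding ids, hosts, fact names and risk ratings are all constructed for the example.

```python
"""Correlating individual scan findings into chains, in the style of the slides'
progressive scanning and path analysis, over a constructed set of findings."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Finding:
    id: str
    host: str
    risk: str               # risk of the finding taken on its own
    description: str
    needs: FrozenSet[str]   # facts that must already hold before this finding is usable
    yields: str             # fact established once the finding is confirmed


RISK_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed findings. None is high-risk on its own; each one only adds a fact
# that later findings can build on. F6 never becomes reachable from "reach:web1".
FINDINGS = [
    Finding("F1", "web1", "low", "directory listing discloses user names",
            frozenset({"reach:web1"}), "info:web1:usernames"),
    Finding("F2", "web1", "medium", "password policy allows trivial passwords",
            frozenset({"info:web1:usernames"}), "account:web1:user"),
    Finding("F3", "web1", "low", "internal segment reachable from the web host",
            frozenset({"account:web1:user"}), "reach:db1"),
    Finding("F4", "db1", "medium", "same credentials accepted on the database host",
            frozenset({"account:web1:user", "reach:db1"}), "account:db1:user"),
    Finding("F5", "db1", "low", "world-writable startup script runs as administrator",
            frozenset({"account:db1:user"}), "account:db1:admin"),
    Finding("F6", "mail1", "low", "banner discloses software version",
            frozenset({"reach:mail1"}), "info:mail1:version"),
]


def correlate(findings: List[Finding], initial: Set[str]) -> Dict[str, Finding]:
    """Progressive scanning as forward chaining: keep applying findings whose
    preconditions are met, recording which finding established each new fact."""
    facts = set(initial)
    derived: Dict[str, Finding] = {}
    progressed = True
    while progressed:
        progressed = False
        for f in findings:
            if f.yields not in facts and f.needs <= facts:
                facts.add(f.yields)
                derived[f.yields] = f
                progressed = True
    return derived


def path_to(fact: str, derived: Dict[str, Finding],
            out: Optional[List[str]] = None) -> List[str]:
    """Path analysis: the ordered sequence of finding ids that led to a fact."""
    if out is None:
        out = []
    f = derived.get(fact)
    if f is None:            # an initial fact; nothing to explain
        return out
    for need in sorted(f.needs):
        path_to(need, derived, out)
    if f.id not in out:
        out.append(f.id)
    return out


def chain_risk(path: List[str], goal: str, by_id: Dict[str, Finding]) -> Tuple[str, str]:
    """(highest individual risk, combined risk): a chain that ends in administrative
    access is rated high even when every step in it is low or medium."""
    individual = max((by_id[i].risk for i in path), key=RISK_RANK.__getitem__)
    combined = "high" if goal.endswith(":admin") else individual
    return individual, combined


def report(findings: List[Finding], initial: Set[str]) -> Dict[str, dict]:
    """Every privileged fact reachable from the initial facts, with its path and risk."""
    derived = correlate(findings, initial)
    by_id = {f.id: f for f in findings}
    out: Dict[str, dict] = {}
    for goal in sorted(fact for fact in derived if fact.endswith(":admin")):
        path = path_to(goal, derived)
        individual, combined = chain_risk(path, goal, by_id)
        out[goal] = {"path": path, "max_individual_risk": individual, "combined_risk": combined}
    return out


if __name__ == "__main__":
    for goal, info in report(FINDINGS, {"reach:web1"}).items():
        print(goal, "via", " -> ".join(info["path"]),
              f"(worst single finding: {info['max_individual_risk']}, combined: {info['combined_risk']})")
```

Run on the constructed findings, the report shows administrative access on db1 reached through F1 to F5, where the worst individual rating is medium but the combined rating is high; F6 is left out because nothing establishes the fact it needs, which is the "filtering out redundant risks" side of the same correlation.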
Slide 34: Integrated Host- & Network-Based Security Assessment
• Security is an on-going process
• Assessment gives you a baseline from which to build
• Two approaches to vulnerability assessment
  • Host-based ("privileged access")
  • Network-based ("hacker's view")
• Each has its own benefits and limits
• Comprehensive vulnerability assessment includes a combination of both approaches
  • "…a combination of network- and host-based is critical. If you're doing just one or the other, you're missing half the elements." (InformationWeek, May 29, 2000)

Slide 35: ESM Application Security
• ESM leads the market in OS-level security, vulnerability assessment and policy compliance
• Now it is addressing mission-critical e-business components: Web Servers, Databases, Routers, Firewalls, Applications (ERP, CRM)
• Integrate both host-based and network-based assessment for comprehensive coverage

Slide 36: ESM Application Security Modules Architecture
Diagram labels: Application-level security (Applications, e-Mail Servers, Firewalls, Network Components, WAP Servers, NAV Servers, Web Servers, Databases) covered by NetRecon and the ESM Application Security Modules; Operating System security (Operating Systems); single integrated view

Slide 37: Implementation
Diagram labels: Current ESM Modules (ESM for AntiVirus, ESM for Web Servers, ESM for Oracle, NetRecon) over Operating Systems
• Uses the best of host-based and network-based technologies to provide complete assessment coverage

Slide 38: Symantec NetRecon 3.5 Integration
Benefits
• Displays NetRecon scan data in the ESM Console
• Provides a central view of both host-based and network-based assessment and vulnerability data
• Integrates NetRecon data into ESM reports
• ESM policies can launch NetRecon scans using ICE
• Provides trend analysis and other ESM features
Each release gets more integrated with ESM
• .NRD file (v2.0)
• CLI / ESM Console using ICE (v3.5)
• Vulnerability correlation (future)

Slide 39: ESM for Web Servers Features
• Network-based approach (hacker's view)
• Coverage of all major web servers and OSs
  • Web servers: Apache, Microsoft IIS, Netscape
  • OSs: NT, W2K, XP; Red Hat Linux; Unix (Solaris, AIX, HP-UX)
• Addresses the SANS / FBI Top 10 Internet Vulnerabilities
• Combination of ESM host OS agent + ESM for Web Servers = comprehensive coverage

Slide 40: ESM for Web Servers Policy
Screenshot (no extractable text)

Slide 41: Assessment Methodology
Diagram: services probed on the Web Server: Shell, Whois, Printer, FTP (20, 21), CGI / HTTP (80, 8080), POP3, Echo, Name, DNS, Netstat, Gateway, Login, SMTP

Slide 42: Best Practice Configuration
Install an ESM Agent on each web server for host-based checks
• Covers ~80% of vulnerabilities
• Ensures proper policy compliance
• OS patches module most critical
Install ESM for Web Servers on a separate NT workstation, preferably on the same segment as the web server(s)
• Covers ~20% of remaining vulnerabilities
ESM policy options
• One web server per policy for tight data correlation
• Multiple web servers per policy to assess a web server farm

Slide 43: ESM for Oracle Features
• First host-based database vulnerability assessment product on the market
• Integrates into ESM at the application level
• Supports Oracle versions 7.3.x – 8.0.6
• Supported host systems
  • Sun Solaris 2.4 – 2.6
  • IBM AIX 4.1 – 4.3.1 (RS/6000)
  • HP-UX 10.20 – 11.x
  • Digital Unix OSF1-AXP v4.0d
    • Oracle 7.3.4 only

Slide 44: ESM for Oracle Benefits
• Extends policy compliance and management to critical systems
• Assesses the database for known vulnerabilities
• Integrates database security into the enterprise policy management picture

Slide 45: Securing Oracle Instances
Diagram labels: DB Inst. 1, DB Inst. 2, DB Inst. 3; ESM Console; ESM Manager; ESM for Oracle Server (Unix); ESM Agent
Each Oracle instance may have different priority levels and different security vulnerabilities…

Slide 46: ESM for Oracle Database Checks
Coverage of key vulnerabilities associated with Oracle RDBMS
Eight Oracle RDBMS assessment groups:
• Access Group
• Accounts Group
• Auditing Group
• File Attributes Group
• Passwords Group
• Roles Group
• Startup Group
• Table Attributes Group
Each group contains multiple key vulnerability checks

Slide 47: ESM for NAV Servers Benefits
• Best Practice policies to secure Norton AntiVirus Corporate Edition servers
• Shows the synergy and value of Symantec and AXENT product integration
• Free to maintenance-paying ESM customers

Slide 48: ESM for NAV Servers Architecture
Diagram labels: ESM Enterprise Console; ESM Manager; NAV CE Server (ESM Agent, ESM for NAV Servers Best Practice Policy); Client PCs (ESM Agents)

Slide 49: Security Updates
SWAT Security Update Program
• What: a team of security professionals conducting research on vulnerabilities and delivering detection and countermeasure capabilities to IDvA products
• How: Security Updates are deployed via the web and LiveUpdate
• Frequency:
  • ESM Security Updates are released quarterly
  • NetRecon Security Updates are released monthly
  • In emergencies (DDoS, Trin00, etc.), updates are available within several hours
• Track Record (2000):
  • ESM Security Updates added 260 new checks
  • NetRecon Security Updates added 350 new checks
  • ESM for Web Servers added 246 new checks

Slide 50: Final Thoughts
• The SANS Top Ten list identified CGI vulnerabilities as the #2 issue
• Security analysts who conduct penetration studies indicate that 80% of break-ins occur because of:
  1) Out-of-date, unpatched systems and applications
  2) Easy-to-guess passwords
• "For cyber security, 47% of consumers would like enhanced Web site security measures, safeguards for credit card information and privacy policies." (USA Today Snapshots, Nov. 27, 2000)
• Follow best practices to achieve due care
• Implement a process to manage policy and incidents

Slide 51: Thank You
Harold Toomey
htoomey@symantec.com