Software Vulnerability Control
A software vulnerability is some defect (commonly called a "bug") in software which may allow a third party or program to gain unauthorized access to some resource. Software vulnerability control is one of the most important parts of computer and network security for the following reasons.
- Virus programs use vulnerabilities in operating system and application software to gain unauthorized access, spread, and do damage.
- Intruders use vulnerabilities in operating system and application software to gain unauthorized access, attack other systems, and do damage.
- Some software itself may be hostile.
If software vulnerabilities did not exist, I believe that viruses would not exist and gaining any unauthorized access to resources would be very difficult indeed. The primary tools for unauthorized access would then become:
- Trojan horse programs (described below)
- Network sniffing.
- Password cracking through network sniffing.
- Man in the middle attacks.
Most unauthorized access would then most likely be done by employees of the organization or the unauthorized access would be due to very sloppy firewall administration or user error.
There are several countermeasures that may help ensure that unauthorized and possibly hostile virus or trojan software does not run on your systems. These countermeasures also limit the scope of the vulnerability. Countermeasures include:
- Run virus scan software on every organizational computer and update the virus scan database at least twice per week. Perform a full scan at least once per week.
- Keep software security patches updated - Get on computer security advisory mailing lists and update applicable software. With some systems such as Windows systems you can set up a server to automatically update systems on your network. One way to do this in Windows 2000 systems and above is to use a systems update server (SUS) and set your Windows domain policies to have all computers regularly updated with approved updates as they are released by Microsoft.
- Only allow approved software to be run on your computer systems so hostile trojan programs are not run. This may involve locking your users down so they cannot install software on their computer systems.
- Limit services on all servers and workstations to the minimum required. Be sure the network administrator is aware of all operating services especially on all servers.
- Run vulnerability scanners both inside and outside your network to find computers with vulnerabilities so you will know which ones need to be patched. The cost of this should be weighed against the security need.
Running Virus Scan Software
Virus scan software should be run on every computer within the organization. If the virus scan software is set up correctly, it will detect known viruses when they attempt to infiltrate the system. Keep in mind, however, that virus scan software will only detect viruses in its database, so there are two concerns:
- Unknown viruses will not be stopped by the scanner - This is why patching applications is very important. Patching applications will help eliminate the vulnerabilities that virus programs will exploit.
- The virus database must be updated at least weekly so that as new viruses are discovered, they will be found by your virus scanner programs. These updates may be downloaded from the maker of the virus scan software. They are normally executable files which update the database on the client computers. The executable file can be placed in the user's network login script program so it will run when they boot their system. In some cases it may be best to test the virus update before running it on the entire system.
To be most effective, virus scanner programs should be set up to do the following:
- Perform regular weekly or monthly scans of the entire computer system's local drives.
- Scan all files when a scan is performed and don't allow any exclusions of any directories such as the recycle bin.
- Be sure to prompt for user action when a virus is found. This way the user is more likely to be aware of where the virus came from and they can call your IT staff.
- Set the system to scan files when a file is run, copied, renamed or created.
- Set up e-mail scanning to scan e-mail attachments. This can also be done at the firewall, but should be done at least either at the firewall or on all client computers. Scanning at both locations may be a good idea if it is feasible.
- You may also want to scan web content for hostile content either at the firewall or client computer depending on your setup. You should know that scanning for hostile e-mail or web content on the firewall may overburden your firewall. Many firewall organizations recommend that the scanning be done on a separate computer. How this is done will depend on your situation, but you should at least determine the process load on the firewall before adding this capability.
All virus incidents should be logged for future reference.
Update Software Security Patches
This process involves several steps which include:
- Know your software configuration on all systems. This can be most easily done with a database with information about all computers and software in the organization. The following information is required to have the ability to update software with security patches:
  - What each computer is used for.
  - The version of the operating system and the maker of the operating system.
  - The last update to the operating system.
  - The maker and version of all applications run on the system.
  - The last update to each application.
  - A list of or knowledge of services running on each system. A service is performed by a particular program on the system. An example is a service that allows network logons to the system.
  - A list of, or knowledge of network ports on each computer system that may be active and any associated service. A network port is a number which is used for networking to direct a network transmission to a particular program to be processed.
- Get on computer security advisory mailing lists and update applicable software. Some of the websites associated with these lists can be found in the "websites" area of the security section of the Computer Technology Documentation Project.
- Evaluate security advisory bulletins - When security advisories come in, they will mention security vulnerabilities in operating systems or application software. Many of these vulnerabilities may be associated with web browser programs or Microsoft operating systems or applications. Sometimes the vulnerability is associated with a service on a platform such as Unix or Linux. The administrator must evaluate whether your organization is using this software and whether the vulnerability is a security risk to your organization. The steps at this point should be similar to:
  - The administrator determines whether there is risk.
  - The administrator should determine the amount of risk and possible damage. This may be presented to management. If management is involved in this decision process, some methodology must be worked out between the administrator and management which allows the risk to be categorized. This will allow more sound decision making. In order for the network to be secure, the decision to apply the patch cannot be left strictly to non-technical management.
  - If necessary the administrator and management will decide whether to apply the patch.
  - If the security vulnerability is a threat, the patch should be applied as soon as possible.
This is not an endorsement of Microsoft or Windows 2000, but as a certified engineer, I am aware that making patches to applications is much simpler when running a Windows 2000 network. Patches may be applied on the server and the updates can be loaded the next time users boot or use the applications. This can save a vast amount of time for systems administrators allowing them to concentrate on their jobs more fully.
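The inventory and advisory evaluation steps above can be automated once the inventory is kept as structured data. The following is an added example, not part of the original page: it matches one advisory against a small inventory and ranks hosts by whether the vulnerable service is actually running. The product names, versions, host names and the two-level risk category are constructed assumptions.

```python
from dataclasses import dataclass, field

def vtuple(version):
    """Turn '2.4.9' into (2, 4, 9) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))

@dataclass
class Host:
    name: str
    purpose: str
    software: dict                                 # product -> installed version
    services: dict = field(default_factory=dict)   # service name -> listening port

@dataclass
class Advisory:
    product: str
    fixed_in: str        # first version that contains the fix
    service: str = ""    # service that exposes the flaw, if the advisory names one

def evaluate(advisory, inventory):
    """Return (host, installed version, risk) for every host that needs the patch."""
    findings = []
    for host in inventory:
        installed = host.software.get(advisory.product)
        if installed is None or vtuple(installed) >= vtuple(advisory.fixed_in):
            continue     # product not installed, or already at a fixed version
        # Assumed risk rule: "high" when the vulnerable service is running.
        exposed = not advisory.service or advisory.service in host.services
        findings.append((host.name, installed, "high" if exposed else "low"))
    # High-risk hosts first, then alphabetical, so patching order is obvious.
    return sorted(findings, key=lambda f: (f[2] != "high", f[0]))

# Constructed sample inventory and advisory (hypothetical products and hosts).
INVENTORY = [
    Host("web01", "public web server", {"examplehttpd": "2.4.1"}, {"examplehttpd": 80}),
    Host("file01", "file server", {"examplehttpd": "2.4.1"}, {"smb": 445}),
    Host("web02", "intranet web server", {"examplehttpd": "2.4.9"}, {"examplehttpd": 80}),
    Host("ws17", "workstation", {"exampleoffice": "10.0.3"}),
]
ADVISORY = Advisory(product="examplehttpd", fixed_in="2.4.9", service="examplehttpd")

if __name__ == "__main__":
    for name, version, risk in evaluate(ADVISORY, INVENTORY):
        print(f"{name}: {ADVISORY.product} {version} < {ADVISORY.fixed_in}, risk={risk}")
```

Here file01 still needs the patch because the vulnerable product is installed, but it ranks lower because the service is not running there.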
Only approved software should be operated on the organization's network. This is so hostile programs cannot gain access to the network. Hostile programs may be written with some useful functionality, but may perform a hidden task that the user is not aware of. This type of hostile program is normally called a "Trojan Horse". The ways to help determine whether a program is hostile may include:
- Does the program come from a reliable source?
- Is there proof that the program came from the source such as a digital signature?
- If the source code is available for the program, the code may be checked to be sure there is no hostile content.
- A reliable third party may be able to check out the software and certify that it is safe.
- Does the creator of the program attempt to hide their identity? If the creator of the program attempts to hide their identity then there may be reason for suspicion. If the program creator does not hide their identity and can be reached, it is less likely that the program is a hostile program.
- Has this program been run by other people or organizations for some period of time with no adverse consequences?
Some of the above issues are not proof that a program is safe, but are merely indicators. As mentioned earlier, computer security is not an exact science and it is a matter of reducing the chance of an intrusion. Probably the best method of being sure of the reliability of a program is to allow a reliable third party to check the program. I believe it is likely that these kinds of services may become more popular in the future. Program writers may even send source code to these service providers for certification with source code covered by a nondisclosure agreement.
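Once a program has been approved, the approval has to be tied to the program's content, not its file name. The following is an added example, not part of the original page: it audits a directory against an approved list of SHA-256 digests. The file names and contents are constructed, and keeping the approved list as a set of digests is an assumption.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large executables are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def audit(root, approved):
    """Return sorted relative paths under root whose SHA-256 is not in approved."""
    unapproved = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if sha256_file(path) not in approved:
                unapproved.append(os.path.relpath(path, root))
    return sorted(unapproved)

def demo():
    """Build a constructed software directory and audit it against an approved list."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "editor.exe": b"approved editor build 1.0",
            "renamed.exe": b"approved editor build 1.0",          # approved content, new name
            "payroll.exe": b"payroll build 3.2 plus extra code",  # approved name, changed content
            "game.exe": b"never reviewed",
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        # Digests recorded when each program was reviewed and approved.
        approved = {
            hashlib.sha256(b"approved editor build 1.0").hexdigest(),
            hashlib.sha256(b"payroll build 3.2").hexdigest(),
        }
        return audit(root, approved)

if __name__ == "__main__":
    for path in demo():
        print("not approved:", path)
```

The modified payroll.exe is flagged even though its name is on the approved list, while the renamed copy of the editor passes because its content is unchanged.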