By Ivan Arce, CTO, Core Security Technologies
Over the past 5 years the information security landscape has changed substantially. New technologies that seamlessly interconnect a wide range of network-able devices over IP protocol-based networks, the rapid adoption of wireless and peer-to-peer networking, the widespread use of web application development frameworks to provide web services and the increasing number of organizations using VoIP solutions for mission-critical communications depict a more complex and technologically dependent new world.
At the core of this interconnected world runs what is perhaps the ultimate human invention of the modern era: Software.
Software, as with any other human creation, is imperfect. This will not be a surprising revelation to the reader; yet it seems hard to accept that the modern world is founded on shaky, and possibly flawed, technology. Unfortunately a handful of the devastating information security incidents of the past years have forced us to come to grips with the reality of our flawed software creations.
The quest for flawless software is futile. Software will always be imperfect, and as information security practitioners, our job is to achieve reasonable security using imperfect tools. To better define what is reasonable security, we would benefit from understanding current and future security flaws of our software and the possible avenues of attack they provide. My premise is that to win the information security “chess game,” any strategy must encompass both the offense and defense viewpoints. With that in mind, let’s examine what proved to be the principal attack trend of the past year.
The weakest link
It is often said that a security infrastructure is only as strong as its weakest link. Today the end-user workstation is undoubtedly the weakest component of any network security infrastructure. Desktop computers provide direct - and often unmediated - access to the entire enterprise network for legitimate users. They comprise a live repository of a large number of software applications that have very diverse functionality and usually lax security controls.
Implementing and enforcing security at the desktop computer usually faces strong end-user resistance since users prioritize usability, functionality and performance over security. Users want to get their work done, but not necessarily in a secure fashion.
Endpoint security and client-side attacks
Attackers that don’t lack common sense, and who have the same basic motivation and ingenuity as any modern-day technologist, will rapidly spot the workstation as the obvious target for their deeds. Why bother trying to compromise tightly scrutinized backend or DMZ servers when one can go directly after workstations sitting at the internal edge of a protected network and then “own” the entire net?
While network devices and mission-critical servers are (hopefully) under the strict control and scrutiny of IT security staff, desktop computer security is ultimately in the hands of end users who are not necessarily security-conscious or even security-aware. A broad range of client applications needs to run on any workstation that seeks to be a productive tool for its users. The paradigmatic client applications, the web browser and the mail user agent, are good examples of rapidly growing attack targets for directed and undirected attacks. A cursory inspection of the list of recently disclosed vulnerabilities and known attacks will reveal that all popular email and web browser client applications had a substantial number of security flaws discovered in the past years:
A quick search on the CVE vulnerability database at Mitre (http://cve.mitre.org) reveals roughly 334 entries associated with Microsoft’s Internet Explorer since 1999, 102 entries associated with Mozilla’s web browsers, 92 entries for Microsoft’s Outlook and Outlook Express, and 18 for the Eudora mail client.
These do not stand alone in the group of attack-prone programs at the workstation. It is quite likely that these numbers are just the tip of a massive iceberg of vulnerable client applications that also include media player packages, instant messaging software, document viewers, file compression, encryption and format parsing component libraries, office productivity tools and a myriad of other applications.
Incidents related to client-side attacks that involve software flaws or social engineering tricks that induce users to execute malware delivered to their client applications are common and steadily rising. The proliferation of viruses, worms, spyware, bots and zombie agent software, rootkits and various other forms of malware indicates that today the information security chess game is being played at the workstation. Better workstation defenses are needed, but with the immense number of endpoint security options available it is not clear which ones to adopt.
The answer may come if we adopt the attacker’s point of view: What is the most troublesome defense technology for a determined attacker?
Code injection attacks still prevalent
Despite the ongoing efforts from OS vendors to deploy protection technology to prevent external (and potentially malicious) code from executing on vulnerable systems, code injection attacks are still the most prevalent threat in IT environments today. Code execution protection technology raised the technical bar for attackers and consequently triggered rapid evolution of exploitation techniques. This ongoing arms race could explain the emergence of attacks that rely on sophisticated ways to trigger the execution of malicious code once it has been injected into the target system, and the notable improvement of exploit payloads that are more reliable, have a smaller footprint, require their developers to have in-depth technical knowledge of the underlying operating system’s internals and are substantially less visible at the network layer. However, these more sophisticated techniques hardly represent a revolutionary advance in malicious code injection and execution methods: instead, they are an effective refinement of an attack methodology that has matured during the past 10 years since the emergence of the now classic shellcode for stack-based buffer overflow exploitation in the mid-90s. The prevalent attack paradigm has not changed, but the attacker’s technologies and techniques to implement it have evolved and matured as much as seemed necessary to cope with the increasingly difficult security mechanisms deployed in modern operating systems.
Modern attack tools have adopted common software engineering practices that improve code development, testing and maintenance by isolating attack functionality in re-usable components that can be easily “glued” together to achieve specific design goals.
Generic frameworks for command & control of compromised systems are publicly available to Internet users. These frameworks can be combined with one or many specific exploits for any recently disclosed vulnerability to build a customized and powerful ad-hoc exploitation tool. Furthermore, exploit code itself has adopted the form of several re-usable components that run in a bootstrapping sequence of code fragments until fully functional multi-purpose agents are loaded on compromised systems. Today it is clear that attackers and their attack technology are much more sophisticated than 10 years ago, and there are no signs that indicate the trend will not continue in the foreseeable future.
Therefore, endpoint security options that prevent malicious code injection and execution are still a plausible priority for the short and mid-term security strategy. Injection of malicious code into a workstation may take various forms, but the common vectors of attack are:
· “direct injection” – for example, by exploiting software flaws in OS components or workstation applications
· “assisted injection” – for example, by tricking the end-users or network systems into downloading the malicious code to the workstation or by injecting malicious code using legitimate access rights to the target system.
In view of the constant increase in the number of software bugs discovered in client applications and the, so far, unsuccessful attempts to prevent “assisted injection,” it is implausible to think that we will close all possible attack vectors for malicious code injection in the short term. Thus code injection prevention should be thought of as a mitigating, but incomplete, solution. OS hardening, diligent patching, reduction of the code-injection surface and – hopefully – early squashing of software bugs by OS and third-party application vendors will go a long way towards improving the overall security posture, but it is also reasonable to think that in the short term attackers will still be able to inject malicious code into the systems they target.
Thus preventing execution of malicious code that already resides on workstations (after it was injected by any possible means) should be a complementing part of any solution. Several ongoing efforts seek to solve this issue. Memory firewalls, data execution prevention (DEP) technology, process address space randomization, execution guards for stack and heap memory and application virtualization present a challenging landscape for attackers. However, they are still insufficient in the face of complex OS architectures that implement various forms of obscure inter-process communications and that enable developers to execute code using multiple and sometimes unexpected APIs. We should assume that although the security mechanisms that prevent malicious code execution will significantly raise the security bar for attackers, there will still be some available avenues for exploitation.
Therefore malicious code containment, that is, isolating and containing the effects of malicious code once it has already executed on the workstation, is the third required component of a multi-pronged strategy to enhance an organization’s security posture.
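The execution-prevention mechanisms named above (non-executable stacks, address space randomization) only help for binaries that were built to opt into them, so a defender's first check is whether a given program actually carries those markings. The following is an added example, not code from the article or from Core Security: a small checksec-style parser that reads only the ELF64 header and program headers of a Linux binary and reports whether the stack is marked non-executable (a PT_GNU_STACK header without PF_X), whether the image is position-independent (ET_DYN, which is what lets address space randomization relocate it) and whether a RELRO segment is present. The `build_elf` helper constructs minimal ELF images in memory so the script runs offline; passing a path on the command line inspects a real file instead. A shared library is also ET_DYN, so the "pie" result is only meaningful for executables.

```python
"""Report which code-execution mitigations an ELF64 binary was built with.

Added example (not from the original article). Reads only the ELF header and
program headers, which is enough to see three build-time mitigations:
  nx_stack : PT_GNU_STACK present and not executable (DEP/NX for the stack)
  pie      : e_type == ET_DYN, so ASLR can relocate the whole image
  relro    : PT_GNU_RELRO present (GOT/relocations made read-only after load)
"""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ELFDATA2LSB = 1
ET_EXEC = 2
ET_DYN = 3
EM_X86_64 = 62
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4

EHDR_FMT = "<16sHHIQQQIHHHHHH"  # ELF64 header, little-endian, 64 bytes
PHDR_FMT = "<IIQQQQQQ"          # ELF64 program header, 56 bytes


def check_elf(data: bytes) -> dict:
    """Return {'pie', 'nx_stack', 'relro'} for a little-endian ELF64 image."""
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("only 64-bit little-endian ELF is handled here")
    (_ident, e_type, _mach, _ver, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, *_rest) = struct.unpack_from(EHDR_FMT, data, 0)
    # With no PT_GNU_STACK header the kernel falls back to its legacy x86
    # default, an executable stack, so "absent" is reported as "no NX".
    nx_stack = False
    relro = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from("<II", data, off)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"pie": e_type == ET_DYN, "nx_stack": nx_stack, "relro": relro}


def build_elf(pie: bool, nx_stack: bool, relro: bool) -> bytes:
    """Construct a minimal ELF64 image (header + program headers) for testing.
    The image is not loadable; it only carries the headers check_elf inspects."""
    stack_flags = PF_R | PF_W | (0 if nx_stack else PF_X)
    phdrs = [struct.pack(PHDR_FMT, PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append(struct.pack(PHDR_FMT, PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1))
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0, 0]) + bytes(7)
    ehdr = struct.pack(EHDR_FMT, ident, ET_DYN if pie else ET_EXEC, EM_X86_64, 1,
                       0x1000, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(phdrs)


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as f:
            data = f.read()
    else:
        # Constructed sample: what a modern toolchain emits by default.
        data = build_elf(pie=True, nx_stack=True, relro=True)
    for name, enabled in check_elf(data).items():
        print(f"{name:9s} {'enabled' if enabled else 'MISSING'}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 checkelf.py /path/to/binary` to audit a workstation application; a "MISSING" line for `nx_stack` or `pie` means the OS-level mitigation the article describes cannot protect that process, whatever the system-wide setting says.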
Once executed on the target system, the malicious code will try to accomplish the attacker’s goal, that for which it was designed. If the proper security mechanisms exist to prevent achieving the desired goal, the motivation for targeted attacks diminishes. The rationale here is that, for an attacker, it is worthless to compromise systems that can’t be used to achieve his or her goals.
Limiting outbound connectivity to prevent the command & control capabilities of malware and forcing applications to exhibit “good behavior” by isolating and mediating their usage of system resources, coupled with code injection and execution prevention, could foil a substantial portion of today’s attacks.
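One concrete form of the outbound-connectivity limit above is an egress policy in which workstations may only reach a handful of mediating servers (proxy, mail relay, resolver), with everything else logged or blocked. The following is an added example, not code from the article or from Core Security, and it goes a step beyond the text: besides flagging workstation connections that fall outside such a policy, it groups the violations per flow and reports those that recur at a near-constant interval, the regular check-in rhythm of a command & control client. The network (10.20.0.0/16 for workstations, 10.1.0.x for the mediating servers), the log format and all addresses are constructed for the demo.

```python
"""Flag workstation egress that bypasses the mediated paths an egress policy allows.

Added example, not from the original article. Assumes a hypothetical network in
which workstations (10.20.0.0/16) may only talk directly to the web proxy, the
mail relay and the internal resolver. Other outbound connections from a
workstation are policy violations; violations recurring at a regular interval
are reported as beacon candidates. Log lines and addresses are constructed.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Hypothetical egress policy: the only (destination, port) pairs a workstation
# may reach directly. Everything else must go through a mediating server.
WORKSTATION_NET = ipaddress.ip_network("10.20.0.0/16")
ALLOWED_EGRESS = {
    ("10.1.0.10", 3128),  # HTTP/HTTPS only via the proxy
    ("10.1.0.25", 25),    # mail only via the relay
    ("10.1.0.53", 53),    # DNS only via the internal resolver
}

# Constructed firewall log: "<timestamp> <action> <proto> <src> -> <dst>".
SAMPLE_LOG = """\
2005-12-01T09:00:01 ALLOW TCP 10.20.4.17:51022 -> 10.1.0.10:3128
2005-12-01T09:00:05 ALLOW UDP 10.20.4.17:52511 -> 10.1.0.53:53
2005-12-01T09:00:09 ALLOW TCP 10.20.4.17:51023 -> 198.51.100.7:6667
2005-12-01T09:02:00 ALLOW TCP 10.20.9.3:40010 -> 203.0.113.5:443
2005-12-01T09:03:00 ALLOW TCP 10.1.0.10:33000 -> 203.0.113.5:443
2005-12-01T09:05:09 ALLOW TCP 10.20.4.17:51030 -> 198.51.100.7:6667
2005-12-01T09:10:09 ALLOW TCP 10.20.4.17:51041 -> 198.51.100.7:6667
"""


def parse_line(line):
    """Split one log line into a dict; returns None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 6 or parts[4] != "->":
        return None
    src_ip, _src_port = parts[3].rsplit(":", 1)
    dst_ip, dst_port = parts[5].rsplit(":", 1)
    return {
        "ts": datetime.fromisoformat(parts[0]),
        "proto": parts[2],
        "src": src_ip,
        "dst": dst_ip,
        "dport": int(dst_port),
    }


def policy_violations(log_text):
    """Connections from workstation addresses that are not in ALLOWED_EGRESS."""
    found = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Servers (the proxy itself, for instance) are outside this policy.
        if ipaddress.ip_address(rec["src"]) not in WORKSTATION_NET:
            continue
        if (rec["dst"], rec["dport"]) not in ALLOWED_EGRESS:
            found.append(rec)
    return found


def beacon_candidates(violations, min_hits=3, jitter_s=5.0):
    """Group violations by (src, dst, dport) and report groups whose
    inter-arrival times all lie within jitter_s of each other.
    Returns a list of ((src, dst, dport), mean_interval_seconds)."""
    by_flow = defaultdict(list)
    for rec in violations:
        by_flow[(rec["src"], rec["dst"], rec["dport"])].append(rec["ts"])
    result = []
    for flow, stamps in by_flow.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= jitter_s:
            result.append((flow, sum(gaps) / len(gaps)))
    return result


if __name__ == "__main__":
    bad = policy_violations(SAMPLE_LOG)
    for rec in bad:
        print(f"{rec['ts']} egress outside policy: "
              f"{rec['src']} -> {rec['dst']}:{rec['dport']}")
    for (src, dst, dport), interval in beacon_candidates(bad):
        print(f"beacon candidate: {src} -> {dst}:{dport} every {interval:.0f}s")
```

On the constructed log the single direct 443 connection from 10.20.9.3 is reported as a policy violation (it bypassed the proxy) but not as a beacon, while the three evenly spaced connections from 10.20.4.17 to port 6667 are reported as both. The interval check is deliberately simple; production tooling would also tolerate missed check-ins and randomized jitter, but the point stands that an enforced egress policy makes such traffic visible at all.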
The workstation may be the weakest link in the security infrastructure but, unfortunately, it is not the only weak link, so let’s move on and look at other concerning threats.
New attack vectors
The deployment of modern networking technologies such as WiFi and Bluetooth, as well as the general adoption of many network-able devices that use them, such as PDAs, cellular phones, MP3 players, wireless access points and SOHO router/switches, set-top boxes and gaming consoles to mention just a few, has opened new avenues for attacks.
In addition to servers and desktop computers, the traditional scope of concern for information security practitioners needs to expand and include these devices and their networking capabilities. To make things worse, the underlying security flaws in base protocols and their specific implementations in the new network-able gadgets are no doubt less known and less mature than those of servers and workstations.
These new vectors will not pass unnoticed from the attacker’s viewpoint, as evidenced by recent research results and some known incidents. Passive and active attacks through Bluetooth and 802.11 wireless networks, arbitrary code execution on the embedded operating systems run by SOHO routers and switches, exploitation of operating system software using Firewire and USB ports, malware that runs on PDAs and cellular phones and malicious code injection and execution on printers are no longer theoretical threats and are quite likely to become a growing threat in the near future.
It is highly risky to assume without solid justification that all these new gadgets are inherently more secure or less threatening than networked servers and workstations, which are usually thought of as the typical source of attacks. Security mechanisms and plausible work-around actions for these new attack vectors are still in an embryonic stage, so keep an eye on the attack and defense moves in this field.
Where do we go from here?
Workstation security woes and the plausible threat of new gadgets connected to our networks are examples of a clear and present danger to network security infrastructure. But they also hint at problems that could permeate to components of even more critical infrastructures that provide the technological fabric of our modern societies.
The impulsive adoption of critical infrastructure technologies reliant on ubiquitous devices that run feature-rich software with networking components on embedded operating systems that may not be ready for security prime time could be like consciously seeding a fertile field and wishing not to harvest serious security nightmares within a few years.
A quick look at ongoing IT initiatives in many organizations will reveal that Voice over IP (VoIP) and Supervisory Control and Data Acquisition (SCADA) systems are likely targets for strict security scrutiny.
Watch them like a hawk! It may not be too late to build in strong security instead of having no option but to smear feeble security solutions all over it in the near future.
Related Link: Peltier Associates, http://www.peltierassociates.com/december2005.pdf
_________________
Ivan Arce is the Chief Technology Officer of Core Security. He has three patents to his credit, also writes for numerous technical publications, speaks frequently at industry events and is commonly quoted in industry publications. He also currently serves as the Associate Editor of the IEEE Security & Privacy Magazine and as Project Advisor to the Open Web Application Testing Project.