Proactive security latest: vendors wire the cage but has the budgie flown….

Philip Hunter

Network Security, April 2005

Proactive security sounds at first sight like just another marketing gimmick to persuade customers to sign up for yet another false dawn. After all, proactivity is surely just good practice: protecting in advance against threats that are known about, like bolting your back door just in case the burglar comes. To some, proactive security is indeed just a rallying call, urging IT managers to protect against known threats and avoid easily identifiable vulnerabilities. All too often, for example, desktops are not properly monitored, allowing users to unwittingly expose internal networks to threats such as spyware. Similarly, remote execution can be made the exception rather than the default, making it harder for hackers to co-opt internal servers for their nefarious ends.

Vendor bandwagon

Nevertheless the vendors do seem to have decided that proactive security is one of the big ideas for 2005, and there is some substance behind the hype. Cisco for example came out with a product blitz in February 2005 under the banner of Adaptive Threat Defence. IBM meanwhile has been promoting proactive security at the lower level of cryptography and digital signatures, while Microsoft has been working with a company called PreEmptive Solutions to make its code harder for hackers to reverse engineer from the compiled version. The dedicated IT security vendors have also been at it. Internet Security Systems has been boasting of how its customers have benefited from its pre-emptive protection anticipating threats before they happen. And Symantec has brought to market the so-called digital immune system developed in a joint project with IBM.

Unreactive

These various products and strategies might appear disjointed when taken together, but they have in common the necessary objective of moving beyond reaction, which is no longer tenable in the modern security climate. The crucial question is whether these initiatives really deliver what enterprises need, which is affordable pre-emptive protection. If the solutions extract too great a toll on internal resources through the need for continual reconfiguration and endless analysis of reports containing too many false positives, then they are unworkable. Proactive security has to be as far as possible automatic.

On this count some progress has been made, but there is still a heavy onus on enterprises to actually implement proactive security. Some of this is inevitable, for no enterprise can make its network secure without implementing some good housekeeping measures. The products can only deliver if they are part of a coherent strategy involving analysis of internal vulnerabilities against external threats.

Indeed this is an important first step towards identifying which products are relevant. For example the decline in perimeter security as provided by firewalls has created new internal targets for hackers, notably PCs, but also servers that can be co-opted as staging posts for attacks. There is also the risk of an enterprise finding its servers or PCs exploited for illegal activities such as peer-to-peer transfer of software, music or even video, without its knowledge. Identifying such threats and putting appropriate monitoring tools in place is an important first step along the pre-emptive path.

Stop the exploitation

However some of the efforts being made will benefit everybody and come automatically with emerging releases of software. Microsoft's work with PreEmptive Solutions springs to mind here, as the technology concerned is included with Visual Studio 2005. This technology, called Dotfuscator Community Edition, is designed to make the task of reconstituting source code from the compiled object code practically impossible, so that hackers are unlikely to try. Of course the risk then becomes one of the source code itself being stolen, but that is another matter.

Sharing private keys

The principle of ducking and weaving to evade hackers can also be extended to cryptography. The public key system is widely used both to encrypt session keys and also for digital signatures. The latter has become a target for financial fraudsters because if they steal


someone's private key they can write that person's digital signature, thereby effecting identity theft. But here too risks can be greatly reduced through pro-activity. An idea being developed by IBM involves distributing private keys among a number of computers rather than just one. Then the secret key can only be invoked, whether for a digital signature or to decrypt a message, with the participation of a number of computers. This makes it harder to steal the key because all the computers involved have to be compromised rather than just one. In practice it is likely that at least one of the computers will be secure at any one time – at least such is the theory. This development comes at a time of increasing online fraud and mounting concerns over the security of digital signatures.
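The following is an added illustration of the idea described above, not code from IBM or from the article, and the article does not describe IBM's actual scheme. It uses the simplest construction that has the stated property: a textbook RSA private exponent d is split additively among n servers, each server raises the message to its own share, and the partial results are multiplied together. The full private key is never assembled anywhere, and the product of fewer than n partial signatures does not verify. The key is a constructed toy (the 61 x 53 example); a real key is thousands of bits, and the message m is assumed to be a hash reduced modulo N and coprime to it.

```python
import secrets

# Constructed toy RSA key (textbook example); real keys are thousands of bits.
P, Q = 61, 53
N = P * Q                 # public modulus, 3233
PHI = (P - 1) * (Q - 1)   # 3120
E = 17                    # public exponent
D = pow(E, -1, PHI)       # private exponent, 2753


def split_private_key(d, n_servers, phi=PHI, rng=None):
    """Additively share d: d_1 + ... + d_n == d (mod phi).

    No server holds d itself, and any n-1 shares are uniformly random,
    so stealing all but one of them reveals nothing about d.
    """
    rng = rng or secrets.SystemRandom()
    shares = [rng.randrange(phi) for _ in range(n_servers - 1)]
    shares.append((d - sum(shares)) % phi)
    return shares


def partial_sign(m, d_i, n=N):
    """Each server signs the message using only its own share."""
    return pow(m, d_i, n)


def combine(partials, n=N):
    """Multiply partial signatures: prod m^d_i == m^(sum d_i) == m^d (mod N),
    because m^phi == 1 (mod N) whenever gcd(m, N) == 1."""
    s = 1
    for p in partials:
        s = s * p % n
    return s


def threshold_sign(m, shares):
    """Signature produced jointly by every share holder; d is never reassembled."""
    return combine(partial_sign(m, d_i) for d_i in shares)


def verify(m, s, e=E, n=N):
    """Ordinary RSA verification with the public key; unchanged by the sharing."""
    return pow(s, e, n) == m


if __name__ == "__main__":
    m = 65  # constructed message digest, reduced mod N and coprime to it
    shares = split_private_key(D, 3)
    s = threshold_sign(m, shares)
    print("all 3 servers:   verifies =", verify(m, s))
    # An attacker who compromised only two of the three machines gets this:
    stolen = combine(partial_sign(m, d_i) for d_i in shares[:2])
    print("2 of 3 servers:  verifies =", verify(m, stolen))
```

Each server runs `partial_sign` on its own share and returns only the result, so the defender's checkpoint is the combiner: a signature that fails `verify` tells it that at least one participant was missing or misbehaving.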

Buglife

There is also scope for being proactive when it comes to known bugs or vulnerabilities in software. One of the most celebrated examples came in July 2002 when Microsoft reported a vulnerability in its SQL Server 2000 Resolution Service, designed to allow multiple databases to run on a single machine. There was the potential to launch a buffer overflow attack, in which a hacker invokes execution of code such as a worm by overwriting legitimate pointers within an application. This can be prevented by code that prohibits any such overwriting, but Microsoft had neglected to do so within Resolution Service. However Microsoft did spot the vulnerability and reported it in July 2002. One security vendor, Internet Security Systems, was quick off the mark, and in September 2002 distributed an update that provided protection. Then in January 2003 came the infamous Slammer Worm exploiting this loophole, breaking new ground through its rapid propagation, doubling the infected population every 9 seconds at its height. The case highlighted the potential for pre-emptive action, but also the scale of the task in distributing the protection throughout the Internet.

Open disclosure

Another problem is that some software vendors fail to disclose vulnerabilities when they do occur, through fear of adverse publicity. This leads to delay in identifying the risks, making it even harder to be proactive. It makes sense therefore for enterprises to buy software, where possible, only from vendors that practise an open disclosure policy. Many such disclosures can be found on the BUGTRAQ mailing list, but a number of vendors, and in some cases even suppliers of free software when there would seem nothing to gain by it, hide issues from their users. There is however a counter argument in that public dissemination of vulnerabilities actually helps and encourages potential hackers. But there is the feeling now that in general the benefits of full disclosure outweigh the risks.

Patch it

Be that as it may, the greatest challenge for proactive security lies in responding and distributing patches or updates to plug vulnerabilities within ever decreasing time windows. As we just saw, the Slammer worm took six months to arrive, and the same was true for Nimda. This left plenty of time to create patches and warn the public, which did reduce the impact. But the window has since shortened significantly – a study by Qualys, which provides on-demand vulnerability management solutions, reported in July 2004 that 80% of exploits were enacted within 60 days of a vulnerability's announcement. In some cases now it takes just a week or two, so the processes of developing and distributing patches need to be speeded up. Ideally service providers should implement or distribute such protection automatically.

Conclusion

Proactive security also needs to be flexible, adapting to the changing threat landscape. A good example is the case of two-factor security, in which static passwords are reinforced by tokens generating dynamic keys on the fly. This has been the gold standard for controlling internal access to computer systems within the finance sector for well over a decade, but recently there have been moves to extend it to consumer Internet banking. But some experts reckon this is a waste of money because it fails to address the different threats posed by Internet fraudsters. These include man-in-the-middle attacks which capture the one-time key as well as the static passwords and replay both to the online bank. So it may be that while two-factor security will reduce fraud through guessing or stealing static passwords, the cost of implementing it across a customer base will outweigh the benefits, given that vulnerabilities remain. But nobody is suggesting that proactive security avoids hard decisions balancing solutions against threats and cost of implementation.
