Vulnerability (computing) (794218), page 2
One of the key concepts of information security is the principle of defence in depth, i.e. setting up a multilayer defence system that can:
- prevent the exploit
- detect and intercept the attack
- find out the threat agents and prosecute them
An intrusion detection system is an example of a class of systems used to detect attacks.
Physical security is a set of measures to protect the information asset physically: if somebody can get physical access to the information asset, it is quite easy to make resources unavailable to their legitimate users.
Several sets of criteria that a computer, its operating system and its applications must satisfy in order to reach a given security level have been developed: ITSEC and the Common Criteria are two examples.
Vulnerability disclosure
Responsible disclosure of vulnerabilities is a topic of great debate. As reported by The Tech Herald in August 2010, "Google, Microsoft, TippingPoint, and Rapid7 have recently issued guidelines and statements addressing how they will deal with disclosure going forward."[26]
A responsible disclosure first alerts the affected vendors confidentially before alerting CERT two weeks later, which grants the vendors another 45 day grace period before publishing a security advisory.
Full disclosure is done when all the details of the vulnerability are publicized, perhaps with the intent of putting pressure on the software or procedure authors to find a fix urgently.
Well respected authors have published books on vulnerabilities and how to exploit them: Hacking: The Art of Exploitation Second Edition is a good example.
Security researchers catering to the needs of the cyberwarfare or cybercrime industry have stated that this approach does not provide them with adequate income for their efforts.[27] Instead, they offer their exploits privately to enable Zero day attacks.
The never-ending effort to find new vulnerabilities and to fix them is called Computer insecurity.
Vulnerability inventory
Mitre Corporation maintains a list of disclosed vulnerabilities in a system called Common Vulnerabilities and Exposures, where vulnerabilities are classified (scored) using the Common Vulnerability Scoring System (CVSS).
OWASP collects a list of potential vulnerabilities in order to prevent system designers and programmers from inserting vulnerabilities into the software.[28]
Vulnerability disclosure date
The time of disclosure of a vulnerability is defined differently in the security community and industry. It is most commonly referred to as "a kind of public disclosure of security information by a certain party". Usually, vulnerability information is discussed on a mailing list or published on a security web site and results in a security advisory afterward.
The time of disclosure is the first date a security vulnerability is described on a channel where the disclosed information on the vulnerability fulfills the following requirements:
- The information is freely available to the public
- The vulnerability information is published by a trusted and independent channel/source
- The vulnerability has undergone analysis by experts such that risk rating information is included upon disclosure
Identifying and removing vulnerabilities
Many software tools exist that can aid in the discovery (and sometimes removal) of vulnerabilities in a computer system. Though these tools can provide an auditor with a good overview of the possible vulnerabilities present, they cannot replace human judgment. Relying solely on scanners will yield false positives and a limited-scope view of the problems present in the system.
Vulnerabilities have been found in every major operating system[citation needed] including Windows, Mac OS, various forms of Unix and Linux, OpenVMS, and others. The only way to reduce the chance of a vulnerability being used against a system is through constant vigilance, including careful system maintenance (e.g. applying software patches), best practices in deployment (e.g. the use of firewalls and access controls) and auditing (both during development and throughout the deployment lifecycle).
Examples of vulnerabilities
Vulnerabilities are related to:
- physical environment of the system
- the personnel
- management
- administration procedures and security measures within the organization
- business operation and service delivery
- hardware
- software
- communication equipment and facilities
- and their combinations.
It is evident that a purely technical approach cannot even protect physical assets: you need administrative procedures that let maintenance personnel enter the facilities, and people with adequate knowledge of those procedures who are motivated to follow them with proper care. See Social engineering (security).
Four examples of vulnerability exploits:
- an attacker finds and uses an overflow weakness to install malware to export sensitive data;
- an attacker convinces a user to open an email message with attached malware;
- an insider copies a hardened, encrypted program onto a thumb drive and cracks it at home;
- a flood damages your computer systems installed on the ground floor.
Software vulnerabilities
Common types of software flaws that lead to vulnerabilities include:
- Memory safety violations, such as:
  - Buffer overflows
  - Dangling pointers
- Input validation errors, such as:
  - Format string attacks
  - SQL injection
  - Code injection
  - E-mail injection
  - Directory traversal
  - Cross-site scripting in web applications
  - HTTP header injection
  - HTTP response splitting
- Race conditions, such as:
  - Time-of-check-to-time-of-use bugs
  - Symlink races
- Privilege-confusion bugs, such as:
  - Cross-site request forgery in web applications
  - Clickjacking
  - FTP bounce attack
- Privilege escalation
- User interface failures, such as:
  - Warning fatigue [2] or user conditioning [3]
  - Blaming the victim: prompting a user to make a security decision without giving the user enough information to answer it [4]
  - Race conditions [5] [6]
Several sets of coding guidelines have been developed, and a large number of static code analysers are used to verify that code follows them.
See also
- Browser security
- Computer emergency response team
- Information security
- Internet security
- Mobile security
- Vulnerability scanner
References
- [1] "The Three Tenets of Cyber Security". U.S. Air Force Software Protection Initiative. Retrieved 2009-12-15.
- [2] Foreman, P.: Vulnerability Management, page 1. Taylor & Francis Group, 2010. ISBN 978-1-4398-0150-5
- [3] ISO/IEC, "Information technology -- Security techniques -- Information security risk management" ISO/IEC FIDIS 27005:2008
- [4] British Standards Institution, Information technology -- Security techniques -- Management of information and communications technology security -- Part 1: Concepts and models for information and communications technology security management. BS ISO/IEC 13335-1:2004
- [5] Internet Engineering Task Force, RFC 2828, Internet Security Glossary
- [6] CNSS Instruction No. 4009, dated 26 April 2010
- [7] A wiki project devoted to FISMA
- [8] FISMApedia, Vulnerability term
- [9] NIST SP 800-30, Risk Management Guide for Information Technology Systems
- [10] Risk Management Glossary, Vulnerability
- [11] Technical Standard Risk Taxonomy, ISBN 1-931624-77-1, Document Number C081, published by The Open Group, January 2009
- [12] "An Introduction to Factor Analysis of Information Risk (FAIR)", Risk Management Insight LLC, November 2006
- [13] Matt Bishop and Dave Bailey. A Critical Analysis of Vulnerability Taxonomies. Technical Report CSE-96-11, Department of Computer Science, University of California at Davis, September 1996
- [14] Schou, Corey (1996). Handbook of INFOSEC Terms, Version 2.0. CD-ROM (Idaho State University & Information Systems Security Organization)
- [15] NIATEC Glossary
- [16] Wright, Joe; Harmening, Jim (2009). Chapter 15, Computer and Information Security Handbook. Morgan Kaufmann Publications, Elsevier Inc., p. 257. ISBN 978-0-12-374354-1
- [17] ISACA, The Risk IT Framework (registration required)
- [18] Kakareka, Almantas (2009). Chapter 23, Computer and Information Security Handbook. Morgan Kaufmann Publications, Elsevier Inc., p. 393. ISBN 978-0-12-374354-1
- [19] Ivan Krsul. Technical Report CSD-TR-97-026, The COAST Laboratory, Department of Computer Sciences, Purdue University, April 15, 1997
- [20] The Web Application Security Consortium Project, Web Application Security Statistics 2009
- [21] Ross Anderson. Why Cryptosystems Fail. Technical report, University Computer Laboratory, Cambridge, January 1994
- [22] Neil Schlager. When Technology Fails: Significant Technological Disasters, Accidents, and Failures of the Twentieth Century. Gale Research Inc., 1994
- [23] Hacking: The Art of Exploitation, Second Edition
- [24] Kiountouzis, E. A.; Kokolakis, S. A. Information Systems Security: Facing the Information Society of the 21st Century. London: Chapman & Hall, Ltd. ISBN 0-412-78120-4
- [25] Bavisi, Sanjay (2009). Chapter 22, Computer and Information Security Handbook. Morgan Kaufmann Publications, Elsevier Inc., p. 375. ISBN 978-0-12-374354-1
- [26] The Tech Herald: The new era of vulnerability disclosure, a brief chat with HD Moore
- [27] Blog post about DLL hijacking vulnerability disclosure
- [28] OWASP vulnerability categorization
External links
- Security advisories links from the Open Directory: http://www.dmoz.org/Computers/Security/Advisories_and_Patches/