Network Security Organizations

This section primarily examines some of the exploits and vulnerabilities available to attackers. Before that, though, it is important to look at where you can go to learn about vulnerabilities and other security-related information; several organizations are covered, with descriptions taken “in their own words” directly from their websites.

At one time, each vendor or manufacturer was responsible for tracking all the vulnerabilities that affected its products. The result was that different companies would report the same vulnerability under different names, thereby causing some confusion—or perhaps they would not acknowledge the vulnerability until it became public. The network security industry realized that this was not efficient, and it created Common Vulnerabilities and Exposures (CVE). Do not misunderstand; CVE is not a database of vulnerabilities, but a dictionary that defines its role as follows:

Common Vulnerabilities and Exposures (CVE [www.cve.mitre.org/]) is a dictionary of common names (i.e., CVE identifiers) for publicly known information security vulnerabilities, while its Common Configuration Enumeration (CCE) provides identifiers for security configuration issues and exposures.

CVE’s common identifiers make it easier to share data across separate network security databases and tools, and provide a baseline for evaluating the coverage of an organization’s security tools. If a report from one of your security tools incorporates CVE Identifiers, you may then quickly and accurately access fix information in one or more separate CVE-compatible databases to remediate the problem.

CVE is

• One name for one vulnerability or exposure

• One standardized description for each vulnerability or exposure

• A dictionary rather than a database

• How disparate databases and tools can “speak” the same language

• The way to interoperability and better security coverage

• A basis for evaluation among tools and databases

• Free for public download and use

• Industry-endorsed via the CVE Editorial Board and CVE-Compatible Products
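To show what “one name for one vulnerability” buys you in practice, here is an added example (not from the book or from MITRE) in Python: it pulls CVE identifiers out of two constructed scanner reports in different formats, normalizes them, flags tokens that do not satisfy the canonical CVE-YYYY-NNNN form, and lists which findings only one tool reported, the coverage comparison the CVE text describes. The report formats and the year-2099 identifiers are constructed placeholders, not real entries.

```python
import re

# Canonical CVE identifier: "CVE-" + 4-digit year + sequence of 4 or more digits.
CVE_RE = re.compile(r"\bcve-(\d{4})-(\d{4,})\b", re.IGNORECASE)
# Anything that merely looks like a CVE id; used to spot malformed tokens.
LOOSE_RE = re.compile(r"\bcve-[\w-]+", re.IGNORECASE)

# Constructed sample output from two hypothetical scanners (placeholder ids).
TOOL_A_REPORT = """\
web01,high,cve-2099-0001,remote code execution in demo service
web01,medium,CVE-2099-0042,weak TLS configuration
db01,low,CVE-2099-12345,information disclosure
"""
TOOL_B_REPORT = """\
host=web01 finding=CVE-2099-0001 score=9.8
host=web01 finding=CVE-2099-777 score=5.0
host=db01 finding=cve-2099-12345 score=3.1
host=db01 finding=CVE-2099-0099 score=7.5
"""

def extract_cves(report):
    """Return {host: set of canonical CVE ids} from one tool's report.

    The host is assumed to be the first comma field or a 'host=' token;
    the CVE id may appear anywhere on the line in any letter case.
    """
    per_host = {}
    for line in report.splitlines():
        m = re.search(r"host=(\S+)", line)
        host = m.group(1) if m else line.split(",", 1)[0]
        ids = {f"CVE-{year}-{seq}" for year, seq in CVE_RE.findall(line)}
        if ids:
            per_host.setdefault(host, set()).update(ids)
    return per_host

def malformed_ids(report):
    """CVE-looking tokens that fail the canonical format (e.g. too few digits)."""
    return sorted(t.upper() for t in LOOSE_RE.findall(report) if not CVE_RE.fullmatch(t))

def compare_coverage(a, b):
    """Per host, which ids both tools found and which only one tool found."""
    result = {}
    for host in sorted(set(a) | set(b)):
        found_a, found_b = a.get(host, set()), b.get(host, set())
        result[host] = {"both": sorted(found_a & found_b),
                        "only_a": sorted(found_a - found_b),
                        "only_b": sorted(found_b - found_a)}
    return result

if __name__ == "__main__":
    print(compare_coverage(extract_cves(TOOL_A_REPORT), extract_cves(TOOL_B_REPORT)))
    print("malformed in tool B:", malformed_ids(TOOL_B_REPORT))
```

Malformed tokens are reported rather than silently dropped, because a typo in an identifier is exactly the kind of mismatch a shared dictionary is meant to prevent.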

CERT Coordination Center

The CERT Program (www.cert.org/) is part of the Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania. Following the Morris worm incident, which brought 10 percent of Internet systems to a halt in November 1988, the Defense Advanced Research Projects Agency (DARPA) charged the SEI with setting up a center to coordinate communication among experts during security emergencies and to help prevent future incidents. This center was named the CERT Coordination Center (CERT/CC).

While CERT continues to respond to major security incidents and analyze product vulnerabilities, our role has expanded over the years. Along with the rapid increase in the size of the Internet and its use for critical functions, there have been progressive changes in intruder techniques, increased amounts of damage, increased difficulty of detecting an attack, and increased difficulty of catching the attackers. To better manage these changes, the CERT/CC is now part of the larger CERT Program, which develops and promotes the use of appropriate technology and systems management practices to resist attacks on networked systems, to limit damage, and to ensure continuity of critical services.

SANS

The SANS (SysAdmin, Audit, Network, Security) Institute (www.sans.org/) was established in 1989 as a cooperative research and education organization. Its programs now reach more than 165,000 security professionals around the world. A range of individuals from auditors and network administrators to chief information security officers are sharing the lessons they learn and are jointly finding solutions to the challenges they face. At the heart of SANS are the many security practitioners in varied global organizations from corporations to universities working together to help the entire information security community.

Many of the valuable SANS resources are free to all who ask. They include the popular Internet Storm Center (the Internet’s early warning system), the weekly news digest (NewsBites), the weekly vulnerability digest (@RISK), flash security alerts, and more than 1,200 award-winning, original research papers.

Center for Internet Security (CIS)

The mission of the Center for Internet Security (CIS) is to establish and promote the use of consensus-based standards to raise the level of security and privacy in Internet-connected systems, and to ensure the integrity of the business, government, and private Internet-based functions and transactions on which society increasingly depends. CIS (http://cisecurity.org) is an independent organization governed by a volunteer board of directors; it is not owned or controlled in full or part by any corporation or government entity.

CIS develops and distributes the following:

• Security configuration benchmarks describing consensus best practices for the secure configuration of target systems. Configuring IT systems in compliance with these benchmarks has been shown to eliminate 80 percent to 95 percent of known security vulnerabilities. The benchmarks are globally used and accepted as the de facto user-originated standard for IT security technical controls.

• Benchmark audit tools for assessing compliance with CIS benchmarks.

• Security metrics that offer enterprise IT and security teams insight into their own security process outcomes.

SCORE

SCORE is a cooperative effort between SANS/GIAC and the Center for Internet Security (CIS). SCORE (www.sans.org/score/) is a community of security professionals from a wide range of organizations and backgrounds who work to develop consensus regarding minimum standards and best-practice information. It essentially acts as CIS’s research engine. After consensus is reached and best practice recommendations are validated, CIS can formalize them as best practice and minimum standards benchmarks for general use by industry at large.

SCORE objectives are as follows:

• Promote, develop, and publish security checklists.

• Build these checklists via consensus and through open discussion via SCORE mailing lists.

• Use existing references, recruit GIAC-certified professionals, and enlist subject matter experts where and whenever possible.

Internet Storm Center

Internet Storm Center (http://isc.sans.org/) defines itself as a center that gathers more than 3,000,000 intrusion detection log entries every day. It is rapidly expanding in a quest to do a better job of finding new storms faster, isolating the sites that are used for attacks, and providing authoritative data on the types of attacks that are being mounted against computers in various industries and regions around the globe. Internet Storm Center is a free service to the Internet community. The SANS Institute supports the work with tuition paid by students attending SANS security education programs.

National Vulnerability Database

The National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD (http://nvd.nist.gov/) includes databases of security checklists, security-related software flaws, misconfigurations, product names, and impact metrics.

Security Focus

Since its inception in 1999, SecurityFocus has been a mainstay in the security community. From original news content to detailed technical papers and guest columnists, it has strived to be the community’s source for all things security-related. SecurityFocus was formed with the idea that the community needed a place to come together and share its collected wisdom and knowledge. At SecurityFocus, the community has always been the primary focus. The SecurityFocus website now focuses on a few key areas of greatest importance to the security community:

• BugTraq is a high-volume, full-disclosure mailing list for the detailed discussion and announcement of computer security vulnerabilities. BugTraq serves as the cornerstone of the Internet-wide security community.

• The SecurityFocus Vulnerability Database provides security professionals with the most up-to-date information on vulnerabilities for all platforms and services.

• SecurityFocus Mailing Lists enable members of the security community from around the world to discuss all manner of security issues. There are currently 31 mailing lists; most are moderated to keep posts on-topic and to eliminate spam.

Learning from the Network Security Organizations

These organizations did not always exist, but the increase in threats across the Internet from attackers of all types has supported their birth and growth. You should explore each website because there is a wealth of information that takes you beyond what is presented here. The following section reviews some of the ways vulnerabilities and exploits are used in attacks.

One of the useful things that manufacturers are doing these days is setting up methods for users and white-hat hackers (good guys) to report security issues with their products. For example, Cisco provides this information online:

Cisco Security Advisories & Notices: www.cisco.com/en/US/products/products_security_advisories_listing.html (PSIRT)

Cisco Security Intelligence Operations: http://tools.cisco.com/security/center/

Cisco produces a report on cyber risks every few months; it can be found on the preceding website and is worth looking at.
