- Not Anymore, Continued
- Threats
- Known Vulnerabilities and Known Exploits
- Targeted Threats
- Critical Systems and Threats
- Countermeasures
- Regulatory Issues
- Technology
- A Word About the Long Term: IPv6
- The Organizational Security Posture
- What Parts of Constant Vigilance Should I Outsource?
- What to Keep
- Who to Seek
- You Have Just Charted a Course: Let's Set Sail
This chapter is from the book
This chapter is from the book
This chapter is from the book
Known Vulnerabilities and Known Exploits
If you knew that your company's warehouse door was often left unguarded for three minutes during a daily shift change, would you do something about it? A better lock? Change the shift schedule? Maybe add a video camera at the door? Perhaps. Or you might think, "It is only three minutes, and cameras are expensive"—no one will know that you are supremely vulnerable for those 180 seconds. Then, after the inevitable happens, and you have lost your property, you would overspend to make sure that the specific door would never be compromised again. That is the real world.
When you factor in the Internet, the question begins to look even more ridiculous to the uninitiated. I'm talking gaps of milliseconds on one open, internal password-protected port among thousands. Yet to a hacker, these types of commonplace vulnerabilities represent more than a three-minute open gate, and hackers capitalize on them every minute of every day, in every country in the world. Even though crime fighting is growing—among EU member nations, groups such as the UK's National High Tech Crime Unit sniff out and investigate cybercrime—hacking is still a favored pastime for the 12- to 20-year-old set.
Known vulnerabilities are weaknesses inherent within existing technology of all types. Exploits are hacker attacks on those known vulnerabilities.1 Keeping tabs on what vulnerabilities exist in your hardware and software and discovering what new (or previously undiscovered) ones apply in both legacy and upgraded systems is absolutely vital to the ongoing security of your company. Keeping up with these threats is paramount.
As your global security team prepares for new hazards, it should also master the technology hardware and software you run, knowing what its strengths and weaknesses are. All team members should have a card by their desk that literally lists this exhaustive roster so that it is easily referenced when threats are antici-pated and dispatched.
One of the best, least-expensive ways to maintain constant vigilance on threats is by joining your country's Computer Emergency Response Team (CERT). CERTs were born in the aftermath of the world's first virus—the Morris worm—which infected fewer than 100 computers worldwide, when it was found that the world's collective of Web administrators knew only e-mail addresses. (What was needed was a list of phone numbers. With no computers working, they had no way to contact each other!) Its founders understood the long-term ramifications of threats and developed the very first CERT on Carnegie-Mellon University's campus in Pittsburgh. These individuals knew that a clearinghouse of confidential, yet available contact information must be readied and shared for the next-generation Web.
CERT Alerts Require Translation
Always translate CERT alerts for your CxO of choice. Tell me, how could they understand it if you quickly IM them this recent CERT high alert?
A Cross-Site Scripting vulnerability exists in the 'index.php' script in both the 'admincp' and 'modcp' application directories due to insufficient sanitization, which could let a remote malicious user execute arbitrary HTML and script code.
The original CERT was a simple phone tree, and it evolved into the safe place to report threats, bugs, break-ins, and thefts so that information could be analyzed and redirected. CERTs have since grown, country by country, into independently run, cosmopolitan organizations. If you do business in Singapore, you would access SingCERT through the country's Information Development Authority (http://www.ida.gov.sg). Thailand runs a ThaiCERT, and Malaysia boasts a MyCert. You get the idea. If you are a legal, certified business, it is generally free to subscribe. CERT will help you put your own process in place for vetting exploits by delivering ongoing alerts and offering insight on how to create a threat-readiness posture.
CERTS are so successful, an international umbrella organization was created called FIRST (http://www.first.org). FIRST stands for the Forum of Incident Response and Security Teams, and it coalesces security-incident response teams that work in government, commercial, and academic organizations throughout the world. It "aims to foster cooperation and coordination in incident prevention to prompt rapid reaction to incidents and to promote information sharing among members and the community at large."
One indicator that new information-sharing links with federal governments are strategically important to top corporate executives can be found in the 13 Information Sharing and Analysis Centers (ISACs)—one for virtually every key vertical sector of private critical infrastructure. The companies participating in these ISACs constitute a who's who in their corporate world. For example, those looking for the Information Technology ISAC will find it at http://www.IT-ISAC.org. ISAC's are built around trust. It started with the financial services industry, and most major industries in major countries followed suit. You must be invited to join by another, trusted ISAC member. There are almost no vendor members—just security personnel who are trying to do their job well.