<<

Attack Trends
Editors: Iván Arce and Elias Levy

The Weakest Link Revisited

Iván Arce, Core Security Technologies

IEEE Security & Privacy, March/April 2003, pp. 72–76. Published by the IEEE Computer Society. 1540-7993/03/$17.00 © 2003 IEEE

It is a common saying that a chain is only as strong as its weakest link—a phrase information security officers, IT managers, consultants, researchers, journalists, and opinion makers reiterate ad nauseam when referring to an organization’s information security posture. Most in the information security community would agree that a security architecture is only as strong as its weakest link. However, they usually cannot agree on what that is, and no expert risks making a definite statement about it.

We can argue that a security strategy’s weakest component will vary from one organization to another, but perhaps we should compare past perceptions of what a weakest link is to what it could well be in the near future.

The weakest link timeline

A retrospective look at information technologies, information security trends, and threat models provides a few good guesses as to what the weakest links were in previous decades.

The mainframe

The mainframe and early time-sharing systems of the 1960s and 1970s had stringent mechanisms to enforce security at the operating system level. When coupled with physical access controls and security clearance requirements, these mechanisms presented a substantial barrier to opportunistic attackers or internal attack threats. Substantial research efforts in secure operating systems design and security mechanisms subversion,1,2 results of penetration-testing exercises,3,4 and the emergence of security-oriented subsystems such as IBM’s Resource Access Control Facility and Computer Associates’ ACF-2 and Top Secret (software packages that manage and enforce access control restrictions to mainframe resources) indicate that the primary security concern was internal operating system security. Therefore, the weakest link could be defined as flaws in an operating system’s security controls or as procedural weaknesses in its development and deployment process. As Roger Schell, Peter Downey, and Gerald Popek outline in Preliminary Notes on the Design of Secure Military Computer Systems:

“Most contemporary shared computer systems are not secure because security was not a mandatory requirement of the initial hardware and software design. The military has reasonably effective physical, communication, and personnel security, so that the nub of our computer security problem is the information access controls in the operating system and supporting hardware.”5

Successful exploitation of a mainframe assumed an attacker who was both technically and financially resourceful, who could access the computing facilities, and who had extensive knowledge of operating system internals and the technical expertise to develop complex attacks. The military, government, and large educational and research organizations of the ’60s and ’70s, as main users of mainframes and timesharing systems, could easily associate the attackers’ profile with their IT infrastructure. In this way, they could focus their effort on preventing security breaches from determined intruders with access to the operating system either as legitimate users or through procedural flaws in the operating system development and deployment process.

The personal computer

During the ’80s, extensive deployment of PCs in companies and households not only revolutionized the work and leisure time of a new range of computer users, but also presented a new security problem: the computer virus.

While mainframes and Unix systems continued to present challenges related to the traditional ’70s approach to operating systems’ security, the rapidly growing number of PCs was completely open to a new form of attack because of the lack of security controls in hardware and software. The computer virus6 threat became the springboard for a multibillion-dollar industry—Network Associates and Symantec entered the information security market as antivirus companies—and the principal security concern of any PC user.

Researchers considered the computer virus a minor threat because it only affected isolated computers with limited spreading capabilities due to the spread mechanism’s low bandwidth and, in general, they deemed virus infection to be an implausible method for directly attacking specific targets.

However, with the introduction of hard-disk technology in the early ’80s and the usage of floppy disks to transfer information between computers, the virus threat became more evident and incidents multiplied rapidly. A virus could infect files stored on the hard disk, make itself a persistent problem, and spread through files exchanged on floppy disks between otherwise isolated PCs. By the end of the ’80s and into the early ’90s, researchers identified the desktop computer and its susceptibility to computer viruses as the weakest link,7,8 and extensively documented and analyzed numerous accounts of newly discovered viruses and virus infection incidents.9

The networked organization

In the 1990s, the security community focused its attention on network security. The interconnecting of multiple networks via a set of Internet protocol standards and the sudden realization that research, academic, and government and military organizations’ networks (which until then were somewhat isolated from untrusted users) were open to attack demanded additional measures beyond traditional operating system security. Servers, not workstations, were the crown jewels to protect, but efficient control of interconnected servers was not enough to prevent external attackers from breaching security. The firewall emerged as the de facto security device that separated friends (internal, controlled networks) from foes (all others on the outside) and effectively “sealed” the perimeter, the newly identified weakest link.

Extensive study of the security of networking protocols and infrastructure components identified new security problems such as security design flaws in the Internet protocols, weak user authentication systems, and buffer overflow conditions in the most common publicly accessible network services, and proposed new solutions. Meanwhile, the use of LANs to connect PCs (which were previously isolated) to internal corporate networks (which were protected only at the perimeter) highlighted a problem that became evident by the mid ’90s with the full adoption of the World Wide Web and the Internet as a means to conduct daily business.

In short, by the end of the decade, the weakest link became a moving target. While still struggling to secure the perimeter and server systems with solutions such as firewalls, cryptographically strong authentication systems, network and host-based intrusion detection systems, VPN devices, and cryptography additions to networking protocols, organizations then faced a new threat—a blurring perimeter that made it almost impossible to differentiate friends from foes and internal users from external attackers and vice versa.

The community’s immediate reaction to the threat called for increased attention to server security, operating system controls, patch management, and additional perimeter defenses, not only to protect the organization from external attacks but also to detect and react to incidents.

The weakest workstation: A new beginning?

Information security—both as a practical discipline and as an academic field—has steadily increased in complexity since the 1950s. A wider range of problems must now be considered to devise effective security architectures for today’s organizations. Security solutions should account for our IT infrastructure’s technological challenges and the particular aspects of human and organizational behavior. It is in this context that we can identify our current weakest link: the workstation.

Efforts to implement and monitor workstation security during the 1990s are negligible compared to the immense resource allocation attempting to protect internal and external servers, network devices, and the network perimeter today. Once the community dealt with the virus threat in the 1980s (unsuccessfully, we might add), interest in workstation security evaporated when desktop operating systems began incorporating basic security mechanisms that made them suitable to operate in a networked environment, such as centralized user authentication and access control facilities. But by 2000, new ways of conducting business and new technologies had directly affected activities performed at the workstation; subsequently, a dormant set of security issues surfaced.

Extensive Web browser usage, instant messaging, email client software, peer-to-peer networking, digital media players, and a wide range of software packages that interact directly or indirectly with internal networks and the Internet are an information security officer’s nightmare. To effectively mitigate risk, the security officer now must identify vulnerabilities and assess their impact in a large set of software packages from multiple vendors ranging from small to large software companies, in-house development teams, and third-party integrators with various degrees of maturity in their development process, technical support infrastructure, and response time to provide security fixes. To make things even worse, the security officer often does not directly control the deployment of these packages or the operation of workstations.

Additionally, the complex task of managing security patches and security policies across thousands of workstations (possibly with different configurations), as opposed to hundreds of servers with standardized configurations, introduces severe scalability considerations that companies must account for to achieve a minimally successful information security strategy.

Perhaps it is evident that the workstation is the most vulnerable component in a threat model focused on protecting an organization from inside attacks, but proposing it as the security architecture’s weakest link and presenting it as the new target in attack trends for the future requires demonstration that external attackers also view it as such. Several indicators point to the workstation being the new weakest link.

The human factor

An organization’s IT assets are ultimately managed and operated by humans, and an IT asset’s management and operational roles typically are not assigned to the same individual. Generally, those who have the most security training in the organization manage and operate security infrastructure components. IT staff with various degrees of expertise manage and operate internal and publicly accessible servers as well as mission-critical applications, and are tasked to maintain and enforce an organization’s information security policy.

At the end of the line comes managing workstations and workstation security. Although this responsibility should fall to IT staff, usually it falls to end users—perhaps the least trained, experienced, or security-aware individuals in an organization. Therefore, desktop operating systems and the individuals operating them become the most obvious vulnerable avenues of attack for internal and external threats.

The new vulnerability indicator

During the past decade, the number of newly discovered vulnerabilities has steadily increased; of these, a growing proportion are no longer related to server software. The growing number of software packages that end users employ at workstations to conduct everyday business has attracted the attention of vulnerability researchers—who, from a security perspective, feel that the packages are poorly developed. The two most popular Web browsers alone have had a combined total of 152 security vulnerabilities since 1999 (see the Common Vulnerabilities and Exposures dictionary at www.cve.mitre.org). Recent discoveries in software components used for image processing,10,11 file compression,12,13 digital media playback,14 and file, email, and network encryption15 provide additional clues about the increasing importance of security at workstations.

The exploit research indicator

From a motivated attacker’s viewpoint, a successful attack on an organization involves compromising specific systems or otherwise achieving specific goals, such as obtaining confidential information or shutting down mission-critical servers. To perform directed attacks successfully, the attacker must overcome perimeter security mechanisms and server and application security controls with a set of tools. The most important of these tools—exploit programs—trigger a known vulnerability condition and let the attacker subvert the exploited platform’s security assumptions. Using highly reliable exploit programs is a key requirement for a determined attacker; therefore the small community of professional penetration testers and ethical or unethical hackers puts great effort into devising new exploitation techniques and methodologies.

In the past few years, most of the published work on exploit research and development has revealed a high degree of sophistication in exploit programs and the use of techniques that closely resemble those of the virus writers and researchers of the early ’80s. Reliable exploit code has become harder to develop,16 which forces researchers to better understand operating systems’ internals and application-layer security, as opposed to just focusing on network security. The mixed requirement of in-depth technical understanding combined with attackers who are accustomed to targeted attacks (as compared to the generally undirected attacks in the virus threat model of the ’80s) outlines requirements for a new breed of exploit programs targeted at workstation operating systems.

Use the front door, not the back door

The term “backdoor” is used to refer to a hole in a security system deliberately left in place by the designers or maintainers (www.jargon.8hz.com/jargon_17.html#SEC24). The concept of using the legitimate (but rarely used by outsiders) network access points to gain control of an organization’s most valuable assets (the “front door” as opposed to an obscure “back door”) was brought to my attention by coworkers Luciano Notarfrancesco and Gerardo Richarte.

The workstation is naturally both the outlet for an organization’s most sensitive information and the most legitimate network component to access its IT assets. This makes the workstation the most obvious point of attack for a determined attacker, provided that he or she can gather intelligence on workstation technology and configuration and on users’ usage patterns and procedures.

The most sensitive components of any organization’s security infrastructure are the CEO’s, CFO’s, or even the Chief Security Officer’s or network administrator’s workstations, because they provide a direct path to controlling the organization and its assets. From this perspective, we can easily imagine workstation users as the target of hackers’ intelligence-gathering attacks that attempt to determine login times, email and Internet browsing habits, personal and professional interests, and any other detailed information that will help them compromise the user’s workstation and use it as an entry point to gain access to the internal network.

The increasing interest in workstation security solutions such as personal firewalls, host-based intrusion detection and prevention systems, workstation access control software, file integrity checkers, and patch management systems might provide additional support to accept our hypothesis that the workstation is the weakest link. But if we choose to do so, we must come to grips with reality: humans operate and control workstations, and no technological gadget alone will strengthen the weakest link if human and organizational behaviors are not factored into a comprehensive security strategy.

If we accept the workstation as the new weakest link, we can conclude that from a technology viewpoint, an information security strategy can only succeed if it incorporates workstations and their users into an overall picture that today is dominated by network and server security paradigms.

References

1. P.A. Myers, Subversion: The Neglected Aspect of Computer Security, master’s thesis, Naval Postgraduate School, Monterey, Calif., 1980.
2. K. Thompson, “Reflections on Trusting Trust,” Comm. ACM, vol. 27, no. 8, 1984, pp. 761–763.
3. S.M. Goheen and R.S. Fiske, OS/360 Computer Security Penetration Exercise, white paper WP-4467, MITRE, Bedford, Mass., 01730, 1972.
4. P.A. Karger and R.R. Schell, Multics Security Evaluation: Vulnerability Analysis, tech. report ESD-TR-74-193, vol. 2, Hanscom Air Force Base, Mass., 01731, 1974.
5. R.R. Schell, P.J. Downey, and G.J. Popek, Preliminary Notes on the Design of Secure Military Computer Systems, MCI-73-1, MITRE, Bedford, Mass., 01730, 1973.
6. F. Cohen, “Computer Viruses, Theory and Experiments,” Computers & Security, vol. 6, no. 1, 1987, pp. 22–35.
7. J.O. Kephart and S.R. White, How Prevalent Are Computer Viruses?, IBM T.J. Watson Research Center, 1992; www.research.ibm.com/antivirus/SciPapers/Kephart/DPMA92/dpma92.html.
8. S.R. White, J.O. Kephart, and D.M. Chess, “Computer Viruses: A Global Perspective,” Proc. 5th Virus Bulletin Int’l Conf. (VB 95), Virus Bulletin Ltd., Abingdon, England, 1995; www.research.ibm.com/antivirus/SciPapers/White/VB95/vb95.distrib.html.
9. T. Polk and L. Bassham, Guide to the Selection of Anti-Virus Tools and Techniques, tech. report 800-5, Nat’l Inst. of Standards and Tech., Gaithersburg, Md., 20899, 1992.
10. Security Focus Online, “LibPNG Incorrect Offset Calculation Buffer Overflow Vulnerability,” http://online.securityfocus.com/bid/6431.
11. Security Focus Online, “Multiple Browser Zero Width GIF Image Memory Corruption Vulnerability,” http://online.securityfocus.com/bid/5665.
12. Security Focus Online, “WinZip Tar Hostile Destination Path Vulnerability,” http://online.securityfocus.com/bid/6418.
13. Security Focus Online, “WinZip File Encryption Scheme Limited Key Space Vulnerability,” www.securityfocus.com/bid/6805.
14. Security Focus Online, “mpg123 Invalid MP3 Header Memory Corruption Vulnerability,” http://online.securityfocus.com/bid/6593.
15. Security Focus Online, “PGP Desktop Filename Buffer Overflow Vulnerability,” http://online.securityfocus.com/bid/5656.
16. G. Richarte and I. Arce, “Lessons Learned Writing Exploits,” Proc. CanSecWest Security Conf. 02, www.corest.com/common/showdoc.php?idx=226&idxseccion=13&idxmenu=35.

Iván Arce is chief technology officer and cofounder of Core Security Technologies, an information security company based in Boston. Previously, he worked as vice president of research and development for a computer telephony integration company and as information security consultant and software developer for various government agencies and financial and telecommunications companies.