
Focus

Feeling Vulnerable?

12/29/2005

When it comes to vulnerability scanners, know your tools, and clarify your goals—or be sorry later.

“You can be sure of succeeding in your attacks if you only attack places which are undefended. You can ensure the safety of your defense if you only hold positions that cannot be attacked.” —Sun Tzu, The Art of War

As a University of Nebraska Cornhusker football fan, I have always looked forward to the spring game that pits the team’s best offensive unit against the best defensive unit. For network security folks, vulnerability scanning is our version of that spring game. With it, we can attack our own network to find the weaknesses in our defenses. Then we can fix them before we play with a real-world opponent.

Which Strategy?

Vulnerability scanners are one part of a broader set of tools that follow one of two broad strategies. The strategy used by vulnerability scanners is to periodically run computer programs that look for weaknesses in your network and attached systems by comparing a database of known vulnerabilities against data about your systems. Another strategy is to monitor your network and attached systems in real time, looking for anomalies that indicate the presence of an intruder. That strategy is really dealing with threats, not vulnerabilities. Yet, each strategy has its advantages and disadvantages and, in practice, both are needed. While the focus here is the first strategy, vulnerability scanning, the trend is to integrate both strategies into a single tool suite.
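The comparison step described above, as an added sketch that is not from the original article or any scanner product: a constructed inventory is checked against a constructed vulnerability database, and version strings that cannot be compared are set aside for review rather than treated as safe. The product names, entry IDs, and host names are all hypothetical placeholders.

```python
import re

# Constructed vulnerability database: placeholder IDs, hypothetical products.
VULN_DB = [
    {"id": "EXAMPLE-0001", "product": "examplehttpd", "introduced": "2.0.0", "fixed": "2.0.55"},
    {"id": "EXAMPLE-0002", "product": "examplesshd", "introduced": "3.0", "fixed": "4.2"},
    {"id": "EXAMPLE-0003", "product": "exampledb", "introduced": "4.0.0", "fixed": None},  # no fix yet
]

# Constructed inventory: what a periodic scan collected from each host.
INVENTORY = {
    "web01": {"examplehttpd": "2.0.52", "examplesshd": "4.2"},
    "db01": {"exampledb": "4.1.7", "examplesshd": "3.9p1"},
    "lab07": {"examplehttpd": "custom-build"},
}

def parse_version(text):
    """Leading dotted number as a 4-part tuple (so 2.0 == 2.0.0), else None."""
    m = re.match(r"^(\d+(?:\.\d+)*)", text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def is_affected(installed, introduced, fixed):
    """True/False when the version can be compared, None when it cannot."""
    v = parse_version(installed)
    if v is None:
        return None
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)

def scan(inventory, vuln_db):
    """Compare every installed package against every matching database entry."""
    findings, unknown = [], []
    for host, packages in sorted(inventory.items()):
        for product, installed in sorted(packages.items()):
            for entry in (e for e in vuln_db if e["product"] == product):
                verdict = is_affected(installed, entry["introduced"], entry["fixed"])
                if verdict is None:
                    unknown.append((host, product, installed))
                elif verdict:
                    findings.append((host, product, installed, entry["id"]))
    return findings, unknown

if __name__ == "__main__":
    findings, unknown = scan(INVENTORY, VULN_DB)
    for row in findings:
        print("VULNERABLE", *row)
    for row in unknown:
        print("NEEDS REVIEW", *row)
```

The "needs review" list matters as much as the findings: a scanner that silently skips versions it cannot parse reports a clean host it never actually assessed.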

Are the Bad Guys Winning?

EUGENE SPAFFORD, professor and executive director, Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University (IN), and a former member of the President's Information Technology Advisory Committee (PITAC), is one of the world's leading authorities on cyber security--and he's concerned about the future. He feels that today's cyber security strategies are retroactive, and that the number of vulnerabilities makes it increasingly difficult, even ultimately impossible, to keep pace. He points to the fact that the Computer Emergency Response Team Coordination Center (CERT) at Carnegie Mellon University (PA) reports that 3,780 new electronic vulnerabilities were published in 2004—that's more than 10 a day, and a 20-fold increase since 1995. Spafford recently testified before the House Science Committee:

“The software and hardware being deployed today have been designed by individuals with little or no security training, using unsafe methods, and then poorly tested. This is being added to the fault-ridden infrastructure already in place and operated by personnel with insufficient awareness of the risks. Therefore, none of us should be surprised if we continue to see a rise in break-ins, defacements, and viruses in the years to come.”

The solution, according to Spafford, is simpler, more robust, and better-crafted systems. Unfortunately, a hardware/software vendor's revenue stream depends upon the regular issuance of new and more powerful hardware required to run new and/or updated software jam-packed with new, and largely unused, “features,” resulting in a downward spiral of increasingly complex and vulnerable systems. The market doesn't reward simple, stable, well-architected hardware or software. Equally unfortunate, both private and government research is almost entirely focused on short-term patching rather than the long-term development of new, inherently secure computer architectures.

Spafford sees three outcomes to the current trend. In the first, the market realizes the cost of tacking security onto systems as an afterthought, and demands and compensates vendors for simpler, more secure systems. This will probably require a new revenue-generation model. The second outcome is that we limit our use of information technology to avoid security-related problems. The third outcome is that we continue on our merry way until the system implodes.

How serious is the problem? I encourage you to read Cyber Security: A Crisis of Prioritization, Report of the President's Information Technology Advisory Committee, 2005, which is available at www.nitrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf.


