The Laws of Vulnerabilities
Terry Ramos, Qualys
02/15/06 - HT1-202
Are We Getting Better or Worse?
What is a vulnerability?
How significant is this vulnerability?
How prevalent is this vulnerability?
How easy is this vulnerability to exploit?
Are any of my systems affected by this vulnerability?
How quickly should I patch this vulnerability?
Security Trend Indicators
• Malicious Code (↑)
• Vulnerabilities (↑)
• Spam and Spyware (↑)
• Phishing and Identity Theft (↑)
…and
• Time to Exploitation (↓)
First Generation Threats
• Spreading mostly via email, file-sharing
• Human Action Required
• Virus-type spreading / No vulnerabilities
• Examples: Melissa Macro Virus, LoveLetter VBScript Worm
• Replicates to other recipients
• Discovery/Removal: Antivirus
Second Generation Threats
• Active worms
• Leveraging known vulnerabilities
• Low level of sophistication in spreading strategy (i.e. randomly)
• Non Destructive Payloads
• Remedy: Identify and Fix Vulnerabilities
Third Generation Threats
• Automated Attacks Leveraging Known and Unknown Vulnerabilities
• Collaboration of Social Engineering and Automated Attacks
• Multiple Attack Vectors — Email, Web, IM, Vulnerabilities, …
• Active Payloads
• Remedy: Security Enforcement / NAC / NAM
The Laws of Vulnerabilities: Studying Vulnerabilities and Patching
• Objective: Understanding prevalence of critical vulnerabilities over time in the real world
• Timeframe: 2002 - Ongoing
• Data Source:
— 70% Global Enterprise networks
— 30% Random trials
• Methodology: Automatic data collection with statistical data only – no possible correlation to individual users or systems
• Scanning: Agentless/Remote
Analyzing 32,000,000 Vulnerability Scans
[Chart: scans per quarter (millions, 0 to 8) from Q4 2002 to Q3 2005. Series: Internal/Intranet Scans, External/Perimeter Scans. Worm outbreaks annotated on the timeline: Slammer Worm, Blaster Worm, Witty Worm, Sasser Worm, Zotob Worm.]
Raw Results
• Largest collection of global real-world vulnerability data:
— 32,147,000 IP-Scans from Q3/2002 to Q3/2005
— 21,347,000 critical vulnerabilities identified
• Scope of Vulnerabilities included:
— 1,060 out of 1,556 unique critical* vulnerabilities
* Providing an attacker the ability to gain full control of the system, and/or leakage of highly sensitive information. For example, vulnerabilities may enable full read and/or write access to files, remote execution of commands, and the presence of backdoors.
The Changing Vulnerability Landscape
• From server to client applications
• Before: Vulnerabilities in server applications:
— Webserver, Mailserver, Operating System services
• Now: More than 60% of new critical vulnerabilities in client applications:
— Web Browser, Backup Software, Media Player, Antivirus Software, Flash, …
Microsoft WebDAV Vulnerability
Microsoft Windows 2000 IIS WebDAV Buffer Overflow Vulnerability
CAN-2003-0109
Qualys ID 86479
Released: March 2003
[Chart: percentage of vulnerable systems over time (0% to 120% scale), 10/5/2002 to 8/5/2005 at two-month intervals.]
Buffer Overflow in Microsoft Local Security Authority Subsystem Service (LSASS)
Buffer overflow in Microsoft Local Security Authority Subsystem Service (LSASS)
CAN-2003-0533
Qualys ID 90108
Released: April 2004
[Chart: percentage of vulnerable systems over time (0% to 120% scale), 10/5/2002 to 8/5/2005 at two-month intervals.]
Vulnerability Half-Life
For a critical vulnerability, every 19 days the number of vulnerable systems is reduced by 50% on external systems.
[Chart: percentage of vulnerable systems (100%, 75%, 50%, 25%) against days since release (19, 38, 57, 76, 95, 114 days).]
Microsoft Exchange Server Buffer Overflow Vulnerability
CAN-2003-0714
Qualys ID 74143
Released: October 2003
[Chart: percentage of vulnerable systems over time (0% to 120% scale), 10/5/2002 to 7/5/2005 at quarterly intervals.]
Adobe Acrobat Reader Format String Vulnerability
CAN-2004-1153
Qualys ID 38385
Released: December 2004
[Chart: percentage of vulnerable systems over time (0% to 120% scale), 10/5/2002 to 8/5/2005 at two-month intervals.]
Microsoft Server Message Block Remote Execution (MS05-011)
Remote Code Execution Vulnerability in Microsoft Server Message Block (SMB)
CAN-2005-0045
Qualys ID 90230
Released: February 2005
[Chart: percentage of vulnerable systems over time (0% to 120% scale), 10/5/2002 to 8/5/2005 at two-month intervals.]
External vs. Internal Half-life
For a critical vulnerability, every 19 days (48 days on internal networks) 50% of vulnerable systems are being fixed.
[Chart: percentage of vulnerable systems (100%, 75%, 50%, 25%) against days since release (19, 38, 57, 76, 95, 114, 133, 152, 171 days).]
The Changing Half-life

                     2003      2004      2005      2006
External Half-life   30 days   21 days   19 days   ?
Internal Half-life   -         62 days   48 days   ?
Predefined vs. Irregular Vulnerability Releases
Vulnerabilities released on a predefined known schedule show 18% faster patch response.
[Two charts, Predefined Release and Irregular Release: percentage of vulnerable systems (0% to 120% scale), weekly from 7/30/2005 to 10/1/2005.]
SSL Server Allows Cleartext Communication
Qualys ID 38143
[Chart: number of affected systems (0 to 3,500) from 3/1/2003 to 9/1/2005 at two-month intervals.]
SQL Slammer Vulnerability
MS-SQL 8.0 UDP Slammer Worm Buffer Overflow Vulnerability
CAN-2002-0649
Qualys ID 19070
Released: July 2002
[Chart: percentage of vulnerable systems over time (0% to 120% scale), 2/8/2003 to 8/8/2005 at two-month intervals.]
Lingering Vulnerabilities: SNMP Writable
[Chart: percentage of vulnerable systems (0% to 120% scale) for SNMP Writeable, 10/5/2002 to 7/5/2005 at quarterly intervals.]
Vulnerability Lifespan
4% of critical vulnerabilities remain persistent and their lifespan is unlimited.
[Chart: percentage of vulnerable systems (100%, 75%, 50%, 25%) against days since release (19, 38, 57, 76, 95, 114 days).]
Window of Exposure
80% of exploits are available within the first half-life period of critical vulnerabilities.
[Chart: percentage of vulnerable systems (100%, 75%, 50%, 25%) against days since release (19, 38, 57, 76, 95, 114 days).]
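The half-life, lingering-vulnerability and window-of-exposure slides above together describe one remediation model: the vulnerable population halves every 19 days externally (48 days internally), a 4% remainder never gets fixed, and most exploits appear within the first half-life. The Python below is an added example, not code from the deck or from Qualys. It implements that model as an exponential decay above a constant persistent floor (the floor being my modelling assumption, not something the deck states), fits the half-life from constructed scan counts by log-linear least squares, and reports how much of an internal host population is still exposed at the end of the first external half-life. The scan counts and the function names are constructed for this example.

```python
"""Remediation half-life model (added example; not from the Qualys deck).

Assumption: the share of hosts still vulnerable t days after release is
    f(t) = p + (1 - p) * 0.5 ** (t / h)
with half-life h and a persistent floor p that is never remediated.
"""
import math

EXTERNAL_HALF_LIFE = 19.0   # days, the deck's 2005 external value
INTERNAL_HALF_LIFE = 48.0   # days, the deck's 2005 internal value
PERSISTENT_FLOOR = 0.04     # the deck's 4% of lingering critical vulns

# Constructed sample data (not from the slides): hosts still flagged for one
# critical finding in successive scans of a fixed host set, sampled at
# multiples of the 19-day external half-life.
SAMPLE_SCANS = [
    # (days since advisory release, hosts still vulnerable, hosts scanned)
    (0, 1000, 1000),
    (19, 520, 1000),
    (38, 280, 1000),
    (57, 160, 1000),
    (76, 100, 1000),
]


def vulnerable_fraction(days, half_life, persistent=0.0):
    """Share of originally vulnerable hosts still vulnerable after `days`."""
    return persistent + (1.0 - persistent) * 0.5 ** (days / half_life)


def days_until(target, half_life, persistent=0.0):
    """Days until the vulnerable share falls to `target`.
    Returns inf when the target is at or below the persistent floor,
    because the model never reaches it."""
    if target <= persistent:
        return math.inf
    return half_life * math.log2((1.0 - persistent) / (target - persistent))


def estimate_half_life(scans, persistent=0.0):
    """Fit h to scan counts: log2((f - p) / (1 - p)) = -days / h, so the
    least-squares slope of that transformed series equals -1 / h."""
    xs, ys = [], []
    for day, vulnerable, scanned in scans:
        frac = vulnerable / scanned
        if frac > persistent:          # points at the floor carry no decay signal
            xs.append(float(day))
            ys.append(math.log2((frac - persistent) / (1.0 - persistent)))
    n = len(xs)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    return -sxx / sxy


def exposure_at_first_half_life(internal_half_life, external_half_life):
    """Share of internal hosts still vulnerable one external half-life after
    release, i.e. by the time the deck says 80% of exploits are available."""
    return vulnerable_fraction(external_half_life, internal_half_life)


if __name__ == "__main__":
    fitted = estimate_half_life(SAMPLE_SCANS, PERSISTENT_FLOOR)
    print(f"fitted half-life from sample scans: {fitted:.1f} days")
    for d in range(0, 115, 19):
        ext = vulnerable_fraction(d, EXTERNAL_HALF_LIFE, PERSISTENT_FLOOR)
        inn = vulnerable_fraction(d, INTERNAL_HALF_LIFE, PERSISTENT_FLOOR)
        print(f"day {d:3d}: external {ext:6.1%}   internal {inn:6.1%}")
    print("days until 10% remain (external):",
          round(days_until(0.10, EXTERNAL_HALF_LIFE, PERSISTENT_FLOOR)))
    print("days until 2% remain (external):",
          days_until(0.02, EXTERNAL_HALF_LIFE, PERSISTENT_FLOOR))
    exposed = exposure_at_first_half_life(INTERNAL_HALF_LIFE, EXTERNAL_HALF_LIFE)
    print(f"internal hosts still exposed at day 19: {exposed:.1%}")
```

The fit deliberately drops observations at or below the floor: once a population has settled on the persistent 4%, further scans say nothing about the decay rate, and taking the log of a zero or negative residual would fail. The internal-versus-external comparison is the practical point: with a 48-day internal half-life, roughly three quarters of internal hosts are still vulnerable when, by the deck's figure, most exploits already exist.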
A Continuous Cycle of Infection
Automated attacks create 85% of their damage within the first fifteen days from outbreak and have unlimited life time.
[Chart: y-axis 0 to 180, 3/1/2003 to 9/1/2005 at two-month intervals. Worm outbreaks annotated: Codered, Slapper, Blaster, Nachi, Sasser, Zotob.]