The Future of Information Assurance Chapter 2

by becki on August 28, 2009


The following is the second excerpt from my Norwich MSIA Seminar 4 final paper, in which I speculate on how IA will evolve.

I would love to hear what you think, so leave a comment and let me know how you think things will turn out.

Vulnerability Assessment and Intrusion Detection

Vulnerability assessment systems (VAS) automatically scan for and report on vulnerabilities in computer operating systems and software. A VAS does not run continually, but it can be scheduled to run at pre-defined intervals. Some commercially available VAS can also detect application-level vulnerabilities such as SQL injection and XSS.

The current VAS capabilities are limited to known vulnerabilities. While some may view this as a severe limitation, the Heartland breach and several others are proof that the industry has a long way to go before it finishes addressing known vulnerabilities.

Intrusion Detection Systems (IDS) use known signatures to detect intrusions and algorithms to detect abnormal traffic. Unlike a VAS, an IDS runs continually and alerts on violations. An IDS can also be used to verify the quality and effectiveness of firewall rules: too often an administrator believes a firewall rule was configured correctly, only to find out the hard way that it was not. With an IDS in place, such mistakes generate alerts, minimizing the time the system is exposed.

Analogous to IDS is egress filtering. Many network administrators are very careful about the sources of traffic entering their networks but pay little attention to the destinations of traffic leaving them. This is one reason malware and botnets are so successful, as they were in the Heartland breach.

Here is a brief summary of the benefits of VAS and IDS (True “Vulnerability Assessment and Intrusion Detection” 4):

• Periodic vulnerability assessments are required for PCI compliance (requirement 11.2)
• VAS and IDS help meet auditing requirements
• VAS reports vulnerabilities, and remediation reduces risk
• VAS can be used as a pre-deployment QA check
• IDS alerts in real-time when it detects a violation
• IDS helps with forensic evidence in the case of a computer crime (Kabay 2)

As we are beginning to see from the Heartland breach, there were steps that Heartland could have and probably should have taken that would have made it more difficult for the criminals to steal millions of credit card numbers. If they had properly installed, configured and managed VAS, IDS and software testing systems, they might have been alerted to the criminals’ activity before they could do damage. For example, if they had installed IDS and egress filtering between the sensitive cardholder subnetwork and the less secure, less sensitive subnetwork, they might have noticed the unauthorized activity.

Software Vulnerability Assessment

Another form of vulnerability assessment that is useful is web application testing as outlined in the Open Web Application Security Project (OWASP) testing framework. Today’s computer criminals are bypassing the network and attacking businesses through the application layer; this is the vector the Heartland attackers used.

The OWASP testing framework suggests incorporating testing throughout the software development lifecycle (SDLC), including penetration testing during the deployment phase.

The Future of VAS and IDS

VAS, IDS, software testing and penetration testing are important forms of quality assurance and are not likely to go away any time soon. In fact, their importance will increase, as will the number of companies incorporating them into their networks. It is impossible to prevent every intrusion, so future systems will have to respond dynamically to breaches. For example, an IDS could detect an intrusion and update the firewall rules to isolate the offending traffic.
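As an added example (not part of the original paper or of any product it mentions), the following Python audits a constructed flow log against an egress allow-list for a cardholder subnet and emits a block rule for each violation, combining the egress filtering and the dynamic IDS response described above. The subnets, hosts, ports and flows are assumed sample values.

```python
"""Added example: egress audit of a cardholder subnet with an automatic block response.
Assumed policy (constructed): 10.20.0.0/24 may only reach the payment processor
203.0.113.10:443/tcp and the internal DNS server 10.10.0.53:53/udp."""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

SENSITIVE_NET = ipaddress.ip_network("10.20.0.0/24")
# Egress policy for the sensitive subnet: (destination network, port, protocol)
ALLOWED_EGRESS = [
    (ipaddress.ip_network("203.0.113.10/32"), 443, "tcp"),
    (ipaddress.ip_network("10.10.0.53/32"), 53, "udp"),
]

# Constructed flow log as a sensor on the subnet boundary might export it: src dst dport proto
SAMPLE_FLOWS = [
    "10.20.0.15 203.0.113.10 443 tcp",  # legitimate traffic to the processor
    "10.20.0.15 10.10.0.53 53 udp",     # legitimate DNS lookup
    "10.20.0.22 198.51.100.77 21 tcp",  # FTP out of the cardholder network: violation
    "10.30.0.5 198.51.100.77 80 tcp",   # not in the sensitive subnet: out of scope
]

def parse_flow(line):
    src, dst, dport, proto = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto)

def is_allowed(flow):
    """True when the flow matches an entry of the egress allow-list."""
    return any(flow.dst in net and flow.dport == port and flow.proto == proto
               for net, port, proto in ALLOWED_EGRESS)

def find_violations(lines):
    """Flows that originate in the sensitive subnet but fall outside the policy."""
    flows = (parse_flow(line) for line in lines)
    return [f for f in flows if f.src in SENSITIVE_NET and not is_allowed(f)]

def block_rule(flow):
    """Firewall rule isolating the offending flow (iptables syntax, for illustration)."""
    return (f"iptables -I FORWARD -s {flow.src} -d {flow.dst} "
            f"-p {flow.proto} --dport {flow.dport} -j DROP")

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print(f"ALERT egress violation: {v.src} -> {v.dst}:{v.dport}/{v.proto}")
        print("  response:", block_rule(v))
```

The same check doubles as the firewall-rule verification the paper mentions: any flow the sensor sees that the policy says should not exist means a rule is missing or wrong.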

Software development and testing will have to mature if the industry is going to meet its security challenges. Colleges and universities will have to teach secure programming, companies will have to train their developers and programmers to write secure code, and security companies will create products to meet the demand for software VAS and penetration testing tools. Customers will want some indication that the websites they visit are free from common vulnerabilities such as XSS and clickjacking.

It will be extremely difficult for companies to claim ignorance once the lessons of this breach are shared with the industry. Future CEOs who attempt to use the same excuses as Mr. Carr are in danger of finding themselves in court on charges of negligence. Regardless of any criminal or civil action that may or may not take place, they will certainly lose customer trust, market share and revenue.

Next time: Security Policies and Laws

Bibliography

PCI Security Standards Council. “PCI Quick Reference Guide”. Accessed 13 June 2009. <https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf>.

Kabay, M.E. (2005). Managing VAS & IDS.

True, Becki. (2009). Vulnerability Assessment and Intrusion Detection.
