SANS Top-20 2007 Security Risks
(2007 Annual Update)

The list is organized into five groups: Client-side Vulnerabilities, Server-side Vulnerabilities, Application Abuse, Network Devices, and Zero Day Attacks.

Seven years ago, the SANS Institute and the National Infrastructure Protection Center (NIPC) at the FBI released a document summarizing the Ten Most Critical Internet Security Vulnerabilities. Thousands of organizations relied on that list, and on the expanded Top-20 lists that followed in succeeding years, to prioritize their efforts so they could close the most dangerous holes first. The threat landscape is very dynamic, which in turn makes it necessary to adopt newer security measures. Just over the last year, the kinds of vulnerabilities being exploited have become very different from the ones exploited in the past. Here are some observations:

- Operating systems have fewer vulnerabilities that can lead to massive Internet worms. For instance, during 2002-2005, Microsoft Windows worms like Blaster, Nachi, Sasser and Zotob infected a large number of systems on the Internet. There have not been any new large-scale worms targeting Windows services since 2005. On the other hand, vulnerabilities found in anti-virus, backup or other application software can result in worms. Most notable was the worm exploiting the Symantec anti-virus buffer overflow flaw last year.

- We have seen significant growth in the number of client-side vulnerabilities, including vulnerabilities in browsers, in office software, in media players and in other desktop applications. These vulnerabilities are being discovered on multiple operating systems and are being massively exploited in the wild, often to drive recruitment for botnets.

- Users who are allowed by their employers to browse the Internet have become a source of major security risk for their organizations. A few years back, securing servers and services was seen as the primary task for securing an organization. Today it is equally important, perhaps even more important, to prevent users from having their computers compromised via malicious web pages or other client-targeting attacks.

- Web application vulnerabilities in open-source as well as custom-built applications account for almost half the total number of vulnerabilities discovered in the past year. These vulnerabilities are being exploited widely to convert trusted web sites into malicious servers serving client-side exploits and phishing scams.

- The default configurations for many operating systems and services continue to be weak and continue to include default passwords. As a result, many systems have been compromised via dictionary and brute-force password-guessing attacks in 2007!

- Attackers are finding more creative ways to obtain sensitive data from organizations. Therefore, it is now critical to check the nature of any data leaving an organization's boundary.

The SANS Top-20 2007 list is not "cumulative." We include only critical vulnerabilities from the past year or so. If you have not patched your systems for a long time, it would be wise to patch the vulnerabilities listed in the Top-20 2006 list as well as those in the prior lists. At the end of this document, you will find a short FAQ (list of frequently asked questions) that answers questions you may have about the project and the way the list is created.

This year's list of top risks diverges from lists in past years, which focused on very specific technical vulnerabilities that could be fixed by tweaking a configuration or applying one patch. Because attackers are moving so quickly today, such point-fixes are outdated almost immediately. For that reason, this year's list of top risks focuses more on the areas that attackers are targeting and where organizations need to enhance their security processes to ensure consistent application of technical fixes.

The SANS Top-20 2007 is a living document. It includes step-by-step instructions and pointers to additional information useful for correcting the security flaws. We will update the list and the instructions as more critical threats and more current or convenient methods of protection are identified, and we welcome your input along the way. This is a community consensus document -- your experience in fighting attackers and in eliminating the vulnerabilities can help others who come after you. Please send suggestions via e-mail to top20@sans.org.

Version 8.0, November 28, 2007
C1. Web Browsers

C1.1 Description

Microsoft Internet Explorer is the world's most popular web browser and is installed by default on every Microsoft Windows system. Unpatched or older versions of Internet Explorer contain multiple vulnerabilities that can lead to memory corruption, spoofing and execution of arbitrary scripts or code. The most critical issues are the ones that lead to remote code execution without any user interaction when a user visits a malicious web page or reads a malicious email. Exploit code for many of these critical Internet Explorer flaws is publicly available. In addition, Internet Explorer has been leveraged to exploit vulnerabilities in other core Windows components such as HTML Help and the Graphics Rendering Engine. During the past year, hundreds of vulnerabilities in ActiveX controls installed by Microsoft and other software vendors have been discovered. These are also being exploited via Internet Explorer.

Mozilla Firefox is the second most popular web browser after Internet Explorer. It also has its fair share of vulnerabilities. In 2007, Mozilla released several updates to address publicly disclosed vulnerabilities. As with Internet Explorer, unpatched or older versions of Firefox contain multiple vulnerabilities that can lead to memory corruption, spoofing and execution of arbitrary scripts or code. The web sites exploiting browser vulnerabilities typically host several exploits, and may even launch the appropriate exploit(s) based on which browser the potential victim is using.

With the explosion of rich content in web sites, a parallel increase has been seen in the number of Browser Helper Objects and third-party plug-ins used to access various MIME file types such as multimedia and documents. These plug-ins often support client-side web scripting languages such as Macromedia Flash or Shockwave. Many of these plug-ins are installed (semi-)transparently by a website. Users may thus not be aware that an at-risk helper object or plug-in is installed on their system. These additional plug-ins introduce more avenues for hackers to exploit to compromise computers of users visiting malicious web sites. In October 2007, for example, systems running Windows XP and Windows Server 2003 with Windows Internet Explorer 7 were found not to handle specially crafted Uniform Resource Identifiers (URIs) properly. By creating a specially crafted URI in a PDF document, attackers were able to execute arbitrary commands on vulnerable systems.

While some plug-ins such as Adobe Reader and QuickTime perform version checks and provide an update feature, these are often bothersome and ignored by users. It is often also difficult to detect which version of a plug-in is installed. For example, systems may have different versions of Shockwave installed for reasons of backward compatibility, but the user cannot easily discover which version or versions are running.

These flaws have been widely exploited to install spyware, adware and other malware on users' systems. The spoofing flaws have been leveraged to conduct phishing attacks. In some cases, these vulnerabilities were zero-days, i.e. no patch was available at the time the vulnerabilities were publicly disclosed. Many reported plug-in flaws were also widely exploited by malicious web sites before patches were made available by the vendor. In 2007 alone, Microsoft has released multiple updates for Internet Explorer, among them:

- Cumulative Security Update for Internet Explorer (939653) (MS07-057)

C1.2 Operating Systems Affected

While in theory any web browser on any operating system is vulnerable, the most common web browsers will tend to be targeted most by attackers. The two most popular web browsers on the Internet today are Microsoft Internet Explorer and Mozilla Firefox.

- Internet Explorer 5.x, 6.x and 7 running on all versions of Windows are affected.
- Firefox running on any version of a compatible operating system is potentially vulnerable.
- As plug-ins are generally used to enable access to third-party file formats, many plug-in vulnerabilities apply to all compatible browsers on all operating systems. Any web browser running on any version of any operating system is potentially vulnerable.

C1.3 CVE Entries

Internet Explorer
Firefox
Adobe Acrobat Reader

The CVEs for plug-ins like media players are listed in section C4.

C1.4 How to Determine If You Are at Risk

You can use any vulnerability scanner to check whether your systems are patched against these vulnerabilities. For Internet Explorer, consider using Microsoft Windows Server Update Services (WSUS), Microsoft Baseline Security Analyzer (MBSA), Windows Live Scanner or Systems Management Server (SMS) to check the security patch status of your systems.

To see the plug-ins most recently used by Internet Explorer 7, select Tools -> Internet Options. Under the Programs tab, select Manage Add-ons. You can select different views of browser plug-ins, including those currently loaded, plug-ins that have been used by Internet Explorer, and those configured to run without requiring permission. You can disable any of these by clicking on a specific add-on and selecting Disable.

For Firefox, select Tools -> Options -> Content -> File Types -> Manage to see how Firefox will handle various file formats.

Third parties have begun releasing tools, such as Secunia PSI (currently in beta), which scan for browser helper object versions and patches.
C1.5 How to Protect against These Vulnerabilities

If you are using Internet Explorer on your Windows XP system, the best way to remain secure is to upgrade to Windows XP Service Pack 2. The improved operating system security and Windows Firewall will help mitigate risk. For those unable to use Windows XP with Service Pack 2, switching away from Internet Explorer to an alternative browser is the safest path.

To configure the security settings for Internet Explorer, select Internet Options under the Tools menu. For Firefox, select Options under the Tools menu.

Most plug-ins come with a "Check for Updates" feature. It can usually be found under the "Options", "Preferences" or "Help" menus.

C1.7 References

US-CERT Securing Web Browser Information
Internet Explorer 7 Desktop Security Guide
Microsoft Internet Explorer Weblog
Mozilla Security Center
Firefox Vulnerabilities
@Risk: The Consensus Security Alert

C2. Office Software

C2.1 Description

This section includes vulnerabilities for office productivity suites that include e-mail clients, word processors, spreadsheet applications, document viewers and presentation applications. Vulnerabilities in office products are typically exploited via the following attack vectors:

- An attacker sends a specially crafted office document in an email. When the attachment is opened, the malformed contents in the document exploit vulnerabilities in the office software.

Microsoft Office is the most widely used email and productivity suite worldwide. It includes Outlook, Word, PowerPoint, Excel, Visio, FrontPage and Access. A large number of critical flaws were reported in MS Office applications, and a few of them (CVE-2006-5574, CVE-2006-1305, CVE-2006-6456, CVE-2006-6561, CVE-2006-5994, CVE-2007-0515, CVE-2007-0671, CVE-2007-0045) were zero-day issues in which exploit code, technical details or a proof-of-concept was publicly disclosed before any fix became available from Microsoft.
Among the bulletins Microsoft released for these flaws:

- Microsoft Excel Remote Code Execution (MS07-002)

C2.3 Operating Systems Affected

Windows 9x, Windows 2000, Windows XP, Windows 2003, Windows Vista and Mac OS X are all vulnerable, depending on the version of Office software installed.

C2.4 How to Determine If You Are at Risk

Microsoft Office installations running without the patches referenced in the Microsoft Bulletins listed from the CVE entries are vulnerable. Use a vulnerability scanner to check whether your systems are patched against these vulnerabilities. Also consider using Microsoft Windows Server Update Services (WSUS), Microsoft Baseline Security Analyzer (MBSA), Windows Live OneCare or Systems Management Server (SMS) to check the security patch status of your systems.

C2.5 How to Protect against Office Vulnerabilities

- Keep the systems updated with all the latest patches and service packs. If possible, enable Automatic Updates on Windows systems.

References

Securing Microsoft Office

C3. Email Clients

C3.1 Description

E-mail is one of the vital applications of the Internet. E-mail provides tremendous savings in terms of time, money and efficiency. Given its omnipresence, e-mail provides a common vector for multiple vulnerabilities. Multiple avenues of attack can be employed through email:

- Distribution of malware (viruses, Trojans, keyloggers, spyware, adware, rootkits etc.);
- damage to applications, data, or operating system;

The most popular e-mail applications currently are Microsoft Outlook (Microsoft Windows only) and Outlook Express (Microsoft Windows only; old versions were available for Apple Macintosh). No matter what operating system or e-mail client application is used, precautions should be taken whenever handling email (see C3.4 How to Protect Against Vulnerabilities in Email Clients for details).

C3.2 Operating Systems Affected

Windows 2000 Workstation and Server, Windows XP Home and Professional, Windows Vista, Windows Server 2003, Mac OS X, Linux and Unix are all potentially vulnerable.

C3.3 CVE Entries

Microsoft Outlook Express, Outlook, Vista Windows Mail
Mozilla Thunderbird, SeaMonkey
Eudora

C3.4 How To Protect Against Vulnerabilities in Email Clients

- Remove all e-mail client software from production server systems, or where otherwise unnecessary.

Outlook/Outlook Express/Windows Mail

- Outlook Express is bundled with Internet Explorer and installed by default on Windows 98, 2000, XP and 2003. If Outlook Express is not required on the system, it is recommended to uninstall it.
- Outlook Express: Tools - Options - Read - select Read all messages in plain text.

Settings for Outlook 2003:

- Outlook: Tools - Options - Preferences - Email Options - select Read all standard mail in plain text.

Configuration settings for Mozilla Thunderbird (versions 2.0 and later):

- Thunderbird: View - Message body as - select Plain text.

References

Browsing the Web and Reading E-mail Safely as an Administrator
How to view all e-mail messages in plain text format
Overview of Cryptography in Outlook 2003
Digital signatures and encryption (Outlook 2007)
Service Packs (Microsoft Office and Microsoft Outlook)
Microsoft Office downloads
Block or unblock links in suspicious phishing messages
Customizing the Outlook Security Features Administrative Package
Security and privacy-related preferences (Thunderbird)
Security Policies (Thunderbird)

C4. Media Players

C4.1 Description

To play or display any multimedia content (music, video, pictures, drawings, etc.), regardless of origin, your computer needs an application called a media player. Music and videos are commonly downloaded from the Internet, usually for entertainment, news, education, and/or business content. Most modern operating systems are automatically configured with at least one standard media player software package. Third-party applications are also available that play formats not normally supported by the standard application set. Such support is usually required for proprietary formats that vendors must license in order to add compatibility to their media player application. These additional applications are usually installed on an as-needed basis, at times even automatically, in order to provide support for the requested multimedia content. Once these applications are installed they may be easily forgotten and overlooked by IT administrators who are responsible for patch management and support, usually because they are not aware of their existence on each deployed system.

Over the past year vulnerabilities have been released for most popular media players available today. While the severity of the vulnerabilities varies, these vulnerabilities can often be used to install malware such as viruses, botnet applications, rootkits, spyware and adware. While this list does provide a detailed overview of popular media players and their associated vulnerabilities, it does not attempt to be an exhaustive list of all media players and their associated vulnerabilities. Many of these vulnerabilities do have publicly available exploit code and are being actively exploited in the wild.

The media players for the major platforms are:

- Windows: Windows Media Player, RealPlayer, Apple QuickTime, Adobe Flash Player, Apple iTunes

C4.2 Operating Systems Affected

Microsoft Windows

C4.3 CVE Entries

RealPlayer
Apple iTunes
Adobe Flash Player
Apple QuickTime
Windows Media Player

C4.4 How to Determine If You Are Vulnerable

Using any media player that has not been patched or upgraded to the most recent version is a potential problem. Good system inventory and patch management practices will help you be proactive against threats from and attacks via media player applications.

C4.5 How to Protect Against Media Player Vulnerabilities

The following are some common best practices to protect against vulnerabilities associated with media players:

- Ensure media players are regularly updated with all the latest patches. Most players support updating via the Help or Tools menus.

References

RealNetworks Media Player Products Home Page
Apple QuickTime Home Page
Apple iTunes Home Page
Windows Media Player
Adobe Flash Player Homepage
Security Reports and Other Links

General Networking Measures to Mitigate the Impact of Client-side Vulnerabilities:

- Users should be restricted from surfing any potentially dangerous URLs via URL blocking.

S1. Web Applications

S1.1 Description

Web-based applications such as Content Management Systems (CMS), Wikis, Portals, Bulletin Boards, and Discussion Forums are used by small and large organizations. A large number of organizations also develop and maintain custom-built web applications for their businesses (indeed, in many cases, such applications are the business). Every week hundreds of vulnerabilities are reported in commercially available and open source web applications, and are actively exploited. Please note that custom-built web applications are also attacked and exploited even though the vulnerabilities in these applications are not reported and tracked by public vulnerability databases such as @RISK, CVE or BugTraq. The number of attempted attacks on some of the large web hosting farms ranges from hundreds of thousands to even millions every day.
All web frameworks (PHP, .NET, J2EE, Ruby on Rails, ColdFusion, etc.) and all types of web applications are at risk from web application security defects, ranging from insufficient validation through to application logic errors. The most exploited types of vulnerabilities are:

- PHP Remote File Include: PHP is the most common web application language and framework in use today. By default, PHP allows file functions to access resources on the Internet using a feature called "allow_url_fopen". When PHP scripts allow user input to influence file names, remote file inclusion can be the result. This attack allows (but is not limited to):

S1.2 How to Determine If You Are at Risk

Web scanning tools can help find these vulnerabilities, particularly if they are known bugs. However, finding all potential vulnerabilities requires a source code review as well as an application penetration test. These should be done by the developers prior to release of any important web application. Inspect your web application framework's configuration and harden it appropriately. System administrators should consider scanning web servers periodically with vulnerability scanners, particularly if they run a large or diverse range of user-supplied scripts (such as on a hosting farm). No person should be engaged to write web applications unless they can pass the GSSP Secure Software Programming exam, which covers the essential security skills and knowledge that developers need to produce more secure applications.

S1.3 How to Protect against Web Application Vulnerabilities

From the PHP system administration and hosting perspective:

- Upgrade to PHP 5.2 as it eliminates many latent PHP security issues and allows for safer APIs, such as PDO.
- If you use PHP, migrate your application to PHP 5.2 as a matter of urgency.

References

OWASP - Open Web Application Security Project
OWASP Testing Guide
OWASP Guide - a compendium of secure coding
OWASP Top 10 - Top 10 web application security weaknesses
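Two defender-side checks for the PHP remote file include risk described in S1, as an added example that is not part of the SANS document: an audit of the php.ini directives that let include() fetch URLs (allow_url_fopen and, from PHP 5.2 on, allow_url_include), and a scan of Apache combined-format access-log lines for query parameters whose value is a URL or stream wrapper, which is what a remote include attempt looks like on the server side. The php.ini fragments and the log lines are constructed.

```python
"""Two checks for PHP remote file include exposure.

Added example, not part of the SANS document. php_ini_findings() reports
the php.ini directives that let include()/require() fetch URLs, and
find_rfi_attempts() scans Apache combined-format access-log lines for query
parameters whose value is a URL or stream wrapper. The php.ini fragments and
the log lines below are constructed.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Prefixes include() will resolve remotely or through a wrapper once URL
# fetching is enabled (allow_url_fopen, and from PHP 5.2 allow_url_include).
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "ftps://", "php://", "data:")


def parse_php_ini(text):
    """Return {directive: value} (lower-cased) from php.ini text."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        settings[key.lower()] = value.strip('"').lower()
    return settings


def php_ini_findings(text):
    """Directives that leave include() able to reach remote content."""
    s = parse_php_ini(text)
    off = ("off", "0", "")
    findings = []
    # PHP 5.2 separates the two: allow_url_include gates include()/require(),
    # allow_url_fopen gates the other file functions. Before 5.2 only
    # allow_url_fopen exists and it gates include() as well.
    if s.get("allow_url_include", "off") not in off:
        findings.append("allow_url_include is on: include() will fetch URLs")
    if s.get("allow_url_fopen", "on") not in off:
        findings.append("allow_url_fopen is on: file functions reach the Internet")
    return findings


ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def find_rfi_attempts(lines):
    """(source, timestamp, parameter, decoded value, status) per suspicious request."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        # parse_qsl percent-decodes, so an encoded "https%3A%2F%2F" is caught too
        for name, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
            if value.lower().startswith(REMOTE_PREFIXES):
                hits.append((m["src"], m["ts"], name, value, int(m["status"])))
    return hits


# Constructed php.ini fragments: URL fetching left on, and the hardened form.
WEAK_INI = "; constructed php.ini fragment\n[PHP]\nallow_url_fopen = On\nallow_url_include = On\n"
HARDENED_INI = "allow_url_fopen = Off\nallow_url_include = Off\n"

SAMPLE_LOG = [   # constructed Apache combined-format lines
    '203.0.113.9 - - [28/Nov/2007:10:22:01 +0000] "GET /index.php?page=http://203.0.113.77/inc.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '198.51.100.3 - - [28/Nov/2007:10:22:05 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [28/Nov/2007:10:22:09 +0000] "GET /view.php?file=https%3A%2F%2F203.0.113.77%2Finc.txt HTTP/1.1" 500 0 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    print("weak php.ini:", php_ini_findings(WEAK_INI))
    print("hardened php.ini:", php_ini_findings(HARDENED_INI))
    for src, ts, name, value, status in find_rfi_attempts(SAMPLE_LOG):
        print(f"{ts} {src} {name}={value} -> {status}")
```

On a hosting farm the log scan is most useful when run over all virtual hosts at once, since the same source tends to try the same parameter names against every site.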
PHPSecInfo
GSSP Exam blueprints and testing schedule

S2. Windows Services

S2.1 Description

The family of Windows operating systems supports a wide variety of services, networking methods and technologies. Many of these components are implemented as Service Control Programs (SCP) under the control of the Service Control Manager (SCM), which runs as "services.exe". Vulnerabilities in the services that implement these operating system functions are some of the most common avenues for exploitation.

When you first install Microsoft Windows Server 2003, Microsoft Windows XP, or Windows Vista, some services are installed and configured to run by default whenever the computer is restarted. On Windows Server 2003 the specific services enabled correspond to the role that is assigned to each server. You may not need all of the default services in your environment, and you should disable any unneeded services to enhance security.

A service must log on to access resources and objects in the operating system, and most services are not designed to have their default logon account changed. If you change the default account password, the service will probably fail. If you select an account that does not have permission to log on as a service, the Microsoft Management Console (MMC) Services snap-in automatically grants that account the ability to log on as a service on the computer. However, this automatic configuration does not guarantee that the service will start. Windows operating systems include three built-in local accounts that are used as the logon accounts for various system services:

- Local System account. The Local System account is a powerful account that has full access to the computer and acts as the computer on the network. If a service uses the Local System account to log on to a domain controller, that service has access to the entire domain. Some services are configured by default to use the Local System account, and this should not be changed. The Local System account does not have a user-accessible password.

- Local Service account. The Local Service account is a special, built-in account that is similar to an authenticated user account. It has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your computer if individual services or processes are compromised. Services that use the Local Service account access network resources as a null session with anonymous credentials. The name of this account is NT AUTHORITY\Local Service, and it does not have a user-accessible password.

- Network Service account. The Network Service account is also a special, built-in account that is similar to an authenticated user account. Like the Local Service account, it has the same level of access to resources and objects as members of the Users group, which helps safeguard your computer. Services that use the Network Service account access network resources with the credentials of the computer account. The name of the account is NT AUTHORITY\Network Service, and it does not have a user-accessible password.

Graphical user interface (GUI) based tools can help you edit services. However, versions of these tools that were included with earlier versions of the Windows operating system (before Windows Server 2003) automatically apply permissions to each service when you configure any of the properties of a service. Tools such as the Group Policy Object Editor and the MMC Security Templates snap-in use the Security Configuration Editor DLL to apply these permissions. For example, when you use the MMC Security Templates snap-in to configure the startup state of a service in Windows XP, a dialog box proposing a set of permissions for the service is displayed. Regardless of whether you click OK or Cancel, the permissions will be applied to the service that is being configured. Unfortunately, the permissions that this dialog box proposes do not match the default permissions for most services that are included with Windows. In fact, the permissions will cause a variety of problems for many services. We suggest you not alter the permissions on services that are included with Windows XP or Windows Server 2003, because the default permissions are already quite restrictive. You have several options to deal with this scenario:

- Use the Security Configuration Wizard, an optional Windows component that is included with Windows Server 2003 Service Pack 1 (SP1). Use this approach when you need to configure services and network port filters for various Windows Server 2003 server roles.

S2.2 Operating Systems Affected

Windows XP Home and Professional, Windows 2003 and Windows Vista are all potentially vulnerable.

S2.3 CVE Entries

CVE-2007-0213, CVE-2007-1748, CVE-2007-0938, CVE-2006-5584, CVE-2006-5583, CVE-2006-4691
CVE-2006-0027, CVE-2006-1314, CVE-2006-2370, CVE-2006-2371, CVE-2006-3439

S2.4 How to Determine If You Are at Risk

Use any vulnerability scanner to check whether your systems are patched against these vulnerabilities. You can also consider using Microsoft Windows Server Update Services (WSUS), Microsoft Baseline Security Analyzer (MBSA), Windows Live Scanner or Systems Management Server (SMS) to check the security patch status of your systems.

S2.5 How to Protect against These Vulnerabilities

- US Government users of Windows are now required to use the Federal Desktop Core Configuration for Windows XP or Vista (http://fdcc.nist.gov/). Other organizations will find the FDCC to be a reliable and safe configuration as well.

Table 1. Disabled Windows Services on Windows Clients
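An audit of service start types and logon accounts from the text that `sc qc <service>` prints, as an added example that is not part of the SANS document. It classifies each service's account using the three built-in accounts described in S2 and reports services that should be disabled but are not. Because the contents of Table 1 are not reproduced in this copy, the must-be-disabled list below is a constructed placeholder, as is the sample `sc qc` output.

```python
"""Audit Windows service start types and logon accounts from `sc qc` output.

Added example, not part of the SANS document. Run `sc qc <service>` for each
service of interest, concatenate the output, and feed it to parse_sc_qc().
The sample output and the must-be-disabled list are constructed stand-ins
(Table 1 of the document is not reproduced here).
"""
import re

# Privilege carried by each built-in service account, as described in S2.
BUILTIN_ACCOUNTS = {
    "localsystem": "Local System: full access to the computer",
    "ntauthority\\localservice": "Local Service: Users-group rights, anonymous on the network",
    "ntauthority\\networkservice": "Network Service: Users-group rights, computer account on the network",
}
FIELDS = {"START_TYPE": "start_type", "SERVICE_START_NAME": "account", "BINARY_PATH_NAME": "binary"}


def parse_sc_qc(text):
    """Return {service: {"start_type", "account", "binary"}} from sc qc text."""
    services, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^SERVICE_NAME:\s*(\S+)", line)
        if m:
            current = services.setdefault(m.group(1), {})
            continue
        m = re.match(r"^\s*(START_TYPE|SERVICE_START_NAME|BINARY_PATH_NAME)\s*:\s*(.*)$", line)
        if m and current is not None:
            value = m.group(2).strip()
            if m.group(1) == "START_TYPE":          # "2   AUTO_START" -> "AUTO_START"
                value = value.split()[-1] if value else ""
            current[FIELDS[m.group(1)]] = value
    return services


def classify_account(account):
    """Map a SERVICE_START_NAME value to the privilege description from S2."""
    return BUILTIN_ACCOUNTS.get(account.replace(" ", "").lower(),
                                "named account (domain or local user): " + account)


def audit_services(services, must_be_disabled):
    """(service, finding) for services that should be DISABLED but are not."""
    wanted_off = {n.lower() for n in must_be_disabled}
    return [(name, "expected DISABLED, start type is " + cfg.get("start_type", "?"))
            for name, cfg in services.items()
            if name.lower() in wanted_off and cfg.get("start_type") != "DISABLED"]


def privilege_inventory(services):
    """Group service names by the privilege class of their logon account."""
    groups = {}
    for name, cfg in services.items():
        groups.setdefault(classify_account(cfg.get("account", "")), []).append(name)
    return groups


MUST_BE_DISABLED = ["TlntSvr", "RemoteRegistry"]   # constructed stand-in for Table 1

SAMPLE_SC_QC = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: TlntSvr
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\system32\tlntsvr.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Telnet
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: RemoteRegistry
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k LocalService
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Remote Registry
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : NT AUTHORITY\LocalService
"""

if __name__ == "__main__":
    svcs = parse_sc_qc(SAMPLE_SC_QC)
    for name, finding in audit_services(svcs, MUST_BE_DISABLED):
        print(f"{name}: {finding}")
    for group, names in privilege_inventory(svcs).items():
        print(f"{group}: {', '.join(names)}")
```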
- In some cases, null session access to the vulnerable interface could be removed as a work-around. It is a good practice to review your current RestrictAnonymous settings and keep them as stringent as possible based on your environment. http://www.securityfocus.com/infocus/1352

S2.6 References

Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP
Windows XP Security Guide
Windows Server 2003 Security Guide
Using Windows Firewall
Security Configuration Wizard for Windows Server 2003
How to use IPSec IP filter lists in Windows 2000
How to block specific network protocols and ports by using IPSec
How to configure TCP/IP filtering in Windows 2000

S3. UNIX/Mac OS Services

S3.1 Description

Most Unix/Linux systems include multiple standard services in their default installation. Mac OS X often suffers from the same vulnerabilities as Unix systems, since it is based on Unix. Unnecessary services should be disabled, and all servers facing open networks should be protected by a firewall. For services which provide remote login and/or remote service, traffic cannot simply be blocked by firewalls. Buffer overflow vulnerabilities and flaws in authentication functions can often provide a vector for arbitrary code execution, sometimes with administrative privileges, so gathering vulnerability information and patching rapidly are very important. Every year, buffer overflow vulnerabilities in Unix/Linux services are found. These services, even if fully patched, can be the cause of unintended compromises.

Brute-force attacks against remote services such as SSH, FTP, and telnet are still the most common form of attack to compromise servers facing the Internet. Over the last couple of years a concerted effort has been made by attackers to recover passwords used by these applications via brute-force attacks. Increasingly, worms and bots have brute-force password engines built into them. Systems with weak passwords for user accounts are actively and routinely compromised; often privilege escalations are used to gain further privileges, and rootkits are installed to hide the compromise. It is important to remember that brute forcing passwords can be used as a technique to compromise even a fully patched system.

Security-conscious administrators should use SSH or another encrypted protocol as their method of interactive remote access. If the version of SSH is current and it is fully patched, the service is generally assumed to be safe. However, regardless of whether it is up to date and patched, SSH can still be compromised via brute-force password-guessing attacks.
Use the public key authentication mechanism for SSH to thwart such attacks. For the other interactive services, audit passwords to ensure they are of sufficient complexity to resist a brute-force attack. Minimizing the number of running services on a host will also make it more secure. Many services have been used to further exploits, and some combinations of services (such as web servers and FTP servers that share published directories) are particularly prone to exploits.

S3.2 Affected OSs

All versions of Unix/Linux/Mac OS Server are potentially at risk from improper and default configurations. All those OS versions may be affected by accounts having weak or dictionary-based passwords for authentication.

S3.3 CVE Entries

Remote services
Kernel/Libraries
Management Console/Tools
Others

S3.4 How to Determine If You Are Vulnerable

Default installations (either from the manufacturer or by an administrator) of operating systems or network applications may include a wide range of unneeded and unused services. In many cases the uncertainty about operating system or application needs leads many manufacturers or administrators to install a large amount of software in case it is needed in the future. This simplifies the installation process significantly but also introduces a wide range of unneeded services and user accounts that have default, weak, or known passwords. The use of an updated vulnerability scanner or a port mapper can be highly effective in discovering any potential vulnerabilities left by default installations, such as unneeded and/or outdated services or applications. Also, a password cracker can help to avoid the use of weak or easily compromised passwords.

Note: never run a password cracker or vulnerability scanner, even on systems for which you have root-like access, without explicit, written permission from your employer. Administrators with the most benevolent of intentions have been fired and prosecuted for running password cracking tools without the authority to do so.

S3.5 How to Protect Against These Vulnerabilities

- Disable unnecessary services. Scan the server with a port scanner or vulnerability assessment tool to determine what unnecessary services are running on a system. Disable the services that are not required by any necessary applications.
- Use the Center for Internet Security benchmarks from www.cisecurity.org for your OS and the services you use. Also consider using Bastille (www.bastille-linux.org) to harden Linux and HP-UX based hosts.
- Deploy hardware/software firewalls and IDS/IPS to detect and block attacks and protect required services. If possible, limit the source IP addresses for remote logins and services.
- Don't use default passwords on any account.
- Where possible, limit the functions of the host. Misconfigurations in multiple services may often increase the risk to a service.
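The SSH password-guessing problem and the key-only remedy described in S3, as an added example that is not part of the SANS document: the first function finds sources with a burst of failed password logins in sshd's syslog lines and notes whether a password login from the same source later succeeded, and the second audits an sshd_config against the settings that make public key authentication the only interactive option. The log lines and sshd_config fragments are constructed; the OpenSSH defaults assumed for absent keywords are marked as assumptions in the code.

```python
"""Spot SSH password guessing in sshd log lines and audit sshd_config.

Added example, not part of the SANS document. The log lines and the
sshd_config fragments below are constructed; the log format is the one
OpenSSH writes to syslog.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return (timestamp, result, method, user, source) or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # syslog carries no year; relative order is all the window check needs
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
    return ts, m["result"], m["method"], m["user"], m["src"]


def find_guessing_sources(lines, threshold=5, window_seconds=60):
    """Sources with >= threshold failed password logins inside one window.

    Returns {source: (peak failures in a window, sorted users tried,
    users whose password login from that source later succeeded)}.
    A success following a burst of failures is the case to treat as a compromise.
    """
    failures, users, successes = defaultdict(list), defaultdict(set), defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, method, user, src = parsed
        if result == "Failed" and method == "password":
            failures[src].append(ts)
            users[src].add(user)
        elif result == "Accepted" and method == "password":
            successes[src].append((ts, user))
    report = {}
    for src, stamps in failures.items():
        stamps.sort()
        peak, start = 0, 0
        for end in range(len(stamps)):       # sliding window over sorted times
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            later = [u for t, u in successes[src] if t >= stamps[0]]
            report[src] = (peak, sorted(users[src]), later)
    return report


# Desired value, and the OpenSSH default assumed when the keyword is absent
# (an assumption: defaults differ between versions, check sshd_config(5)).
WANTED = {
    "passwordauthentication": ("no", "yes"),
    "challengeresponseauthentication": ("no", "yes"),
    "pubkeyauthentication": ("yes", "yes"),
    "permitrootlogin": ("no", "yes"),
}


def audit_sshd_config(text):
    """Return (keyword, effective value, desired value) for each deviation."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split("=", 1) if "=" in line else line.split(None, 1)
        if len(parts) != 2:
            continue
        # sshd honours the first occurrence of a keyword, so keep only that
        effective.setdefault(parts[0].strip().lower(), parts[1].strip())
    return [(k, effective.get(k, default).lower(), desired)
            for k, (desired, default) in WANTED.items()
            if effective.get(k, default).lower() != desired]


SAMPLE_LOG = """\
Nov 28 10:15:01 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Nov 28 10:15:03 bastion sshd[2212]: Failed password for invalid user test from 203.0.113.5 port 40123 ssh2
Nov 28 10:15:05 bastion sshd[2213]: Failed password for root from 203.0.113.5 port 40124 ssh2
Nov 28 10:15:07 bastion sshd[2214]: Failed password for root from 203.0.113.5 port 40125 ssh2
Nov 28 10:15:09 bastion sshd[2215]: Failed password for bob from 203.0.113.5 port 40126 ssh2
Nov 28 10:15:12 bastion sshd[2216]: Accepted password for bob from 203.0.113.5 port 40127 ssh2
Nov 28 10:15:30 bastion sshd[2217]: Accepted publickey for alice from 198.51.100.7 port 50010 ssh2
Nov 28 10:16:00 bastion sshd[2218]: Failed password for alice from 198.51.100.7 port 50011 ssh2
"""
# Constructed sshd_config fragments: password logins still allowed, then key-only.
WEAK_CONFIG = "Port 22\nPermitRootLogin yes\nPubkeyAuthentication yes\n#PasswordAuthentication no\n"
HARDENED_CONFIG = ("PasswordAuthentication no\nChallengeResponseAuthentication no\n"
                   "PubkeyAuthentication yes\nPermitRootLogin no\n")

if __name__ == "__main__":
    for src, (peak, tried, later) in find_guessing_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {peak} failures in 60s, users tried {tried}, later password logins {later}")
    print("weak:", audit_sshd_config(WEAK_CONFIG), "hardened:", audit_sshd_config(HARDENED_CONFIG))
```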
- Brute Force Attacks and Counter Measures
- General UNIX Security Resources

S4. Backup Software

S4.1 Description

Backup software is an extremely valuable asset for any organization. It typically runs on many systems throughout an enterprise. In recent years the trend has been to consolidate backup functions onto a few servers, or even a single server, with the hosts requiring backup services communicating with the backup server over the network. Interaction with the server generally follows a push approach, where the client sends data to the server to be backed up, a pull approach, where the server polls the client for new data to be backed up, or a combination of the two.

During 2007 many critical backup software vulnerabilities were discovered. Because backup software generally runs with high privileges so that it can read every file on a system, vulnerabilities in it have had severe consequences. Some of these flaws were exploited to completely compromise systems running backup servers and/or backup clients; attackers leveraged them for enterprise-wide compromise and obtained access to the sensitive backed-up data. Exploits have been publicly posted for many of these flaws, and these vulnerabilities are often exploited in the wild.

S4.2 Operating Systems and Backup Software Affected

All operating systems running backup server or client software are potentially vulnerable to exploitation. The affected operating systems tend to be Windows and Unix systems, as these form the preponderance of enterprise clients and servers. The following popular backup software packages have had critical vulnerabilities:
- Computer Associates (CA) BrightStor ARCServe has had dozens of easy-to-exploit vulnerabilities with exploit code widely available.
Backup data often contains all of, or at least large portions of, the data on a given system. Generally it is stored in a centralized location and is often unencrypted. Physical security of backup media is of the utmost importance, as theft or analysis of backup media can provide complete access to critical data with little or no additional effort. If at all possible, backed-up data should be encrypted with strong encryption, and the means of decryption should be available only to trusted individuals.

S4.4 CVE Entries

CVE-2007-5332, CVE-2007-5330, CVE-2007-5328, CVE-2007-5327, CVE-2007-5325, CVE-2007-5006, CVE-2007-5004, CVE-2007-5003, CVE-2007-3825, CVE-2007-3216, CVE-2007-2864, CVE-2007-2863, CVE-2007-2139, CVE-2007-1447, CVE-2007-5126, CVE-2007-3509, CVE-2007-2279, CVE-2007-3618

S4.5 How to Determine If You Are Vulnerable

Use any vulnerability scanner to detect vulnerable backup software installations. Ensure the latest vendor-supplied software patches are installed on the clients and servers.

S5. Anti-virus Software

S5.1 Description

Anti-virus software is seen as a required basic tool within the "defense-in-depth" toolbox to protect systems today. It is now installed on almost all desktops, servers and gateways to combat virus outbreaks.

During 2007, attackers shifted their focus to the security products used by large numbers of end users, including anti-virus and personal firewall software. The discovery of vulnerabilities in anti-virus software is not limited to desktop and server platforms: gateway solutions are also affected, and compromising a gateway can have a much larger impact, since in many small organizations the gateway is the outer layer of protection and the only protection against some threats.

Multiple remote code execution vulnerabilities have been discovered in the anti-virus software of various vendors, including Symantec, F-Secure, Trend Micro, McAfee, Computer Associates, ClamAV and Sophos. These vulnerabilities can be used to take complete control of the user's system with limited or no user interaction.

Anti-virus software has also been found to be vulnerable to "evasion" attacks. By specially crafting a malicious file (for instance, an HTML file with an executable header) it may be possible to bypass anti-virus scanning. Such evasion attacks can be used to create a vector for malware propagation, or to bypass systems that would otherwise limit malware propagation.

S5.2 Operating Systems Affected

Any system with an installed anti-virus application or scanning engine meant to scan for malicious data could be affected. This includes solutions installed on desktops, servers and gateways. Any platform could be affected, including all Microsoft Windows and Unix systems.

S5.3 CVE Entries

Avast!, AVIRA, BitDefender, ClamAV, Computer Associates, HAURI, F-Secure, Kaspersky, McAfee, Panda, Sophos, Symantec, Trend Micro

S5.4 How to Determine If You Are Vulnerable

If you are running any release of any anti-virus software that has not been updated to the latest version, you are likely to be affected.

S5.5 How to Protect against Anti-virus Software Vulnerabilities

Ensure that all of your anti-virus software is regularly and automatically updated.
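The evasion case described above, a file whose name says one thing and whose bytes say another, is easiest to catch by classifying content rather than trusting extensions. The following is an added example written for this page, not code from SANS or from any anti-virus vendor; the sample files are constructed byte strings, and the `fake_pe()` helper is a stand-in for a real executable header. It sniffs the leading bytes, compares them with what the extension promises, and also looks for an executable header hidden further inside a document-looking file.

```python
"""Content-based file type check for a scanning pipeline.

Added example for this page; it is not code from SANS or from any
anti-virus vendor. The sample files below are constructed byte strings.
The point is to classify a file by what its bytes say it is, never by its
name, and to notice when an executable header hides inside a file that
otherwise looks like a document.
"""
import os
import struct
from typing import Optional

# Leading-byte signatures (magic numbers) for a few common types.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip-container"),        # also .docx/.xlsx/.jar
    (b"\xd0\xcf\x11\xe0", "ole2-document"),  # legacy .doc/.xls
]
HTML_TOKENS = (b"<html", b"<!doctype html", b"<script", b"<body")

# Which sniffed kinds are acceptable for a given extension.
EXPECTED = {
    ".exe": {"pe-executable"}, ".dll": {"pe-executable"},
    ".pdf": {"pdf"},
    ".zip": {"zip-container"}, ".docx": {"zip-container"},
    ".xlsx": {"zip-container"}, ".jar": {"zip-container"},
    ".doc": {"ole2-document"}, ".xls": {"ole2-document"},
    ".html": {"html"}, ".htm": {"html"},
    ".txt": {"text", "html"},
}


def sniff_type(data: bytes) -> str:
    """Classify by leading bytes first, then by HTML markers, then by text-ness."""
    head = data[:4096]
    for sig, kind in MAGIC:
        if head.startswith(sig):
            return kind
    lowered = head.lstrip().lower()
    if any(tok in lowered for tok in HTML_TOKENS):
        return "html"
    try:
        head.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "unknown-binary"


def _looks_like_pe(data: bytes, off: int) -> bool:
    """True if an 'MZ' at `off` is followed by a valid e_lfanew -> 'PE\\0\\0' chain."""
    if data[off:off + 2] != b"MZ" or len(data) < off + 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3c)[0]
    return data[off + e_lfanew:off + e_lfanew + 4] == b"PE\x00\x00"


def embedded_executable(data: bytes) -> bool:
    """True if a PE or ELF header appears *past* the start of the file (a polyglot)."""
    head = data[:65536]
    pos = head.find(b"MZ", 1)
    while pos != -1:
        if _looks_like_pe(head, pos):
            return True
        pos = head.find(b"MZ", pos + 1)
    return head.find(b"\x7fELF", 1) != -1


def check_file(name: str, data: bytes) -> Optional[str]:
    """Return a reason to quarantine the file, or None if name and content agree."""
    ext = os.path.splitext(name)[1].lower()
    kind = sniff_type(data)
    if kind.endswith("executable") and ext not in (".exe", ".dll"):
        return f"executable content disguised as '{ext or '(no extension)'}'"
    expected = EXPECTED.get(ext)
    if expected is not None and kind not in expected:
        return f"content is {kind}, expected one of {sorted(expected)}"
    if embedded_executable(data):
        return f"{kind} file carries an embedded executable header"
    return None


def fake_pe() -> bytes:
    """Constructed stand-in for a PE header: 'MZ', e_lfanew at 0x3c -> 'PE\\0\\0' at 0x40."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3c, 0x40)
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


# Constructed samples: name -> bytes.
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n%...\n",
    "notes.txt": b"Meeting notes: patch the gateway scanner.\n",
    "invoice.html": fake_pe(),                                     # executable named as HTML
    "page.html": b"<html><body>hello</body></html>" + fake_pe(),   # HTML with a PE tucked inside
    "setup.exe": fake_pe(),
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(f"{fname:14s} {sniff_type(blob):16s} {check_file(fname, blob) or 'ok'}")
```

The PE check validates the `e_lfanew` pointer to `PE\0\0` rather than reacting to every `MZ` byte pair, which keeps the polyglot search from firing on ordinary text. A real gateway would hand every file to the engine for the type it actually is, and quarantine anything `check_file` rejects rather than letting the name choose the scanner.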
Below is a list of anti-virus vendors to check for upgrades, patches and security advisories.

Anti-virus Security Advisories
- https://www2.sans.org/newsletters/risk/display.php?v=6&i=29#widely7 (Symantec)
- http://www.kb.cert.org/vuls/id/968818
- http://www.cert.org/other_sources/viruses.html

Applications such as on-server virus and spam filters, directory servers, and management and monitoring systems pose a unique security challenge: in addition to opportunities for compromising the system hosting them, they provide opportunities to attack other systems.

S6.2 Applications Affected

These applications can be divided into multiple categories:
- Directory Servers - Used to maintain user and system information. Compromising these applications can give access to large amounts of information, including usernames and (possibly encrypted) passwords.

S6.3 CVE Entries

CVE-2006-5478, CVE-2006-4509, CVE-2006-4510, CVE-2006-4177, CVE-2006-2496, CVE-2006-0992, CVE-2005-3653, CVE-2005-1928, CVE-2005-1929

S6.4 How to Determine If You Are at Risk

Use a vulnerability scanner. Keep the systems updated with all the latest patches and service packs. If provided, use an automatic update system.

- Trend Micro ServerProtect Multiple Vulnerabilities
- Trend Micro Home Page
- CA iTechnology iGateway Buffer Overflow
- CA Home Page
- Novell eDirectory iMonitor Remote Buffer Overflows
- Novell Home Page
- Symantec Sygate Management Server SQL Injection
- Symantec Home Page
- HP OpenView Multiple Remote Command Execution
- HP OpenView Storage Data Protector Remote Code Execution
- HP OpenView Home Page
- Barracuda Spam Firewall Remote Command Injection
- Barracuda Home Page

S7. Database Software

S7.1 Description

Databases provide the ability to store, search and manipulate large amounts of data. They are key elements of many systems, even though their presence may not be directly visible to users. They are found in many common applications, including financial, banking, customer relationship management and system monitoring software. Due to the valuable information they often store, such as personal and financial details, databases are often a target of attack and are of particular interest to identity thieves.

Database systems are often very complex, combining the core database with a collection of applications. Some of these applications are supplied by the database vendor; others (such as web applications) are written by users in house. A flaw in any of these components can compromise the stored data. It is not sufficient to protect the database alone: all the associated applications need to be secured.

The most common vulnerabilities in database systems are:
- Use of default configurations with default user names and passwords.

All modern databases can be accessed over networks, which means that anyone with network access and readily available query tools can attempt to connect directly to the database. The commonly used default connections are:
- Microsoft SQL: TCP port 1433 and UDP port 1434
- Oracle: TCP port 1521
- IBM DB2: ports 523 and 50000 and up
- IBM Informix: TCP ports 9088 and 9099
- Sybase: TCP port 4100 or 2025
- MySQL: TCP port 3306
- PostgreSQL: TCP port 5432

Due to the network connections they provide, databases may suffer from worms; there have been examples of worms attacking Microsoft SQL and Oracle.

In addition to addressing the specific vulnerabilities mentioned here, administrators concerned with database security should consider:
- The impact of standards such as the Payment Card Industry Data Security Standard, which may require encryption of some information such as credit card numbers or prohibit the storage of some types of information.
S7.2 Operating Systems Affected

Most database systems, commercial and open source, run on multiple platforms, and issues regularly cover all supported platforms.

S7.3 CVE Entries

These are the entries released since September 2006 that have a CVSS base score of 7 or more. Earlier vulnerabilities can be found in previous editions of this SANS document. In many cases reported issues are not flaws in the databases themselves but in applications built around them (e.g. SQL injection into web interfaces); these have not been included here.

- IBM DB2: CVE-2007-1086, CVE-2007-1087, CVE-2007-1088, CVE-2007-1089, CVE-2007-2582, CVE-2007-5652
- IBM Informix: None during this reporting period.
- Microsoft SQL Server: CVE-2007-4814
- None during this reporting period.
- Oracle: Note: Oracle releases quarterly Critical Patch Updates (CPU) covering large numbers of issues in the database and associated applications. The list above contains vulnerabilities in the core Oracle database programs for which there is specific information. There are many other vulnerabilities about which there is no public information other than the advice to apply the CPU.
- PostgreSQL: CVE-2007-0555. Note: other issues have been recorded in vulnerability lists as a result of a white paper on PostgreSQL security, but the developers argue that these are not security issues.
- Sybase: None during this reporting period.

S7.4 How to Determine If You Are Vulnerable

It is not sufficient to check a simple, manually maintained list of the applications that have been installed. Because databases are often distributed as components of other applications, a database can be installed without administrators realizing it, and may therefore remain unpatched or in a vulnerable default configuration. Perform a vulnerability scan on systems to determine whether database software is available, accessible and vulnerable. In addition to general-purpose vulnerability scanners there are specialized tools, both commercial and public domain; a web search for "database security scanners" will identify possible tools. They vary from simple network service scanners, through systems that check for default configurations and passwords, to systems that check the detailed configurations of specific makes of databases.

S7.5 How to Protect Against Database Vulnerabilities

Ensure that all DBMS patches are up to date. Unpatched or outdated versions are likely to include vulnerabilities. Check vendor sites for patch information. Remain up to date with the vulnerabilities and alerts announced by the vendors:
Generic and multiple database resources
- SANS reading room on database security: http://www.sans.org/reading_room/catindex.php?cat_id=3
IBM DB2
- http://www.net-security.org/dl/articles/Securing_IBM_DB2.pdf
IBM Informix
- http://www.databasesecurity.com/informix.htm
Microsoft SQL Server
- http://www.microsoft.com/sql/techinfo/administration/2000/security/default.mspx
MySQL
- SecurityFocus step-by-step guide to securing MySQL: http://www.securityfocus.com/infocus/1726
Oracle
- SANS Comprehensive Security Checklist for Oracle: http://www.sans.org/score/oraclechecklist.php
PostgreSQL
- http://www.postgresql.org/support/security
Sybase
- Guide to Sybase security: http://www.niiconsulting.com/innovation/Sybase.pdf
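S7.4 warns that databases arrive bundled inside other products and go unnoticed. A cheap first pass, before any vulnerability scanner, is to read each host's listening-socket table against the default ports listed in S7.1. The following is an added example written for this page, not a SANS or vendor tool: the port table is taken from the description above, the `netstat -an` output is constructed, and the decision to treat only the first 100 ports of DB2's "50000 and up" range as DB2 is an assumption. It also records whether each listener is bound to loopback or to a network-reachable address, which is the difference between a local dependency and an exposed service.

```python
"""Find database services from a host's listening-socket table.

Added example for this page, not from the SANS document or any vendor
tool. The port table comes from the S7 description; the netstat output
below is constructed. Running this against real `netstat -an` output on
each host answers the S7.4 question of whether a database is installed
and, just as important, whether it is reachable from the network or only
bound to loopback.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# Default ports as listed in S7 ("IBM DB2 via ports 523 and 50000 up").
DEFAULT_DB_PORTS: Dict[str, Dict[int, str]] = {
    "tcp": {
        1433: "Microsoft SQL Server",
        1521: "Oracle",
        523: "IBM DB2",
        9088: "IBM Informix",
        9099: "IBM Informix",
        4100: "Sybase",
        2025: "Sybase",
        3306: "MySQL",
        5432: "PostgreSQL",
    },
    "udp": {1434: "Microsoft SQL Server (browser service)"},
}
# Assumption: treat the first 100 ports of the DB2 "50000 up" range as DB2.
DB2_PORT_RANGE = range(50000, 50100)

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# netstat -an style row: proto recv-q send-q local foreign [state]
_ROW = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?")


class Listener(NamedTuple):
    proto: str
    address: str
    port: int
    product: str
    exposed: bool  # bound to something other than loopback


def classify_port(proto: str, port: int) -> Optional[str]:
    """Map a (proto, port) pair to the database product that uses it by default."""
    product = DEFAULT_DB_PORTS.get(proto, {}).get(port)
    if product is None and proto == "tcp" and port in DB2_PORT_RANGE:
        product = "IBM DB2"
    return product


def find_database_listeners(netstat_output: str) -> List[Listener]:
    """Parse netstat rows and keep only listening sockets on database default ports."""
    found: List[Listener] = []
    for line in netstat_output.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue  # header line or unrelated row
        proto, addr, port, state = m.group(1)[:3], m.group(2), int(m.group(3)), m.group(4)
        if proto == "tcp" and state != "LISTEN":
            continue  # established or closing connections are not listeners
        product = classify_port(proto, port)
        if product is None:
            continue
        found.append(Listener(proto, addr, port, product, addr not in LOOPBACK))
    return found


# Constructed sample: one local-only PostgreSQL, two network-exposed products,
# one established client connection that must not count as a listener.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1433            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:1433           10.0.0.9:51522          ESTABLISHED
tcp6       0      0 :::3306                 :::*                    LISTEN
udp        0      0 0.0.0.0:1434            0.0.0.0:*
"""

if __name__ == "__main__":
    for item in find_database_listeners(SAMPLE_NETSTAT):
        flag = "EXPOSED" if item.exposed else "local-only"
        print(f"{item.proto}/{item.port:<5} {item.address:<12} {item.product:<30} {flag}")
```

A database running on a non-default port will not show up here, which is exactly why S7.4 still calls for a scanner that checks configurations; this inventory is the quick check that finds the forgotten default installs, and any entry marked exposed is a candidate for either a host firewall rule or a bind-address change.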
H1. Excessive User Rights and Unauthorized Devices

Some attacks cannot be effectively prevented by technical controls alone. Unwary users can be enticed to do unsafe things, and clever users can find unsafe ways to get things done, unintentionally exposing their employers to multiple threats. To prevent such threats from exploiting these weaknesses, administrative controls are needed to supplement technical and physical controls. In time, technical controls may be able to enforce policies that proscribe user behavior; until this is achieved, periodic reviews are essential to ensure that administrative controls are effective. It is also essential to establish a process that detects violations and brings any non-compliant system back to a state of compliance efficiently.

H.1a Unauthorized and/or infected devices on the network

The best efforts to secure an information system are futile if users connect unauthorized devices to the network or to a computer system. A rogue wireless access point can be an open door for any malicious individual wanting to gain access to the network. A personal laptop connected to a corporate network can introduce whatever malware is infecting it onto the network. Unsecured corporate laptops that have been connected to unsafe public networks will eventually bring back all the malware they have collected to be shared with the entire organization. Thousands of computers have been compromised by attacks in which the laptop's owner is specifically targeted in order to infect the laptop with a Trojan horse that "calls home" once it has been connected to the corporate network, giving an outsider full access to a previously secure network. The same applies to an outsider able to connect an unknown device to the corporate network; this could simply be a laptop, or a higher-risk device such as a wireless access point.

Policies must address rogue devices and infected systems in order to ensure adequate protection of the corporate computing infrastructure, but without verification, policies are usually ineffective. Network access control has become an important tool for addressing such issues. Continuous monitoring of data flows and network connections can immediately identify unauthorized devices. In addition, network access control systems can detect malware and ensure that patches and malware signatures are up to date; they can then segregate systems that do not meet the policy and quarantine them until they meet the corporate standards defined in the policy.

H.1b Excessive User Rights and Unauthorized Software

Unmanaged software introduces multiple risks for the corporation. That software may contain security vulnerabilities, and users may not be sufficiently informed or motivated to apply patches regularly. Furthermore, users (or people using their computer without corporate approval, such as children or spouses) can install software which, without the user's knowledge, contains malware that could lead to a network or data compromise. Users may also install software providing functionality (e.g. peer-to-peer file sharing) that invites new vulnerabilities into the network environment. Those responsible for information security should consider implementing policies, and associated detective and corrective controls, to mitigate such vulnerabilities.

Organizations are vulnerable if users are granted rights that allow them to install software themselves in an uncontrolled fashion. This can also lead to pirated software being installed on corporate systems, which opens another range of issues from a legal perspective. To address this, it is essential to enforce a policy limiting user rights to the least privilege required to perform job-related duties. This will in fact eliminate issues relating to malware, potentially unwanted programs and pirated software being installed by the user himself.

H1.2 References

http://www.isaca.org/Template.cfm?Section=Home&CONTENTID=17170&TEMPLATE=/ContentManagement/ContentDisplay.cfm

H2. Phishing/Spear Phishing Online Identity Theft

The word "phishing" was first used around 1996, when hackers began stealing America On-Line accounts by sending AOL users email that appeared to come from AOL. Phishing attacks now target users of online banking, payment services such as PayPal, online e-commerce sites, and web-based e-mail sites. Phishing attacks are growing quickly in number and sophistication; in fact, most major banks in the USA, the UK and Australia have been hit with phishing attacks.

Spear Phishing

Voice Phishing

H2.2 Affected Operating Systems

Phishing is a social engineering technique that targets users. While various application add-ons can provide some defense against phishing techniques, all operating systems can be considered equally affected because the attack target is the end user. There is a natural human instinct to trust; phishing attacks attempt to exploit this. While they leverage flaws in browsers, email systems and DNS, they do so only to enhance the appearance of legitimacy: ultimately it is the end user who is tricked into providing information to the phishers.

H2.3 How to Determine if You Are at Risk

Phishing mostly uses social engineering techniques to ensure success; awareness of such techniques can diminish the risk of such attacks. Identity thieves may also use computer intrusions into organisations such as online businesses to gather large amounts of credit card or other identification information. They may also attempt to harvest information that is available on public Internet sites; do not expose too much information about yourself or your family members (e.g. addresses and phone numbers) to community web sites such as MySpace, Orkut and Facebook.

H2.4 How to Protect against Phishing Attacks

Since phishing attacks are aimed at users, user awareness is a key defense. The most promising method of stopping spear phishing is continuous periodic awareness training for all users; this may even involve mock phishing attempts to test awareness. Less effective, but still valuable methods include:
- Do not mass e-mail your customer base with web links directed to your site or any other website. Doing so teaches your customer base to accept such emails as normal.
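The advice above rests on the observation that phishing mail borrows a trusted name while the links lead elsewhere. A mail gateway or an awareness tool can make that gap visible mechanically. The following is an added example written for this page, not code from SANS or from any mail-filtering product; the message is constructed, the domains are reserved example names, and the last-two-labels approximation of a registrable domain is an assumption (a production filter would use a public suffix list). It flags a link whose visible text names a different site than its real target, a link whose target is a bare IP address, and a link that leaves the domain the message claims to come from.

```python
"""Flag deceptive links in an HTML e-mail before it reaches users.

Added example for this page; it is not code from SANS or from any mail
filter. The message below is constructed and uses reserved example
domains. Three checks that a mail gateway or awareness tool can apply:
the visible link text names one site but the link goes to another, the
link target is a raw IP address, or the target lies outside the domain
the message claims to come from.
"""
import ipaddress
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# A hostname written out in the visible link text, with or without a scheme.
_HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _base_domain(host: str) -> str:
    """Crude registrable-domain approximation: last two labels (assumption, no suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def _within(host: str, domain: str) -> bool:
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def analyze_links(html: str, claimed_domain: str) -> List[str]:
    """Return one finding per suspicious property of each link."""
    collector = _LinkCollector()
    collector.feed(html)
    findings: List[str] = []
    for href, text in collector.links:
        host = (urlsplit(href).hostname or "").lower()
        if not host:
            continue  # relative link or mailto:, nothing to compare
        try:
            ipaddress.ip_address(host)
            findings.append(f"{href}: target is a raw IP address")
        except ValueError:
            pass
        shown = _HOST_IN_TEXT.search(text)
        if shown and _base_domain(shown.group(1)) != _base_domain(host):
            findings.append(f"{href}: visible text says {shown.group(1)} but target is {host}")
        if not _within(host, claimed_domain):
            findings.append(f"{href}: target {host} is outside {claimed_domain}")
    return findings


# Constructed message that claims to come from bank.example.
SAMPLE_EMAIL = """\
<html><body>
<p>Dear customer, please verify your account at
<a href="http://bank.example.evil.example/verify">https://www.bank.example/verify</a>
or via <a href="http://203.0.113.5/login">our secure portal</a>.</p>
<p>Questions? Visit <a href="https://support.bank.example/help">support.bank.example</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze_links(SAMPLE_EMAIL, "bank.example"):
        print(finding)
```

The third check is the one that enforces the policy item above from the sending side: run it over your own outbound customer mailings with your domain as `claimed_domain`, and any link that leaves it is one you have just taught customers to trust.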
- Anti-Phishing Working Group
- 3sharp study Gone Phishing: Evaluating Anti-Phishing Tools for Windows
- VoIP Phishing Scams
- The Ghost In The Browser: Analysis of Web-based Malware
- Phone phishing: The role of VoIP in phishing attacks
- Phishing and Spamming via IM (SPIM)
- Suspicious e-Mails and Identity Theft

H3. Unencrypted Laptops and Removable Media

Loss of laptops and removable media has become a major liability for corporations and government agencies as well as for general consumers. All too frequently, a major loss of personal or identifying information is traced back to the loss of a single laptop or piece of removable media. In the past, personal data was stored in paper records or on centralized systems. With growth in computer storage it is possible to store large amounts of personal information on laptops, desktops or portable media. This portability places data at greater risk of loss or compromise, both from malice and from simple human forgetfulness. Since removable storage devices are designed specifically for portability, they also tend to be easy to lose or misplace.

Since portable storage devices are often shared between machines, they provide a potent vector for malware propagation. Users often share media between enterprise and personal systems, providing an obvious opportunity for viruses and other malware to spread between networks and physical locations.

Identities exposed by recent laptop losses (table: Company / IDs exposed by loss of unencrypted device). Statistics from: http://www.privacyrights.org/ar/ChronDataBreaches.htm
Every company has some data that must be protected: trade secrets, personally identifying information about employees, human resources and payroll data, sales data, price sheets, contacts, customer databases, and so on. In the absence of active controls that ensure all portable devices and removable media are encrypted and accounted for, some risk of loss is present. Here are questions that can help determine the level of risk:
- What policy is in place regarding moving sensitive data onto removable media or portable computers?

At the most basic level, a written security policy regarding portable computers and removable media is necessary. This policy should be reviewed and approved by senior management. If at all possible, the policy should mandate the encryption of all data on portable computers and removable media.

- Use Group Policy to disable USB, CD-ROM and Floppy Disk
- Listing of breaches of personal information
- Listing of State Laws about disclosure after the loss of personally identifiable information (PII)
- Loss of Laptops
- Loss of USB drives
- Loss of backup tapes

In April, Iron Mountain lost its fourth shipment of backup tapes in 2005 - this time containing data about 600,000 current and former employees of Time Warner. In June, Citigroup announced that back-up tapes being sent via UPS were lost in transit; data including Social Security numbers on 3.9 million consumer lending customers were lost. In November, Marriott International realized that some back-up tapes for its Vacation Club were missing; at the end of the year, it announced that the lost or stolen tapes contained credit-card and Social Security number data on 206,000 clients and also on some employees.

Application Abuse:

A1. Instant Messaging

A1.1 Description

Instant messaging (IM) is increasingly being accepted as a legitimate method of communication for both personal and business use. IM applications are available on diverse platforms, ranging from traditional PC-based IM to Mobile IM on Personal Digital Assistants (PDAs) and cell phones. This widespread use of instant messaging, while convenient for users, can significantly increase the security risks for both organizations and individual users. Attacks include variants of e-mail worms spread through instant messaging, new variations in the establishment and spread of botnets, and the use of compromised instant messaging accounts to lure users into revealing sensitive information.

The general risk areas related to instant messaging are:
- Malware -- Worms, viruses, and Trojans transferred through instant messaging. Many bots are controlled via IRC (instant message) channels.

Popular instant message applications include: AOL Instant Messenger (AIM), Gaim, ICQ, Jabber Messenger, Lotus Sametime, Skype, QQ, Windows Live Messenger (WLM), Google Talk, Trillian and Yahoo! Messenger. Instant messaging protocols include: IRC, MSNP, OSCAR, SIMPLE, XMPP and YMSG.

A1.2 Affected Operating Systems

Instant messaging applications are available for all popular operating systems.

A1.3 CVE Entries

CVE-2007-1680, CVE-2007-2418, CVE-2007-2478, CVE-2007-2931, CVE-2007-3305, CVE-2007-3832, CVE-2007-3928, CVE-2007-4579

A1.4 How to Protect against IM Vulnerabilities and Unauthorized IM Usage

- Establish policies for acceptable use of instant messaging and ensure that all users are aware of those policies and clearly understand the potential risks.

- Phishers hijack IM accounts
- Instant messaging: a new target for hackers
- AIM bot creates "fight combos" to spread
- Secure Instant Messaging in the Enterprise
- Remote command execution, HTML and JavaScript injection vulnerabilities in AOL's Instant Messaging software

A2. P2P File Sharing Applications

A2.1 Description

Peer to Peer networks consist of collections of computers or nodes that simultaneously function as both clients and servers to achieve a common purpose. The nodes may exchange data, share resources, provide directory services, support communications and provide real-time collaboration tools. Several control and communication architectures are utilized. Centralized index servers can provide directory services for data and service availability. In fully distributed networks each node helps with the indexing and directory services and is fully equivalent. Hybrid architectures combine the features of both to different degrees, and groups of nodes may elect or promote certain nodes to act as regional index/directory servers.

Many legitimate applications use P2P. Software tool vendors, including Microsoft and Sun, provide a variety of tools and encourage development of P2P applications. However, like any data transfer tool, P2P applications can be misused or exploited to illegally share copyrighted material; obtain confidential data; expose users to unwanted pornography, violence or propaganda; distribute and execute malware (viruses, spyware, bots, etc.); overload the network; mine usage and behavior patterns; and control bots, all of which can create a legal liability. The liability and legal prosecution may not be limited to the perpetrator and may be extended to the network sponsor, supporters or members.

The P2P networks themselves may be attacked by modifying legitimate files with malware, seeding malware files into shared directories, exploiting vulnerabilities in the protocol or errors in coding, blocking (filtering) the protocol, denial of service by making the network function slowly, spamming, and identity attacks that identify network users and harass them. Legal action has been successfully used to shut down some popular networks that were culprits of copyright infringement.
The Storm Worm uses the eDonkey/Overnet peer-to-peer protocol to communicate with infected hosts. As of September 2007 it is estimated to run on as many as 1,000,000 to 50,000,000 infected and compromised computer systems.

P2P concepts and techniques are evolving and can be found in:
- File sharing networks - whose main goal is to share resources such as storage and bandwidth. These operate through a distributed network of clients, sharing directories of files or entire hard drives of data. Clients participate by downloading files from other users, making their data available to others and coordinating file searches for other users.
A2.2 Operating Systems Affected

There are versions of P2P software available for all Microsoft Windows operating systems currently in use, along with versions for Linux, MacOS and most Unix-like operating systems.

A2.3 Detecting P2P activity

Detecting P2P activity on the network can prove to be challenging. It is possible to detect P2P software running on your network by:
- Monitoring traffic for certain TCP/UDP ports. This works well for older P2P programs; however, many P2P programs have moved on to using http, https and other ports that commonly need to be passed through firewalls and proxies.

- Standard users should not be permitted to install software. Restrict Administrative and Power User level privileges to support personnel acting in their support capacity. If a user must have Administrative or Power User privileges, create a separate account to be used for his/her daily office functions, Internet surfing and on-line communication.
- Tripwire or AIDE (there are commercial and open source versions of the product) can be used to detect changes in files.
- Samba-based shares can be configured to run a filter upon opening or saving of files. A file-type detector and alerting system could prove useful to avoid misuse of shares.

A2.5 References
- Wikipedia Peer-to-peer
- Storm Worm
- Department of Justice Cybercrime web site
- Other software providers could be held secondarily liable for copyright infringement.
- FBI Education initiative
- The Information Factories
- Mobile Service Clouds: A Self-managing Infrastructure for Autonomic Mobile Computing Services
- Cyber Security Tip ST05-007 - Risks of File-Sharing Technology
- Risks of P2P File Sharing (Presentation)
- Securing Windows XP Professional in a Peer-to-Peer Networking Environment
- Identifying P2P users using traffic analysis - Yiming Gong - 2005-07-21
- Bot software looks to improve peerage
- Stop the bots
- How to block specific network protocols and ports by using IPSec (MS KB article 813878)
- Using Software Restriction Policies to Protect Against Unauthorized Software
- Availability and description of the Port Reporter tool (MS KB article 837243)
- New features and functionality in PortQry version 2.0 (MS KB article 832919)
- Log Parser 2.2
- Browsing the Web and Reading E-mail Safely as an Administrator (DropMyRights)
- Amazon Cloud Computing goes beta
- Checkpoint Application Intelligence
- Microsoft site search for peer-to-peer
- Instant-Messaging-and-P2P-Vulnerabilities-for-Health-Organizations
- Detecting and Understanding Rootkits
- Application Layer Packet Classifier for Linux

Network Devices:

N1. VoIP

N1.1 Description

Use of VoIP technologies has continued to expand during the past year. Rapid adoption to garner the economic advantages of VoIP has led many to overlook, or even set aside, security concerns. Vulnerabilities can exist throughout a VoIP network, from mismanaged and unpatched call proxy and media servers to the VoIP phones themselves. Vulnerabilities have been found in products such as Cisco Unified Call Manager and Asterisk, along with VoIP phones from multiple vendors. By leveraging those vulnerabilities, attackers can carry out VoIP phishing scams, eavesdropping, toll fraud or denial-of-service attacks. Poorly designed implementations can provide inroads to data networks, and researchers continue to uncover additional areas of potential attack, such as cross-site scripting through VoIP clients.

As many VoIP servers -- especially those at VoIP service providers -- are an interface between SS7 (traditional phone signaling) and IP networks, an attacker capable of compromising a vulnerable VoIP server could potentially manipulate the SS7 signaling interconnection to disrupt services on the Public Switched Telephone Network (PSTN).

N1.2 CVE Entries

Asterisk, Cisco Call Manager, VoIP Phones, Avaya, Cisco IOS

N1.3 How to Mitigate These VoIP Vulnerabilities

- Consider security concerns as an integral part of any VoIP implementation. Additional caution should be taken at the product selection phase to ensure that VoIP product vendors support OS patches as they are released. Many VoIP vendors will void support for unapproved patches and may take considerable time to approve them.
- Asterisk Security Advisories
- Cisco Security Advisories and Notices
- VoIP Security Alliance
- NIST 800-58: Security Considerations for VoIP Systems

Z1: Zero Day Attacks

Z1.2. Affected OSs

All operating systems and all software applications are vulnerable to zero day vulnerability discovery and exploitation.

Z1.3. CVE Entries

This past year several vulnerabilities had public exploits available before the official patch or remedy was issued. Some example CVE entries that reflect this trend are:
- Microsoft Office 2003 Brazilian Portuguese Grammar Checker: CVE-2006-5574

Z1.4. How to Protect against the vulnerabilities

Protecting against zero day vulnerability exploitation is a matter of great concern for most system administrators. To reduce the impact of a zero day attack, follow best business practices such as:

The Experts Who Helped Create The Top-20 2007 List

Best Practices for Preventing Top 20 Risks

- Configure systems, from the first day, with the most secure configuration that your business functionality will allow, and use automation to keep users from installing/uninstalling software.

For whom is the list written?

Is it still relevant to publish this document in 2007 for a year's worth of vulnerabilities?

Internet scanning data shows that there are still systems facing the Internet that are not patched for vulnerabilities being exploited widely. I, for one, will give up working on this project when I no longer see any Blaster or Slammer worm events triggering on any IDS/IPS in the customer networks. Even if all the patches have been applied, there are still zero-days to deal with! This year's list includes a list of defenses for zero-days. Security professionals get so focused on the "challenge of the day" that they need reminders, from time to time, of the emerging threats so they can ask for resources to fight those new threats.

Why do you call it the Top-20 when the number of actual vulnerabilities (CVEs) is much greater than 20?

The Top-20 groups critical vulnerabilities into classes so that common mitigation strategies can be applied to protect from an entire class. For instance, a large number of MS-RPC overflows can be prevented by blocking ports 139/tcp and 445/tcp at the network perimeter.