Stardate 2006. The enterprise will be attacked by virtual malware and machine marauders that cloak themselves like
a Klingon Birds-of-Prey. They'll go where they've rarely gone before, targeting Linux and open source applications, says IT security expert Dennis Moreau, CTO of Configuresoft Inc. So, raise your shields and arm your machines with open source weapons.
In this interview, Moreau predicts the top IT security threats in 2006, opines on 2005's most important IT security developments, compares Linux and Windows security and lists his favorite open source security tools.
What new IT security threats will emerge in 2006?
Dennis Moreau: Attacks will begin to exploit address translation subversion in order to hide from scanners. Attacks will also begin to exploit current weaknesses in virtual machine technology. These approaches will challenge both configuration lockdown and current trusted computing technologies.
Fortunately, new processor features will be introduced to help address this issue.
Do you think that hackers will target Linux and open source apps more in 2006 than they have in the past?
Moreau: A recognized hacker trend is that hackers are beginning to attack application (rather than operating system) vulnerabilities and are beginning to attempt to hide exploit network traffic in legitimate application traffic.
We are also seeing a growing adoption of Linux as a corporate/federal application platform.
Taken together, these trends do seem to indicate that Linux and open source applications will increasingly be a target of exploit attempts.
What were the big security stories in 2005?
Moreau: They were the growing unwieldiness and eventual inadequacy of black list-centric detection strategies: Most current antivirus, intrusion-detection, intrusion-prevention, vulnerability-assessment and patching technologies depend on having signatures -- descriptions of the technical footprint -- of attacks, viruses and vulnerabilities. These lists are known as 'blacklists' because they are used to recognize 'bad' phenomena.
Then, there was the demonstrated plausibility of effectively hiding malicious code by controlling address translation (e.g., ShadowWalker).
Finally, there was the weakening SHA-1 (Secure Hash Algorithm) by 11 binary orders of magnitude on the heels of a previous weakening of MD5, due to related differential cryptographic approaches. Since these approaches yielded lowered upper bounds on hash collisions, doubts have been raised about what future analyses will reveal. Some concern has been raised concerning SHA-256, as well. Secure hashing is a foundational technology of trusted computing techniques.
Could you explain why blacklists aren't working so well?
Moreau: The explosion in the number of vulnerability targets, the number of different kinds of exploits and the emergence of polymorphic techniques have driven the size of these lists and their rates of evolution upward.
A recent response to this has been the introduction of heuristic techniques that can learn and recognize good and normal behavior without signatures. Unfortunately, these approaches have a high false-positive rate, inadvertently blocking legitimate, sometimes mission-critical, behavior.
For even current exploit technologies -- technologies for which we have effective single-system defenses -- our enterprise defense strategies have been forced to evolve to just keep up with exploit volume, exploit adaptation and the over-riding need to conduct business in the face of growing threats. Keeping up will continue to be challenging.
What's going on with malicious code cloaking?
Moreau: At this year's DEFCON [a hackers' conference] hackers presented a new approach to hiding malware by directly controlling memory references.
The problem is that once a system or application was infected with this kind of exploit, the hidden malware would be impossible to detect with existing scanning techniques because memory references from the scanning software would be presumably mapped around the malware code. If you can't scan the code, the signature, however accurate, is useless. Truly scary!
What threats emerged in 2005 that will grow more dangerous in 2006?
Moreau: More attacks will exploit application vulnerabilities. More attacks will hide in legitimate network traffic, making detection, prevention and mitigation more difficult. Also, more attacks will exploit kernel vulnerabilities.
Do hackers target Microsoft products most often simply because it has the largest user base?
Moreau: The very large number of Windows developers steeped in intimate internals has represented a large exploitable knowledge base. Also, the large degree of commercial penetration of the commercial IT infrastructure makes Windows a particularly attractive target.
The requirement for deep legacy compatibility over a large surface area (lots of APIs) has limited how far-reaching and how fast-paced Microsoft's hardening and application security efforts could be. The very large number of commercially significant applications that are tied to legacy platform configurations will present an ongoing security issue for the enterprise.
From your experience, how does Linux stack up against Windows in security robustness and built-in security features?
Moreau: Linux has integral log forwarding. Linux has a smaller amount of legacy exposure to carry forward. A broad spectrum of strong OSS security capabilities exist at the system level, although these are not necessarily built in. Commercial variants are often more capable.
At enterprise scale, however, commercial security solutions and not open source dominate the market. This may represent a cultural problem for Linux-centric open source efforts addressing large-scale IT environments.
Many aspects of Regulatory Compliance automation -- such as ITIL, COSO, CoBit process automation, CMDBs;configuration management databases; availability/fault management -- have no OSS solutions adequate to address enterprise-scale IT environments.
Microsoft's Software Assurance licensing increasingly includes technologies aimed at meeting these enterprise needs at scale.
Which open source security tools should all admins have in their security toolboxes?
Moreau: For comprehensive host-based firewall capabilities: IPTables, Dante and IPFilter. Snort provides strong network intrusion detection capabilities. TCPdump and ethereal are network sniffers. For automated vulnerability assessment, there are Nmap and Nessus. Firewalk checks firewall rules consistency. CIS Benchmarks is right for security configuration scoring. NIST XCCDF leverages authoritative security checklists at the platform independent level. The Mitre OVAL reference assessment tool leverages authoritative security checklists at the system-specific level. Last, but not least, Bastille Linux is the OS hardening tool.
In addition to security features within Linux, these tools can be directly mapped to CoBit compliance control objectives and ISO17799 best practices and represent 'should haves'.
Linux and open source security learning guide
Bastille Linux: Hardening your machines
Introduction to CoBit for SOX compliance