Thursday, November 15, 2007

Attack Surfaces and The Impending Headache

If you rewind 6 years, the big security pain point for most companies was the disruption caused by worms like Code Red, Nimda, Slammer, Sasser, Blaster, etc. The common thread that made these worms so effective, and thus disruptive, was widely deployed, unpatched Microsoft products.

Today, the threat of a catastrophic worm of this type is almost non-existent in most modern networks. Microsoft fixed code, we deployed client firewalls and automated patching, and we got serious about the security of Internet-facing services. This is good news, but it's also a mixed bag. The attacks didn't stop; they just changed.

Other attack surfaces - web applications and web browsers - started to get attention. And today, an exploit for an unpatched IE vulnerability is worth more to the bot/adware crowd than one for IIS 6. But lately there's been an upswing in exploits against third-party apps that integrate with web browsers. QuickTime, RealPlayer, Acrobat Reader and Shockwave have all had remote code execution vulnerabilities discovered - and exploited by the bad guys - in the past few months. And this is exacerbated by the fact that at least half of your QuickTime or RealPlayer installs are from folks who installed iTunes or Rhapsody so they could sync their MP3 player at work, so you don't even know that they're out there.

But here's the real teeth-kicker. There was also a vulnerability in Viewpoint Media Player announced last week. With an exploit circulating. And I'll bet that until you read about it being vulnerable, you had never heard of Viewpoint Media Player and didn't have (and perhaps still don't have) any idea where it's installed throughout your network.

So now I have to defend mobile workstations against attacks on software I don't even know is out there? We have a pretty tight workstation management regimen where I work, and I was able to poll our software management tool for Viewpoint. And sure enough, there are a half-dozen installs.

So the picture this paints for the near future isn't pretty: even more time spent trolling mailing lists and RSS feeds for new vulnerabilities, expensive software to inventory your workstations and manage the software that's installed on them, a politically charged fight to take away local administrator privileges anywhere you can, and developing new ways to triage and mitigate vulnerabilities while you wait for some tiny software shop to fix the vulnerability.
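If you don't have a software management tool to poll, the Windows Uninstall registry keys give you the same inventory for free. The script below is an added example, not from the original post; it assumes it is run with rights to read HKLM on each workstation (locally, or fanned out with Invoke-Command), and the watch list of product names is a constructed starting point you would extend as new vulnerable plugins turn up.

```powershell
# Added example: inventory browser-integrated third-party software on a
# Windows workstation by reading the Uninstall registry keys, and flag
# anything matching a watch list of products named in the post.
# Assumption: run with rights to read HKLM (locally or via Invoke-Command).

# Constructed watch list; extend it as new third-party plugins are announced.
$watchList = @('QuickTime', 'RealPlayer', 'Adobe Reader', 'Acrobat',
               'Shockwave', 'Viewpoint')

# Both native and 32-bit-on-64-bit uninstall hives; the Wow6432Node key
# does not exist on 32-bit Windows, so missing paths are tolerated.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate

# Emit one record per installed product that matches the watch list, with
# the hostname so results from many machines can be merged into one report.
$hits = foreach ($app in $installed) {
    foreach ($pattern in $watchList) {
        if ($app.DisplayName -like "*$pattern*") {
            [PSCustomObject]@{
                Host      = $env:COMPUTERNAME
                Product   = $app.DisplayName
                Version   = $app.DisplayVersion
                Publisher = $app.Publisher
                Installed = $app.InstallDate
                Matched   = $pattern
            }
            break
        }
    }
}

$hits | Sort-Object Product | Format-Table -AutoSize
```

The version column is the part that matters when an advisory lands: it tells you which of the half-dozen installs actually need triage rather than just that they exist.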

Or, you could just focus on the insider threat. ;-)
