From Bruce Schneier's CRYPTO-GRAM:

** *** ***** ******* *********** *************

The Security Patch Treadmill

"Well, in our country," said Alice, panting a little, "you'd generally get somewhere else -- if you ran very fast for a long time, as we've been doing."

"A slow sort of country!" said the Queen. "Now here, you see, it takes all the running you can do, to keep in the same place."
--Through the Looking Glass, by Lewis Carroll.

Last week, the FBI announced that over the past year, several groups of Eastern European hackers had broken into at least 40 companies' websites, stolen credit card numbers, and in some cases tried to extort money from their victims. The network vulnerabilities exploited by these criminals were known, and patches that closed them were available -- but none of the companies had installed them.

In January 2001, the Ramen worm targeted known vulnerabilities in several versions of Red Hat Linux. None of the thousands of infected systems had their patches up to date.

In October 2000, Microsoft was molested by unknown hackers who wandered unchallenged through their network, accessing intellectual property, for weeks or months. According to reports, the attackers would not have been able to break in if Microsoft patches had been up to date.

The series of high-profile credit card thefts in January 2000, including the CD Universe incident, were also the result of uninstalled patches. A patch issued eighteen months previously would have protected these companies.

What's going on here? Isn't anyone installing security patches anymore? Doesn't anyone care?

What's going on is that there are just too damn many patches. It's simply impossible to keep up. I get weekly summaries of new vulnerabilities and patches. One alert service listed 19 new patches in a variety of products in the first week of March 2001. That was an average week. Some of the listings affected my network, and many of them did not. Microsoft Outlook had over a dozen security patches in the year 2000. I don't know how the average user can possibly install them all; he'd never get anything else done.

Security professionals are quick to blame system administrators who don't install every patch. "They should have updated their systems; it's their own fault when they get hacked." This is beginning to feel a lot like blaming the victim. "He should have known not to walk down that deserted street; it's his own fault he was mugged." "She should never have dressed that provocatively; it's her own fault she was attacked." Perhaps such precautions should have been taken, but the real blame lies elsewhere.

Those who manage computer networks are people too, and people don't always do the smartest thing. They know they're supposed to install all patches. But sometimes they can't take critical systems off-line. Sometimes they don't have the staffing available to patch every system on their network. Sometimes applying a patch breaks something else on their network.

I think it's time the industry realized that expecting the patch process to improve network security just doesn't work. Security based on patches is inherently fragile. Any large network is going to have hundreds of vulnerabilities. If there's a vulnerability in your system, you can be attacked successfully and there's nothing you can do about it. Even if you manage to install every patch you know about, what about the vulnerabilities that haven't been patched yet? (That same alert service listed 10 new vulnerabilities for which there is no defense.) Or the vulnerabilities discovered but not reported yet? Or the ones still undiscovered?

Good security is resilient. It's resilient to user errors. It's resilient to network changes. And it's resilient to administrators not installing every patch.

For the past two years I have been championing monitoring as a way to provide this resilient security. If there are enough motion sensors, electric eyes, and pressure plates in your house, you'll catch the burglar regardless of how he got in. If you are monitoring your network carefully enough, you'll catch a hacker regardless of what vulnerability he exploited to gain access. Monitoring makes a network less dependent on keeping patches up to date; it's a process that provides security even in the face of ever-present vulnerabilities, uninstalled patches, and imperfect products.

In a perfect world, systems would rarely need security patches. The few patches they did need would automatically download, be easy to install, and always work. But we don't live in a perfect world. Network administrators are busy people, and networks are constantly changing. Vigilant monitoring does not "solve" computer security, but it is a much more realistic way of providing resilient security.

The Ramen worm:
<http://www.zdnet.com/zdnn/stories/news/0,4586,2675147,00.html>
<http://www.newsfactor.com/perl/story/6798.html>
<http://www.securityfocus.com/archive/75/156624>

Security patches aren't being applied:
<http://www.zdnet.com/zdnn/stories/news/0,4586,2677878,00.html>
Best quote: "Failing to responsibly patch computers led to 99 percent of the 5,823 Web site defacements last year, up 56 percent from the 3,746 Web sites defaced in 1999, according to security group Attrition.org." I'm not sure how they know, but it is scary nonetheless.

The Eastern European credit card hackers:
<http://www.sans.org/newlook/alerts/NTE-bank.htm>
<http://www.nipc.gov/warnings/advisories/2001/01-003.htm>
<http://www.fbi.gov/pressrm/pressrel/pressrel01/nipc030801.htm>
<http://www.zdnet.co.uk/news/2001/9/ns-21473.html>

Many networks have not patched BIND, even after patches for January's vulnerabilities were released:
<http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO58302,00.html>

The Microsoft attack:
<http://www.counterpane.com/crypto-gram-0011.html#7>

Patch your apps:
<http://www.zdnet.com/zdhelp/stories/main/0,5594,2317459,00.html>

Author's note: Every time I write an essay that speaks favorably about Counterpane, I get e-mails from people accusing me of advertising. I disagree, and I'd like to explain. Much of my current thinking about computer security stemmed from years of consulting. I watched as product after product failed in the field, and I tried to figure out why. My conclusions are largely chronicled in my book _Secrets and Lies_, and are reflected in the business model of Counterpane Internet Security, Inc. I don't extol the virtues of monitoring because that's what Counterpane does; Counterpane provides Managed Security Monitoring because I believe it is the future of security. I see monitoring as a way to achieve security in a world where the products are hopelessly broken. Over the next several months I will publish more essays on security, and monitoring is prominent in many of them. I'm not shilling Counterpane; it's just where my thinking is.