IT Security

Introducing “Insecure IT”
IT Pro January/February 2009, pp. 24–25. Published by the IEEE Computer Society. 1520-9202/09/$25.00 © 2009 IEEE

Our goal, of course, is to offer ideas to improve IT security, both by looking at ways it can go wrong as well as by covering good practices. As most security practitioners and researchers have seen, new technology developments nearly always introduce a period in which attackers find relatively easy ways to exploit weaknesses, followed by a gradual closing of vulnerabilities. Wireless networking is a classic example—initially more than half of home users, and a high percentage of business users, installed 802.11 wireless with no security measures. Some spectacular incidents resulted from widespread ignorance of basic wireless security measures, such as cases where retailers operated online point-of-sale systems with unsecured wireless. By analyzing vulnerabilities in real systems, we hope to encourage readers to not only avoid similar problems in their own systems but possibly generalize the lessons to new technologies as they appear. Insecure IT will appear regularly in this magazine, so we encourage readers to submit articles and share their lessons with the world.

Understanding Vulnerabilities

In keeping with our theme of understanding vulnerabilities to improve enterprise security, we should first take a look at the current state. What are the trends in enterprise security, and where do we stand today? We can examine these questions in two ways: attacks and the vulnerabilities that attackers target. The latter bears directly on an organization’s cost to protect its assets because it indicates the effort required to patch applications and close security holes as they’re discovered. Using the US National Institute of Standards and Technology’s (NIST’s) National Vulnerability Database (NVD), we can get a sense of where we are today and what will be important in the near future. The NVD provides fine-grained search capabilities for all known vulnerabilities and is continuously updated to provide data for automated vulnerability management, security measurement, and compliance. With data going back to 1997, we can also use NVD to see trends in IT vulnerabilities over the years.

The NVD data in Figure 1 gives us some good news and some bad news. Clearly, vulnerabilities have increased dramatically in the past few years, and the increase has come from the most severe ones. But data for the past two years show a downward trend (2008 figures projected from 10 months of data). Although it often seems that software is full of holes and only getting worse, things really are improving. Of course, this improvement is relative to the explosion of new vulnerabilities we’ve seen since 2003, and no one responsible for their organization’s IT security can be happy with the appearance of more than 5,000 new vulnerabilities in a year. Nevertheless, this is the first two-year decline in the data, and the decline from 2007 to 2008 was much more dramatic than the previous year. It’s also important to note that this chart covers data from thousands of products.

[Figure 1. Vulnerabilities by severity (Low, Medium, High, Total), 2001–2008, on a 0–7,000 scale. Vulnerabilities have increased in the past five years, but are starting to decline from a high in 2006. Chart not reproduced.]

Digging into the data a bit more, Figure 2 shows the types of vulnerabilities discovered in 2008. We categorized the vulnerabilities in Figure 2 by using the Common Weakness Enumeration (CWE), which defines a standardized description of software weaknesses designed to provide a common language for describing software security weaknesses. Using CWE, developers and analysts have a standard definition of terms for investigating security problems in architecture, design, and code. CWE also helps system administrators compare tools that attempt to find security weaknesses.

Buffer overflows, long the most common security bug, are now a distant third behind two Web-based vulnerabilities, SQL injection and cross-site scripting. As we can see on the left-hand side of Figure 2, traditional vulnerabilities affecting operating systems and standalone applications have become relatively rare. For example, the CWE found only 13 reports of race condition exploits (changing a file link between the time the operating system checks permission and when the requested operation is performed). Careless applications of cryptography, such as employing a

[Figure 2. Types of vulnerabilities discovered in 2008, categorized by CWE, on a 0–1,000 scale. The bar labels did not survive extraction, and the text of this paragraph that ran alongside the chart is missing from the extracted page.]

ginning to turn a corner in their efforts to stamp out security-critical bugs, but the data in Figure 2 clearly show that newer technologies, such as Web services, bring new bugs to catch.

Implications

What this means for software developers and system administrators is that their vigilance is paying off across systems with a wide install base and significant time in the field. Although this past summer’s announcement of a significant DNS flaw reminds us that core protocols and services still require additional scrutiny and research, it’s clear that industry has adopted some of the lessons learned and that best practices have been proven out.
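The two tallies the column draws from NVD (Figure 1: counts per year by severity, with 2008 projected from 10 months; Figure 2: one year’s counts by CWE category) can be reproduced from NVD-style records with a short script. This is an added example, not code from the column or from NIST; the records are constructed samples with placeholder ids, and the severity bands are the CVSS v2 bands NVD uses.

```python
"""Tally vulnerability records by year and CVSS severity, and by CWE type,
the way Figures 1 and 2 in the column are built. Added example; the records
are constructed samples with placeholder ids, not real NVD entries."""
from collections import Counter, defaultdict
from datetime import date

# Constructed records: (id, published date, CVSS v2 base score, CWE id).
RECORDS = [
    ("SAMPLE-2007-1", date(2007, 2, 10), 7.5, "CWE-89"),    # SQL injection
    ("SAMPLE-2007-2", date(2007, 5, 21), 4.3, "CWE-79"),    # cross-site scripting
    ("SAMPLE-2007-3", date(2007, 9, 3), 2.1, "CWE-362"),    # race condition
    ("SAMPLE-2007-4", date(2007, 11, 15), 9.3, "CWE-119"),  # buffer error
    ("SAMPLE-2008-1", date(2008, 1, 8), 7.5, "CWE-89"),
    ("SAMPLE-2008-2", date(2008, 3, 19), 4.3, "CWE-79"),
    ("SAMPLE-2008-3", date(2008, 6, 30), 6.8, "CWE-89"),
    ("SAMPLE-2008-4", date(2008, 8, 12), 10.0, "CWE-119"),
    ("SAMPLE-2008-5", date(2008, 10, 2), 4.0, "CWE-79"),
    ("SAMPLE-2008-6", date(2008, 10, 27), 3.9, "CWE-79"),
]

def severity(score):
    """NVD's CVSS v2 bands: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"

def counts_by_year(records):
    """Figure 1 style: {year: Counter with Low/Medium/High/Total}."""
    table = defaultdict(Counter)
    for _, published, score, _ in records:
        table[published.year][severity(score)] += 1
        table[published.year]["Total"] += 1
    return dict(table)

def project_full_year(count, months_observed):
    """Scale a partial-year count to 12 months (the column projects 2008 from 10 months)."""
    return round(count * 12 / months_observed)

def counts_by_cwe(records, year):
    """Figure 2 style: CWE ids seen in one year, most frequent first."""
    return Counter(cwe for _, published, _, cwe in records
                   if published.year == year).most_common()

if __name__ == "__main__":
    by_year = counts_by_year(RECORDS)
    for year, row in sorted(by_year.items()):
        print(year, dict(row))
    print("2008 projected to 12 months:", project_full_year(by_year[2008]["Total"], 10))
    print("2008 by CWE:", counts_by_cwe(RECORDS, 2008))
```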
However, emerging technologies and new use cases for established systems are providing fertile ground for new types of vulnerabilities susceptible to an ever creative and persistent adversary. Priorities for attackers and defenders alike have moved to the application space, with an emphasis on anything Web-oriented or net-centric in nature. We can only expect this trend to accelerate with the proliferation of “always on” robust mobile computing platforms ranging from smart phones to netbooks, and the ever increasing prevalence of net-enabled consumer products in every aspect of our lives. The walls of the enterprise have become blurred, and software developers and system administrators will continue to experience an evolving landscape rife with opportunity to actively manage the risk of the systems they develop, deploy, and operate.

Help comes in a variety of forms, from community-driven organizations that promulgate best practices and vulnerability watchlists such as the Open Web Application Security Project (www.owasp.org) all the way to you, the reader. We heartily encourage your thoughts and look forward to including your submissions in future columns and as part of our upcoming annual issue focusing on security.

Acknowledgments

We’re grateful to Chris Johnson at NIST for providing data from the National Vulnerability Database. As a disclaimer, certain software products are identified in this document. Such identification doesn’t imply recommendation by NIST or other agencies of the US government, nor does it imply that the products identified are necessarily the best available for the purpose.

Rick Kuhn is a computer scientist at the US National Institute of Standards and Technology. His research interests include information security, software assurance, and empirical studies of software failure. Kuhn has an MS in computer science from the University of Maryland, College Park. Contact him at [email protected].

Hart Rossman is a vice president and CTO of SAIC. He also serves as a faculty member with the Institute for Applied Network Security. Rossman has a CISSP, a BA in communication from the University of Maryland, College Park, and an MBA from the University of Maryland, Robert H. Smith School of Business. Contact him at hart.[email protected].

Simon Liu is the director of information systems at the US National Library of Medicine. His research interests include IT architecture, cybersecurity, software engineering, and database and data mining. Liu has two doctoral degrees in computer science and higher education administration from George Washington University. Contact him at simon_liu@nlm.nih.gov.