Richard Steinberger, Independent Security Consultant

Proactive vs. Reactive Security

Introduction

Most security professionals are aware of the two basic approaches used to deal with security vulnerabilities: proactive and reactive. Proactive approaches include all measures that are taken with the goal of preventing host-based or network-based attacks from successfully compromising systems. Reactive approaches are those procedures that organizations use once they discover that some of their systems have been compromised by an intruder or attack program (e.g., Code Red or Nimda).

Proactive Approaches

Every modern organization realizes the value of dedicating some resources to the prevention of expensive damages that will likely occur if such preventive measures are not taken. Banks use thick steel and concrete vaults with advanced electronic systems to prevent and detect break-ins. Many companies, from convenience stores to casinos, use cameras to record business activities, the idea being that cameras both deter theft and help identify perpetrators when thefts do occur. Some organizations have started using Intrusion Detection and Response Systems (IDRSes) to try to detect computer intrusions and then activate defensive measures when an attack is detected. All of these examples represent proactive approaches to securing a company's infrastructure.

Reactive Approaches

Just as every company takes some measures to prevent future business losses, each also has plans in place to respond to such losses when the proactive measures either were not effective, or did not exist. Reactive methods include Disaster Recovery Plans, use of private investigation services and loss recovery specialists, reinstallation of operating systems and applications on compromised systems, or switching to alternate systems in other locations. Having an appropriate set of reactive responses prepared and ready to implement is just as important as having proactive measures in place.
A difficult set of decisions needs to be made in deciding how many resources (time, money, people) to dedicate to proactive approaches and how many to reactive approaches. These decisions can be further complicated by decisions about whether to use in-house resources, or to outsource. The remainder of this paper discusses these issues and focuses specifically on computer and network technologies.

Proactive and Reactive Approaches for Networked Companies

Richard Pethia, the director of the CERT Coordination Center at Carnegie Mellon University, recently stated, "Today's commercial off-the-shelf [software] technology is riddled with holes. The sheer number of vulnerabilities is overwhelming organizations." Pethia is referring to several examples in the recent past. These include vulnerabilities that allowed viruses and worms (hereafter referred to as malware) and other manual and automated attacks to inflict damages costing hundreds of millions of dollars per occurrence. Specific examples are: LoveLetter, a worm that severely clogged mail servers and networks in 2000; Code Red, an aggressive worm that attacked unpatched Microsoft web servers and defaced their main pages; and most recently, Nimda, a worm that spread by several different methods including email and web protocols, and searched for as many as 16 separate vulnerabilities to attack. Add to those examples the recent Distributed Denial of Service (DDOS) attacks, less serious but still expensive virus attacks, exploits directed at unpatched popular firewalls (e.g., Check Point, Cisco Pix), buffer overflows, directory traversal and other more obscure attacks against web servers, and the scope of the problem starts to become quite clear.
Since it is unlikely that most software will improve significantly from the state Pethia describes ("riddled with holes"), the only possible approaches are to: 1) repair the holes as soon as vendors confirm vulnerabilities and release patches, and 2) be prepared to respond to successful attacks against systems that have not yet been patched. Although not all system vulnerabilities are the result of exploitable software flaws, most of them are. Ronald Dick, chief of the National Infrastructure Protection Center (NIPC, a division of the FBI), stated that about 80% of the issues the NIPC responds to could have been prevented if system administrators had been able to "download a patch and repair their systems."

There are two extremely important conclusions that may be drawn from the above discussion. The first is that regular patching of systems is the single most important thing an organization can do to help defend itself against network attacks. The second conclusion is that even the most aggressive, comprehensive approach to patching systems and keeping virus definition files up to date is not going to prevent every network attacker from successfully penetrating a company's network and inflicting damages. Some attackers focus on common misconfigurations or even mistakes that no amount of patching would counteract. In other cases, attackers may have identified vulnerabilities but vendors have yet to release a patch. Therefore, organizations that want to be well defended against network attacks need to employ an optimal mix of proactive and reactive approaches.

Specific Proactive Methodologies

The single most important thing an organization can do to defend itself against network attacks and malware is to patch vulnerable systems. This task isn't nearly as easy as it sounds. Large companies can own tens of thousands of systems, running multiple operating systems and applications from several different vendors on systems located in dozens of locations. Even medium-sized companies can have thousands of computers. Although the size of the task can be daunting, reasonable approaches can still be developed and implemented if senior management provides enough resources. The support of senior management is crucial, because without it there will simply never be enough money, staff or time to implement more than a minimally reactive and ultimately expensive strategy.

So what are the elements of an effective patching strategy? All of the following are important:

- After installing a new system, install all recommended vendor security patches. Most vendors maintain a website that provides the necessary information.
- Subscribe to security-related email lists from vendors, and apply patches when recommended. Most major software vendors offer these subscriptions for free.
- Subscribe to the CERT mailing list, accessible at http://www.cert.[...], and apply patches as recommended.
- Be sure to apply patches to all third-party applications (e.g., firewalls, web servers, mail servers) in addition to patching the operating system.
- Maintain a database that keeps track of what patches have been applied to the organization's most important systems: the Internet-accessible systems, internal routers, databases and back office servers. If time and money are available, expand this database to include all company systems, both desktops and notebooks.
- Ensure that all Microsoft and Macintosh computers are running recent antivirus software and that automated processes are running to regularly update the virus definitions. It is particularly important that antivirus software be regularly updated on portable computers used by mobile workers. These staff members frequently connect to unprotected networks where the chances of a virus infection are higher than on their corporate network.

Patching systems is a crucial part of a proactive strategy to defend against network attacks. However, there are other techniques that, when combined with patching, provide an even more effective defense. Two of these techniques are discussed below.

Automated Vulnerability Assessment

Even aggressive patching does not "immunize" systems against all network attacks. Other sources of system vulnerabilities include misconfigurations, stolen or improperly protected passwords, poorly trained staff, unexpected interactions between systems, or even hardware failures. Unless these additional vulnerabilities are discovered and addressed, they can be exploited through manual or automated attacks and cause very significant network damages. The basic idea of automated vulnerability assessment is that one uses a program, or better yet, several programs, that are able to systematically scan remote systems and networks and identify security vulnerabilities.

There are several sources of such programs today. Examples include: Nessus, nmap, SAINT, CyberCop, ISS, and BindView. These programs can be very effective at discovering previously unknown system vulnerabilities. In fact, attackers use tools very similar to these to identify exposed vulnerabilities in their targets. Unfortunately, it can be difficult to use these programs. The programs themselves can be complex and not easy to configure, and the results can be difficult to interpret. The programs themselves also need to be regularly updated so they can scan for recently discovered vulnerabilities. It can also be difficult to find a place on the company network that truly represents an "Internet view" of the company network. And any company staff member who performs vulnerability scans using these tools has an insider's knowledge of the network and may therefore overlook (or be forced to skip) systems that a hacker would focus on.

The recommended approach to automated network vulnerability assessment is to outsource. In practice this means hiring an outside company to perform the network scanning and then prepare a well-documented report (containing specific details on how to fix any detected vulnerabilities). Most of the Big 5 accounting firms offer this kind of service, but the price is high, and they often want to bundle many other services with a network security scan. One of the best independent companies that offers network vulnerability scanning services is VIGILANTe. Their flagship scanning service, SecureScan NX, scans a network internally as well as externally. Their scanning service includes not only many tools they have developed themselves, but several other commercial and shareware tools like Nessus, nmap, CyberCop, ISS, and Vigilinx. When using an outsourced scanning service, it's important to have the scans performed at regular intervals. This is not just a one-time thing. Every company needs to decide on a "scan frequency"; once every 90 days is suggested as a reasonable minimum scan rate. Regular vulnerability scanning along with diligent system patching can go a long way to providing a highly effective defense against system attackers.

Independent Security Audit

An important additional measure that organizations can take in order to create an even higher level of network security is to engage the services of a professional security consulting company. There are many companies that offer on-site consulting services, including all of the Big 5 accounting firms, Foundstone and lots of independent professional security auditors. Independent security assessments also involve the use of manual and automated security tools. The advantage of an independent security audit is that when experienced security consultants visit a company and interview critical staff members, they can discover critical weaknesses in security processes (or, indeed, the lack of such processes). A complete report is delivered at the end of the audit.

A Security Policy

No discussion on proactive security would be complete without mentioning the security policy. While there are many topics that should be covered in such a policy, one of the most important concerns staff member use of computers and networks. Unless employees are given specific details on what is and is not permitted, they may inadvertently introduce a virus or worm into the network. A good source of information for companies wanting to improve their security policies may be found at http://www.ietf.[...].txt

Reactive Security

Although the title of this article is "Proactive Versus Reactive Security," the two approaches are really not mutually exclusive. Every organization needs to be prepared for successful attacks (also known as intrusions), denial of service attacks, virus and worm outbreaks, and even attacks by disgruntled employees with an insider's knowledge of the systems and networks. Given today's geopolitical environment, it has become critical for every organization to have a workable Disaster Recovery Plan (DRP) as well.
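As an added illustration, not part of the original article, of two of its recommendations (the database that tracks which patches have been applied to each important system, including third-party applications, and the 90-day minimum scan frequency for outsourced vulnerability scanning), the following Python sketch checks a constructed inventory for required-but-missing patches and for systems whose last scan is overdue. All hostnames, patch identifiers and dates are placeholders.

```python
from datetime import date, timedelta

# Constructed example data: hostnames, patch identifiers and dates are
# placeholders, not real advisories or real systems.
REQUIRED_PATCHES = {
    "os": {"OS-PATCH-01", "OS-PATCH-02"},
    "webserver": {"WEB-PATCH-07"},      # third-party apps are patched too
    "mailserver": {"MAIL-PATCH-03"},
}

INVENTORY = {
    "web-01": {"software": ["os", "webserver"],
               "applied": {"OS-PATCH-01", "OS-PATCH-02", "WEB-PATCH-07"},
               "last_scan": date(2001, 9, 20)},
    "mail-01": {"software": ["os", "mailserver"],
                "applied": {"OS-PATCH-01"},
                "last_scan": date(2001, 5, 15)},
    "db-01": {"software": ["os"],
              "applied": set(),
              "last_scan": None},          # never scanned
}

SCAN_INTERVAL_DAYS = 90            # the article's suggested minimum scan rate
REPORT_DATE = date(2001, 10, 1)    # constructed "today" for the report


def missing_patches(inventory, required):
    """Return {host: sorted required-but-unapplied patch IDs}, omitting
    hosts that are fully patched for every product they run."""
    report = {}
    for host, rec in inventory.items():
        needed = set().union(*(required[sw] for sw in rec["software"]))
        gap = needed - rec["applied"]
        if gap:
            report[host] = sorted(gap)
    return report


def stale_scans(inventory, today, max_age_days=SCAN_INTERVAL_DAYS):
    """Return hosts never scanned or last scanned before the cutoff."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(host for host, rec in inventory.items()
                  if rec["last_scan"] is None or rec["last_scan"] < cutoff)


if __name__ == "__main__":
    print("missing patches:", missing_patches(INVENTORY, REQUIRED_PATCHES))
    print("overdue scans:", stale_scans(INVENTORY, REPORT_DATE))
```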

Of all the "bad things" that can happen on a company's networks, the most common and most expensive (historically) is the virus/worm outbreak. Such attacks can tie up networks, cripple mail servers and disable many individual PCs, or otherwise cause significant damage to system infrastructure. It's beyond the scope of this article to discuss the specifics of a virus/worm reaction policy. Many of the popular commercial antivirus vendors provide some insights on their websites.

Conclusion

As we have seen, proactive and reactive security are not opposing forces. Every organization needs to find an appropriate balance between how many resources can be devoted to proactive measures designed to deter network attacks, and how many to devote to reacting to intrusions. However this balance is addressed, it is strongly recommended that every organization have an effective patching process in place, and have networks scanned using vulnerability assessment programs. Those are the two most important components of proactive security.
