Sunday, October 26, 2008

Microsoft Emergency Security Update (Ouch)
- Can't Patch Control Systems?
- Sockstress TCP Vulnerability Issues Next?

On Thursday 10/23, Microsoft spiced up our lives with an emergency security update (Microsoft Security Bulletin MS08-067 – Critical) to address a “wormable” vulnerability in the “Server” service that can be exploited through remote procedure calls (RPC) over the network. Similar to Blaster, unmitigated vulnerable machines can be attacked directly at the network level and immediately, completely compromised. This particular problem is also extremely exploitable once understood; security firm Immunity was able to craft a working exploit within two hours of the release of the security fix.

Don’t Neglect Control Systems - especially Critical Infrastructure. While many business network environments are going through the test and deployment process (not without some problems – e.g. some reported breakage of IPSEC), there’s also a need to be thinking about critical infrastructure, as it increasingly depends on Microsoft-based solutions. These types of problems underscore how the network environment and its management infrastructure are such an important and fundamental starting point for establishing and sustaining a defined, effective, defense-in-depth security posture. Many may assume that the environments are well separated by definition; however, when you don’t get the control system network right (or at least sufficient), it undermines everything else being done in the name of security.

Beyond layered network segmentation with strict boundary communication controls as a vital starting point, basics that are increasingly expected include protective network chokepoints (firewalls, gateways, etc.) and secure information transfer facilities (DMZs, data diodes, NIPS, etc.). Other important steps often overlooked include basics such as server system hardening and endpoint protection measures (e.g. AV, HIPS, whitelisting, etc.). As more is done in the name of security, the solutions themselves need to be managed and protected in a scalable manner - perhaps with a distinct network security management environment, also with commensurate protection.

Having well-formed mitigations in place in control system settings will help directly address risks from emergent security problems such as this, and put you in a good position when facing related regulatory scrutiny. Typical business network environments are strikingly different – often quite porous and flat, with less definitive countermeasures - and therefore press forward with patches and security updates on a regular basis across a substantial IT footprint. These are very different environments, suited only for very specific, understood and controlled interactions - having solid network security controls between the two environments is an essential part of a well-articulated cyber security architecture.

More- DHS Control Systems Security Program, Idaho National Laboratory offers the following tools:

What's Next - Sockstress Issues? How about long-standing weaknesses involving TCP network stack vulnerabilities, recently gaining attention as "Sockstress", that can be exploited to cause reachable systems to lock up (denial-of-service, DoS)? Indications are that even an attack at one packet per second can take systems down - e.g. over dialup Internet. Because this is a state-based attack, the attacker can't use spoofed packets, but even small bot farms are sufficient to carry this attack out.
> Vendors fixing bug that could crash Internet systems Computerworld, Norway - Oct 2, 2008
> SecurityNow! Episode 164: Sockstress - Oct 2, 2008
