Six Network Security Resources You Should Be Watching
Coming in to work to find the machines on your network hacked is a sure-fire recipe for a bad day.
How could it happen? After all, as a good administrator, network security is at the fore of your efforts, and you update all your applications and run every software patch that comes you way as soon as you've tested them.
One possibility is that you fall victim to a so called "zero day" exploit: an attack that exploits a (usually newly discovered) vulnerability in your software for which no software fix has been released.
Since there's no fix to apply, defense against zero day exploits usually consists of ceasing to use the affected software until a security fix is available, or at the very least disabling the specific features which cause the vulnerability.
But that ignores a very important question: How do you find out about the vulnerability in the first place? If you don't know an app is vulnerable, how will you know to disable it? Every hour that it's running is an hour during which it could be hacked. Waiting for the developer to inform you that a vulnerability has been found in its software is too risky because such a vulnerability may be well known in the hacker community for days before the developer becomes aware of it.
If you are serious about your organization's security then you have to go and find out about any vulnerabilities that are discovered in the software you are running for yourself. And since it's rare that a day goes by without some new vulnerability or other being discovered, that means you need to monitor the right sources of information 365 days a year.
What are the best sources of information? Security/hacker web sites and mailing lists dedicated to the full disclosure of software vulnerabilities as soon as they are discovered. Security/hacker? The reason it's been put like that is there is little doubt that hackers and security professionals are both interested in the same thing: getting information about newly discovered vulnerabilities as early as possible, so they can take steps to close the security hole or exploit the vulnerability — depending on which side they are on — before the other side reacts.
Here are some of the best resources you should make it your business to be familiar with:
An impressive computer security web site, bought by Symantec in 2002. The site has an extremely up-to -date vulnerability database, searchable by vendor, software title and version, detailing the nature of the vulnerability, any exploits which take advantage of it, and the fixes that are available.
The United States Computer Emergency Readiness Team is a partnership between the Department of Homeland Security and the public and private sectors. Its Cyber Security Bulletins provide weekly summaries of new vulnerabilities and also give information about patches when available
Packet Storm describes itself as being "dedicated to supporting the computer security community without bias," and proclaims that it supports full disclosure. This doctrine the opposite of security through obscurity says that by letting everyone know about vulnerabilities, good guys have the opportunity to do something about them (even though bad guys can exploit them.) It levels the playing field, ensuring that administrators are not at an informational disadvantage, or have to hang out in dubious hacker chat rooms to discover news of vulnerabilities. The front page also runs a survey asking visitors "What is the most fun to exploit?" Possible answers include buffer overflows, SQL injection flaws, cross site scripting flaws … you get the idea. In other words, there's little doubt that the site is designed to appeal to all types of people good and bad, which is all the more reason why you should check its pages regularly to find out what's been discovered.
Like Packet Storm, Milw0rm is another site which operates under the philosophy of full disclosure, offering both up-to-date lists of vulnerabilities, and an archive of shellcode. (That's the short piece of code which is loaded onto a victim machine as the payload of an exploit, and which, when executed, often results in the hacker getting a command shell.) Again, if you want to know what black hatters know, you need to visit Milw0rm frequently.
Bugtraq Mailing list
Subscribe at http://www.securityfocus.com/archive
To keep right up to the minute with vulnerabilities as they are discovered, you need to join one or more vulnerability mailing lists. Bugtraq is probably the best known and respected: part of SecurityFocus, it's a moderated list which includes vulnerability announcements, advisories or warnings, and patches, workarounds and fixes.
SANS @risk Weekly Roundup
Subscribe at http://www.sans.org/newsletters/risk/
Another excellent resource, the SANS Institute weekly @RISK roundup newsletter gives a comprehensive list of newly discovered vulnerabilities during the preceding 7 days, including the software versions affected, what the result of the vulnerability is, and what can be done to mitigate the risk. Very useful.