Vulnerability Assessment: A Component-Based Design using CORBA

First, I apologize for the sporadic outages over the past week. A vortex of hardware and ISP problems combined to give me a horrible connectivity problem. The ISP issues seem to have been resolved, and new hardware is on order.

Last night I finished a paper titled Vulnerability Assessment: A Component-Based Design using CORBA. This paper discusses a different approach to designing VA tools with the goal of improving reliability and efficiency. Current VA tools are configured and designed in a way that makes them rather inflexible, leading to efficiency and management problems. Designing the system using a component architecture - CORBA, in this case - the system can be more flexible and handle connectivity issues more gracefully. Also available online is a presentation of the paper's main topics that I gave a few weeks ago at GWU. The paper is not intended to be a complete solution to the problems mentionted, but rather an introduction to the problems and a framework for a solution. Comments are welcome.


What is Common Criteria

I received the following from a friend today, via email, that I thought warranted some attention:
know anything about this?

Provided in the link is a set of "Common Criteria" tools developed by Apple. Common Criteria (which is actually shorthand) is a buzzword that many people in IT have heard, but is a topic they don't have much exposure to. For that purpose, I figured I would provide a brief outline and resources for further research.

The "Common Criteria for Information Technology Security Evaluation" is essentially a set of guidelines that can be applied to computers for certification as "secure." I put that word in quotes for a reason: every good analyst knows that meeting certain predefined and broad guidelines doesn't guarantee system security. Additional monitoring and analysis by security analysts should be performed in order to evaluate the unique security issues that apply to each system. However, these guidelines can play an important role in assessing risk within an organization. The CC guidelines are tied closely to "Certification and Accreditation" (often called "CnA") of mission-critical US government systems. Performing CnA's is required by the Federal Information Security Management Act (FISMA) of 2002, and is one item that every government agency is graded on each fiscal year. The formula provided by FISMA employing CC isn't perfect, but it's a step in the right direction.

I haven't used the tools identified in the link, so I'm speculating here, but it appears that this tool will evaluate the system against the Common Criteria established by NIST, the NSA, and a host of other foreign government bodies.

Analyzing and implementing the Common Criteria can itself be a career, and I haven't even scratched the surface here. However, I recommend security professionals familiarize themselves with Common Criteria Project concepts, where they are used, and what their goals and implications are. This is information that will come in handy, in a practical or theoretical sense, at some point in many InfoSec career paths.


On Vulnerability Assessment, and Internet Reconnaissance

Today I will be discussing two completely unrelated topics, both involving very recent events.

Vulnerability Assessment
Yesterday, I was privileged to have a project of mine presented as part of the SANS WhatWorks series. Bill Geimer, my boss and the manager of the contract, presented along with the other engineer involved, Brent Duckworth. The presentation was an excellent outline of some of the challenges in implementing an enterprise-class vulnerability assessment/management system from a high level, as well as highlighting how to run such a project smoothly and properly. This was certainly one of the most successful InfoSec projects I've been involved with, and I was happy to see it highlighted to a global audience. By the close of the webinar, over 800 attendees had connected. I was pleased to see so many individuals interested in our work.

The presentation is still available online. If you're interested in effectively using vulnerability assessment tools in an enterprise or business environment, I highly recommend you listen to it. I will include a much more technical entry on designing effective vulnerability assessment tools in a later entry, once my research on Component-based Design of Vulnerability Assessment Tools with CORBA is complete in a few weeks. I would also be more than happy to answer any questions regarding the project here, but the reader should understand some specific questions may reveal sensitive information and will be deferred.

Internet Reconnaissance: TCP/1025
Moving on to a more serious and technical subject, one network that I monitor has seen an enormous increase in TCP/1025 scans. The network saw nearly 2.6 million requests for this service over the 24-hour period yesterday, from 10,820 unique sources, compared to just a few thousand in previous weeks. According to IANA, this port is reserved for "network blackjack," but I doubt 10,820 people suddenly got the internet gambling+hacking bug in the same day. This was mentioned yesterday in the Internet Storm Center's diary. If anyone has any helpful information on this, please contact the handlers at the ISC so this information can get compiled and analyzed quickly. This is the kind of activity that can precede (and has in the past) a huge attack that affects everyone.