UNIT 10






MALICIOUS CODE ATTACKS

FLAWS IN SOFTWARE

Read and memorize the following words:

software quality – the quality of software

to settle – to resolve, to reach a decision

to install patches – to apply "patches"

out-of-the-box settings – settings outside the unit (case)

lack of discipline – absence of order

to seek alternative products – to look for alternative products

to take advantage – to make use of an advantage

software flaws – shortcomings of software

to prevent – to avert

up to date – in a timely manner

There is considerable debate about software quality and the responsibility of software producers to develop and sell more secure software. There are also numerous perspectives on developer responsibility. Some developers believe that security is the responsibility of the organizations that deploy their products. Many users, however, believe that software products should be secure right out of the box. It is not likely that this debate will end any time soon.

One thing that is certain is that organizations cannot wait for the debate to be settled. More than 3,000 vulnerabilities have been discovered during the last three years. Every month, about 200 new software vulnerabilities are discovered. This means that organizations need to keep up to date about vulnerabilities in the products they use. Once vulnerabilities are announced, steps must be taken to install patches or seek alternative products for high-risk applications.

Some malicious code attacks did not have to happen. In early 2003 when the Oracle SQL Slammer worm struck, a patch had been available for six months that would have prevented the worm from attacking a system. Many people cast blame for Slammer on system managers for not having patched their systems. There is some validity to that position, but keep in mind that Slammer or a similar worm could have been written to take advantage of vulnerabilities that the patch did not address. With 200 new vulnerabilities being discovered every month, there is always something for an attacker to take advantage of that can cause your organization pain and discomfort.

The main thing to keep in mind is that software flaws and vulnerabilities are chronic. They will never go away. This is one of the conditions that make computer security an ongoing and never-ending process. This point should be constantly reiterated to managers and computer users.

Another one of the major causes of vulnerable systems is how computers and networking devices are configured when they are installed. Several years ago, it was determined that the out-of-the-box settings for many operating systems introduced an unnecessary weakness into a computing environment. Although the out-of-the-box settings allowed the system to function adequately, the settings were not optimized for security.

Ongoing configuration is generally weak in most organizations. There is often a lack of documentation regarding how many computers and network devices are configured once they have been installed. Far too many organizations do a poor job of maintaining documentation about their technology. This is caused, in part, by a lack of discipline in IT departments. Another cause of poor documentation is a common trend of understaffing IT departments. Far too many of the problems caused by weak configurations and slowness in patching software products to reduce vulnerabilities can be tied back to inadequate IT staffing.

Information on security-focused configurations is not difficult to find, and there are several sources of information. Manufacturers can provide advice through their help desks or system documentation.

Questions:

What are organizations debating about?

What do some developers believe about security?

How many vulnerabilities have been discovered during the last three years?

Name all major causes of vulnerable systems.

 

 






