BT Counterpane - Managed Security Services

“We could not possibly replicate Counterpane’s service ourselves. We couldn’t staff it. And even if we could, we would not get the benefits of Counterpane’s global view. They watch security incidents throughout the globe, and we benefit from that.”

- David MacLeod, Ph.D., CISSP, The Regence Group CISO


COUNTERPANE INTERNET SECURITY, INC. HELPS CUSTOMERS RESOLVE THE SANS TOP 20 VULNERABILITY EXPLOITS

Counterpane's Managed Security Monitoring (MSM) service directly attacks non-existent or incomplete logging processes

CUPERTINO, Calif., October 23, 2001 - Counterpane Internet Security, Inc., developer and leading provider of Managed Security Monitoring (MSM), today announced that its MSM service significantly reduces the exposure caused by incomplete or non-existent logging on customers' enterprise-wide network and information security systems. SANS, the System Administration and Network Security Institute, recently announced the release of its newly revamped consensus security vulnerabilities list. The SANS document lists the 20 most frequently exploited misconfiguration and software vulnerabilities on the Internet. SANS vulnerability "G6" concerns logging and speaks directly to Counterpane's MSM service. MSM also helps reduce the risks introduced by a number of the other SANS Top 20 vulnerabilities.

The list was compiled from the input of a multitude of security experts and enterprise system administrators, including contributions from Counterpane. The report, including documentation on how to decide whether a system is vulnerable and how to mitigate the risk, is available at: http://66.129.1.101/top20.htm.

"Changing system configurations and validating software patches, especially in today's complex network and applications environments, is a time-consuming process. This is one of the reasons why so many people who 'know better' don't always update their system," says Bruce Schneier, co-founder and Chief Technology Officer for Counterpane Internet Security, Inc. "But real-time monitoring can improve your security substantially by allowing you to let Counterpane notify you immediately when attackers look for these problems."

Fixing every computer vulnerability is impossible. Even installing every available security patch is unreasonable to expect. Realizing this, last year SANS issued their "Top 10" list of security vulnerabilities. "If you can't fix everything," they suggested, "at least fix these. If you plan on fixing everything, fix these first."

"Prioritizing vulnerabilities is important, and I am pleased that SANS recently updated their list. The 'Top 20' includes generic problems for system administrators, like incomplete logging and leaving unnecessary services running, as well as specific bugs in Windows and UNIX software," says Tina Bird, Security Architect for Counterpane. "I urge system administrators to use the list to prioritize their security activities."

"In order to detect anything, you have to read the system logs in real time, 24 hours a day and seven days a week. Read them once a week, and you'll find out what the hackers did. Read them consistently, and you'll find out what the hacker IS DOING," advises Schneier. "Real-time monitoring is what Counterpane does, and this is why so many companies use us as an integral part of their security."

If you're already a Counterpane monitoring customer, you can immediately protect yourself from some of these vulnerabilities by increasing the number of devices being monitored by Counterpane. In addition to the firewalls, routers, and intrusion detection systems that you already monitor through Counterpane, you should consider adding authentication systems (RADIUS, TACACS, or SecurID servers), Windows domain controllers, enterprise backup servers, and network monitoring servers to your monitoring infrastructure, by pointing their log data to the Counterpane Sentry. The more you monitor, the better job you do at catching intruders.

If you've deployed intrusion detection systems and anti-virus code, be sure that your detection signatures are up to date and tuned to your environment. If you've written custom signatures for your IDS, informing Counterpane about them (via the Secure Operations Center or your Technical Services Representative) will enable Counterpane to monitor them more effectively.

Counterpane recommends:

If your organization depends on default installations of operating systems (especially any of the Windows variants, Solaris, Linux, and Cisco IOS), and on popular but frequently misconfigured applications like sendmail and BIND, verify your logging configuration even before you work on removing the vulnerabilities.

In addition to the firewalls, routers, and intrusion detection systems that you already monitor through Counterpane, consider adding the following systems to your monitoring infrastructure by pointing their log data to the Counterpane Sentry:

  • authentication systems (RADIUS, TACACS, or SecurID servers)
  • Windows domain controllers
  • enterprise backup servers
  • network monitoring servers

DISCLAIMER: This information is provided for informational purposes and without warranty. Counterpane recommends consulting your security policy when responding to this or any security related event. Counterpane also recommends testing any vendor recommended countermeasures prior to their deployment in a production environment.

LATE BREAKING NEWS: COUNTERPANE INTRODUCES "COUNTERPANE PROTECTED" SERVICE TO AUGMENT ITS POPULAR MANAGED SECURITY MONITORING

New level of service will assist customers in proactively addressing the evolving information security threat environment with a focus on the SANS Top 20 vulnerabilities

See http://www.counterpane.com/pr-protected.html for more information.

About Counterpane

Counterpane Internet Security, Inc. is the developer and leading provider of Managed Security Monitoring. Established in 1999 by entrepreneurial expert Tom Rowley and security technologist and author Bruce Schneier, Counterpane addresses the critical need for increased levels of security services. Centered on a network of sophisticated Secure Operations Centers, staffed by expert security analysts, the Company provides 24x7 monitoring, as well as penetration detection and response. Counterpane's Managed Security Monitoring services enable e-business to be conducted safely. The company is funded by Accel Partners, Amerindo Investment Advisors, Inc., Bessemer Venture Partners, Dell, Deutsche Bank, Goldman Sachs, and Morgan Stanley Dean Witter Equity Fund. Headquarters are located at 1090 La Avenida, Mountain View, California, USA. Phone: 650-404-2400, Fax: 650-903-0461, Website: www.counterpane.com.

###

Counterpane is a trademark of Counterpane Internet Security, Inc. All other companies, brand names or products are trademarks or registered trademarks of their respective companies.

The SANS Top Twenty Vulnerabilities

Reference: http://66.129.1.101/top20.htm

Vulnerabilities for all operating systems

G1: Default installs of operating systems and applications
G2: Accounts with No Passwords or Weak Passwords
G3: Non-existent or Incomplete Backups
G4: Large number of open ports
G5: Not filtering packets for correct incoming and outgoing addresses

Be sure that your Counterpane Technical Services representative has up-to-date information on your network topology. Something as simple as a text list of your internal address ranges will help us identify internal vs. external traffic through your perimeter systems, and help us identify spoofing attacks.

G6: Non-existent or incomplete logging
G7: Vulnerable CGI Programs
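The note under G5 above says that a plain text list of internal address ranges lets the monitoring analysts separate internal from external traffic at the perimeter and spot spoofing. The following script is an added illustration of that check and is not Counterpane's code or Sentry output: it takes a constructed list of internal ranges, parses a few constructed firewall log lines in a netfilter-style format (the `IN=`/`OUT=`/`SRC=`/`DST=` fields, the interface name `eth0` as the Internet-facing side, and the ranges themselves are all assumptions), and flags packets whose source address is on the wrong side of the perimeter for the interface they arrived on.

```python
import ipaddress
import re

# Constructed stand-in for the customer's text list of internal address ranges.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.0/24")]

# Assumption: eth0 faces the Internet, every other interface faces the inside.
EXTERNAL_IF = "eth0"

# Constructed sample log lines (netfilter-style fields); not real device output.
SAMPLE_LOGS = """\
Oct 23 10:01:02 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.1.2.3 PROTO=TCP DPT=80
Oct 23 10:01:05 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.1.2.9 DST=10.1.2.3 PROTO=TCP DPT=22
Oct 23 10:01:07 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=198.51.100.4 PROTO=TCP DPT=443
Oct 23 10:01:09 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=172.16.5.5 DST=198.51.100.4 PROTO=UDP DPT=53
"""

LINE_RE = re.compile(r"IN=(?P<in>\S*) OUT=(?P<out>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+)")


def is_internal(addr: str) -> bool:
    """True if the address falls inside one of the declared internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_RANGES)


def classify(line: str):
    """Label one log line by direction, or as spoofed when the source address
    does not belong on the interface it arrived through. Returns None for
    lines that do not carry the expected fields."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src_internal = is_internal(m["src"])
    arrived_outside = m["in"] == EXTERNAL_IF
    if arrived_outside and src_internal:
        # An internal address must never arrive from the Internet side.
        verdict = "SPOOFED-INGRESS"
    elif not arrived_outside and not src_internal:
        # A non-internal source leaving from inside: spoofing, or a range
        # missing from INTERNAL_RANGES.
        verdict = "SPOOFED-EGRESS"
    else:
        verdict = "inbound" if arrived_outside else "outbound"
    return {"src": m["src"], "dst": m["dst"], "iface": m["in"], "verdict": verdict}


def find_spoofing(log_text: str):
    """Return only the lines that failed the address/interface consistency check."""
    results = (classify(line) for line in log_text.splitlines())
    return [r for r in results if r and r["verdict"].startswith("SPOOFED")]


if __name__ == "__main__":
    for finding in find_spoofing(SAMPLE_LOGS):
        print(finding)
```

The egress case is worth keeping even though the page only mentions spoofing in passing: an inside interface that emits a source address outside the declared ranges is either a host forging packets or a range that was left off the list, which is exactly why the text above asks that the topology information be kept up to date.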

Vulnerabilities for Microsoft Windows Systems

W1: Unicode Vulnerability (Web Server Folder Traversal)
W2: ISAPI Extension Buffer Overflows
W3: IIS Remote Data Services exploit
W4: NetBIOS: unprotected Windows networking shares
W5: Information leakage via null session connections
W6: Weak hashing in SAM (LM hash)

Vulnerabilities for UNIX Systems

U1: Buffer Overflows in RPC Services
U2: Sendmail Vulnerabilities
U3: BIND Weaknesses
U4: r Commands
U5: LPD (remote print protocol daemon)
U6: sadmind and mountd
U7: Default SNMP Strings

©2008 BT Counterpane