Search NIST's ICAT
By Peter Mell
Introduction to ICAT
Recent attacks on computer systems have intensified the need for relevant, timely information about the attacks and how to prevent them. The Computer Security Division at NIST's Information Technology Laboratory has created a searchable index containing 700 of the most important publicly known computer security vulnerabilities. This index, called ICAT (pronounced eye-cat), helps the user to search for specific vulnerabilities and identify those vulnerabilities that are applicable to their organizations. ICAT provides a summary of selected vulnerabilities and links to patch information specific to each vulnerability. ICAT is available at: http://icat.nist.gov/. Organizations are advised to use a tool such as ICAT to find and fix the vulnerabilities in their networks.
ICAT enables systems administrators to find patches for a particular system, but it does not provide a general methodology for applying patches in an organization. This ITL Bulletin presents such guidance. ICAT will be most effective when applied using the suggested methodology.
The Common Vulnerabilities and Exposures List
The vulnerability information indexed by ICAT pertains to those vulnerabilities included in a standard vulnerability-naming scheme called CVE (Common Vulnerabilities and Exposures). The CVE standard defines a unique name for every widely applicable vulnerability. The list of vulnerability names and information on CVE is maintained by MITRE and can be viewed at: http://cve.mitre.org. The vulnerabilities in the CVE list are chosen by a prominent board of industry, government, and academia members (http://cve.mitre.org/Board_Sponsors/board.html) from the set of vulnerabilities publicly announced on the Internet. While this board’s mission is to uniquely name all publicly known vulnerabilities, they are currently targeting recently discovered vulnerabilities and older vulnerabilities that are important enough to be included in commercial intrusion detection and vulnerability scanning products.
By leveraging the knowledge and experience of the CVE board, ICAT contains a set of vulnerabilities that are among the most significant. It is important that organizations defend themselves against each one of these vulnerabilities. Since the current list of 700 vulnerabilities is too large for system administrators to manually review, we created ICAT to allow one to search for vulnerabilities applicable to a particular organization’s hosts.
Uses of ICAT
ICAT can help secure a network in a variety of ways, such as the following:
Securing a Host with ICAT
System administrators can use ICAT to find the vulnerabilities in their systems and to find relevant patches that will secure their systems. There are four steps in using ICAT:
Evaluating a Penetrated System with ICAT
When a host is penetrated and the penetration discovered, ICAT can aid system administrators and incident response teams by identifying methods by which a hacker could have entered the host. The related vulnerability entries in ICAT reveal what type of control the attacker could have gained over the machine. Such information can be very useful in restoring a penetrated host.
As with any crime, whenever a computer is penetrated, contact the appropriate legal and investigatory authorities. Also, government-sponsored incident response teams are available to assist in recovering from an attack. Government civilian agencies should contact the Federal Incident Response Capability (FedCIRC) at http://www.fedcirc.gov. Commercial organizations may contact the Carnegie Mellon Computer Emergency Response Team/Coordination Center (CERT/CC) at http://www.cert.org.
Understanding the Output of Security Products
An increasing number of security products identify vulnerabilities and attacks using CVE standard names. Since it uses CVE names, ICAT can be used to research the vulnerabilities and attacks reported by intrusion detection systems and vulnerability scanners. A list of over 25 vendors and computer security organizations using the CVE vulnerability-naming scheme is available at: http://cve.mitre.org/About_CVE/About/othersites.html.
ICAT’s Web-based interface, shown in Figure 1, is easy to use and is well documented on the Web site. In this section, we present a short introduction to and an example of the ICAT search capability. We suggest that you follow this example on the ICAT Web site.
At the ICAT search page, type in a keyword associated with the type of vulnerabilities that you wish to view. Type in the names of software products, operating systems, or devices. For example, type "solaris.” To see only entries containing a particular keyword, type "+" before the word. For example, to see only vulnerabilities pertaining to Solaris systems, enter "+solaris." Include software version numbers to further refine a search. Enter "+solaris 2.5" (note the necessary space between keywords). The resulting search will list all Solaris vulnerabilities with those pertaining to version 2.5 at the top of the list. Avoid upper-case letters when searching ICAT, as that will result in a case-sensitive search.n>
At this point, type “+solaris 2.5” into the search text string box and press the “Seek” button. ICAT will return at least 98 vulnerabilities that are applicable to version 2.5 of the Solaris operating system. Before we discuss the search-results page, press the browser back button and we will refine our search using the drop-down menus. At this point, you should have “+solaris 2.5” typed into the search text box and all drop-down menus should be set to “Any.”
Figure 1: ICAT search page
Use the drop-down menus to refine your search. Each menu permits the user to choose a particular vulnerability attribute. The search engine returns only vulnerabilities that meet the criteria specified in ALL drop-down menu selections. Most of the available drop-down menus and associated choices are shown in Table 1. (See the ICAT documentation for an explanation of the terms in Table 1.)
Table 1: Search filters available in the ICAT drop-down search menus
Besides the drop-down menus listed in Table 1, there is also a menu to search the vulnerability entries by vendor names. There are currently 77 vendors represented in the ICAT vulnerability set.
At this point, we will refine our current query using the drop-down menus. Using the “Related exploit range” menu, select “Remote” to specify that we want to view only remotely exploitable vulnerabilities. Also, using the “Severity” menu, select “High severity” to specify that we want to look only at vulnerabilities that meet ICAT’s definition of high severity (see the documentation for details).
A Sample ICAT Entry
After creating a search query, press the “Seek” button and ICAT will state the number of search results and a list of vulnerabilities that meet the search criteria. Each vulnerability is identified by a CVE number, a one-line description, and the date on which the vulnerability was first published. Browse through the vulnerabilities and click on “CVE 1999-0210.”
As shown in Figure 2, you are now presented with an ICAT entry that summarizes the vulnerability. The entry is not a complete description of the vulnerability because ICAT is not a vulnerability database. Instead, ICAT summarizes the most important features of the vulnerability. This will enable you to quickly determine whether the vulnerability is applicable to your environment. Several fields will be particularly useful:
· the “Summary” line gives a one-line description of the vulnerability,
· the “Vulnerable software and versions” line lists the name and version numbers of the vulnerable software,
· the “Applicable vendors” line lists the vendors whose software is vulnerable to this problem,
· the “Exploitable Range” line tells whether or not a vulnerability can be remotely exploitable, and
· the “Loss type” line describes what kind of privilege the vulnerability can give a hacker.
If the vulnerability is applicable, one will need to find patch information and a more thorough description of the vulnerability. To fulfill this need, ICAT provides one or more references to patch sites or vulnerability database entries that contain more information. Continuing with our example, click on the hyperlink in the row labeled “Reference 2.” This link takes one to the CERT/CC advisory Web site and looks up the particular vulnerability. The CERT/CC advisory thoroughly describes the vulnerability and provides patch information. When you are done browsing the CERT advisory, press the search button on the top menu bar to return to the ICAT search screen.
Figure 2: Typical ICAT vulnerability entry
The Importance of Security Advisories
While ICAT will aid system administrators by identifying recent vulnerabilities, it is not an early warning system. However, it is important that every organization subscribe to an early warning service. To understand why this is necessary, consider what happens when a hacker publishes a widely applicable attack script on the Internet. Overnight, millions of systems can become completely vulnerable to anyone running the script. In such cases, organizations must be notified very quickly.
Several incident response teams send out early warning advisories along with advisories about high-impact vulnerabilities. The advisories describe the vulnerability and how to mitigate or patch the problem. Every organization should monitor these advisories and have a program in place to take appropriate action. Most incident response teams have a mailing list so that new advisories are automatically sent to the appropriate person. Two of the best sources for such advisories are FedCIRC and the CERT/CC.
While important, advisories cover only the most critical vulnerabilities. Consequently, monitoring these advisories is not sufficient. Advisories must be used in conjunction with another tool, such as ICAT, that covers a broader range of known vulnerabilities.
Guidance on Patching Systems
Updating software is one of the most important aspects of maintaining a secure network. It is often overlooked because it seems like a monumental task. For example, how can a single system administrator spend several hours updating each computer at a site with 500 computers? While updating the computers in your network seems overwhelming, this section provides guidance on updating software efficiently. We assume that organizations will be manually installing patches, as this is the most common method today. However, new software is coming to market that allows one to automatically distribute patches throughout an enterprise.
Types of Patches
Patches are small programs that replace error-ridden code with corrected code. The term “patching” is used to refer to fixing security flaws in software. There are three ways to fix security flaws or to “patch a system”: work-arounds, patches, and upgrades. Work-arounds are procedures that a system administrator can use to fix a vulnerability. However, applying work-arounds may limit the functionality of the system being protected. While people generally talk about patching a system to secure it, upgrading to the newest software version is often, but not always, a simple way to ensure that all relevant patches are installed.
Three Steps to Patching a Network
Step 1: Identify Critical Resources
Identify those computers in your network that are critical and update those first. Critical hosts are typically those that are most visible to the outside world, those that store mission-critical data, and those that provide the most critical resources. A typical network’s list of critical resources includes external Web sites, routers, firewalls, e-mail servers, DNS servers, and database servers.
Step 2: Updating Critical Resources
Each critical host should be examined regularly (at least monthly) to determine if any software needs to be updated. All software that an attacker could exploit must be updated regularly. Software in this category includes the operating system, servers or any software that receives network packets, software running as root or administrator, and security software (especially virus checkers). Make a list of such software per host and write down the associated version numbers. Then, find and install the available patches that are to be applied to your version of the software by using ICAT or by visiting the patch site of each vendor for every software package on a host. Each software vendor will have unique instructions on how to install their patches. Be careful to follow their instructions, as patches sometimes must be installed in a strict sequence for the process to work.
Step 3: Updating Non-Critical Resources
Non-critical hosts are obviously less important to protect than critical hosts. However, an attacker may break into a non-critical host and then use that host to attack critical resources. Thus, the level of security of non-critical hosts is important. Since it is a daunting task to update the software on all non-critical hosts in a network, many systems administrators do not regularly update non-critical hosts that are shielded with external and internal firewalls. The firewalls prevent outside network traffic from being routed to non-critical hosts, which helps protect them from attack. This technique works well but it does not protect against all attacks. Specifically, viruses and Trojan horses (especially those transmitted through e-mail that are typically passed through the firewall) can still attack non-critical hosts.
In order to secure non-critical hosts cost-effectively, install firewalls inside your organization to protect groups of non-critical hosts from other parts of the network. This way, if an attacker breaks into a host in your organization, the attacker cannot easily spread their influence to other hosts. Install virus checkers on all non-critical hosts that receive e-mail and configure them to automatically update weekly, if not daily. Lastly, once every year update each non-critical host as defined in step 2. If possible, use a standard configuration for non-critical systems, as this will simplify patching efforts.
Life for systems administrators will be made easier if users are trained to perform simple updates on their own machine. For example, users can be trained to periodically use the Microsoft® “Windows® Update” page to automatically fix security holes in the majority of non-critical host operating systems. Also, systems administrators can advertise that new versions of popular software are available for download. More advanced users will download the new version to get better features and will, as a result, install the latest security patches.
Maintaining Patch Records
We recommend that every organization maintain a Web server containing all patches they want applied to their software. This enables systems administrators to determine which patches have been approved by their organization. Records should be kept on the software and version numbers on all critical systems as well as which patches have been applied.
Automated Patch Dissemination Technology
Enterprise management systems are now becoming available that will automatically patch a set of hosts given commands from a single console. Such technology greatly reduces the time involved in installing patches and will greatly enhance the security of organizations using it. However, some organizations may prefer to wait before using this technology as the available solutions are still emerging technologies.
The ICAT Metabase is a tool that enables one to quickly identify the vulnerabilities that may exist in their systems. ICAT also provides links to relevant patch information. It provides a fine granularity of searching while covering a much larger set of vulnerabilities than is covered by most security advisories. ICAT informs administrators of the most serious threats and enables them to focus patching efforts on those patches that provide the greatest increases in security. ICAT can be an effective tool for improving the security of hosts on a network.
® Microsoft and Windows are registered trademarks of Microsoft Corporation in the United States and/or other countries.
Disclaimer: Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by the National Institute of Standards and Technology nor does it imply that the products mentioned are necessarily the best available for the purpose.