[Dshield] Security assurance for less obvious platforms

Darren Spruell phatbuckett at gmail.com
Sun Dec 2 23:25:53 GMT 2007


Not every organization has to deal with them, but in certain sectors
there exist a large number of systems that fall outside of the primary
support model and frequently outside of the mainline area of focus for
information security assurance. I'm thinking of platforms found in
production and manufacturing lines, Industrial Control Systems (ICS)
and SCADA settings, and very old database and other gargantuan
applications, of the flavor that don't run Windows, Linux, Solaris, or
other platforms that are the primary focus in most IT organizations.
(Open)VMS, OS/400 and i5/OS, VxWorks, QNX and other systems of this
type come to mind. I'm sure that there are dozens of others that I
haven't heard of.

Many of these systems are connected to the internal network, are
frequently not segmented away from the rest of the network, and are
outfitted with TCP/IP stacks. Worse, most of them run ancient and
arcane network services, were never deployed in a hardened fashion,
and are administered by system operators who have no clue about
security or the need for it. Some of these guys are living in a
fantasy world where they think the only threats out there are viruses
and worms which target Windows PCs, and equate that to the belief that
they're free from threat of compromise. For many of these systems, I'm
of the belief that the vendors themselves have no idea of the security
risks that the platforms can face, and I suspect that they are so far
behind more modern platforms that an endless supply of vulnerabilities
would be discovered if researchers cared more about them.

If you work in a setting where these types of systems and others like
them are prevalent, and you know they're not getting the kind of care
and feeding they probably should - what resources exist for an
organization to get them up to a reasonable level of assurance outside
of general best practice?

The kind of resources I'd like would be hardening guides; patch
program/procedure recommendations; vulnerability advisory sources;
vulnerability analysis utilities or guidelines that have some
capabilities for them; best practice guides, and so on. Resources from
parties outside of the direct vendors are particularly nice.

I'm not comfortable with the answer I've heard in the past, which is
that most attackers don't have the skills needed to compromise these
systems. Even if that were the case, many times these platforms are
used for purposes so critical that the effect compromise would have is
either incredibly costly or a matter of life and safety in some
settings (financial, utility, aerospace, medical, etc.).

DS