Re: [fw-wiz] Application-level Attacks

From: Adam Shostack (adam_at_homeport.org)
Date: 01/28/05

    To: firewall-wizards@honor.icsalabs.com
    Date: Fri, 28 Jan 2005 11:45:55 -0500
    
    

    On Fri, Jan 28, 2005 at 09:24:12PM +0530, Devdas Bhagat wrote:
    | On 27/01/05 18:56 -0800, Crispin Cowan wrote:
    | > Shimon Silberschlag wrote:
    | >
    | > > Today, when attacks are shifting towards using the already open ports
    | > > on the firewall, at the application level,
    | >
    | > It is often said that contemporary attacks are migrating to
    | > application-level attacks. Can someone point me to data backing this claim?
    |
    | Or the reverse, data showing that older attacks were not application
    | layer attacks (packet flooding and the rare ping of death attack excepted).

    I think that older attacks were not application-layer from a business
    perspective; they may have been at one layer or another of the
    technical stack, but they rarely attacked core business
    functionality. I think that a combination of technical factors (more
    money moved through internet systems) and social ones (attackers who
    are in it for the money) combine to make a new type of attack.

    Richard Bejtlich asked some similar questions at:
    http://taosecurity.blogspot.com/2005/01/application-vulnerabilities-are-not.html,
    and I responded at http://www.emergentchaos.com/archives/000840.html:

    > I think that Richard is both right, in that there's no big technical
    > shift, and wrong, in that the attacks will mature. As I said a few
    > days ago, the attackers will become more clever in using the attacks
    > to make money. There's also a perception issue, a blowback, if you
    > will, of the success of database-driven vulnerability scanners like
    > ISS and Nessus. These scanners are very effective at finding
    > instances of the sorts of vulnerabilities that get CVE entries. They
    > are less effective, if they even try, at finding vulnerabilities in
    > your locally developed application. Here tools like those from
    > Kavado and SPI Dynamics do much better. Rather than working from a
    > database of flaws, they inspect a web application for classes of
    > flaw, by running attacks against the site in a controlled way. So
    > the success of the database-driven scanners is that people think
    > that they can run those scanners and learn how an attacker can get
    > in. And that's correct. But no tool will give you a complete
    > list. And so I expect that what the SANS folks are talking about is
    > a rise in attacks against the business infrastructure, rather than
    > the technical infrastructure. If they're not, they should be.

