[Full-Disclosure] Authorities eye MSBlaster suspect (long reply)

From: Chris DeVoney (cdevoney_at_u.washington.edu)
Date: 08/30/03

    To: <full-disclosure@lists.netsys.com>
    Date: Fri, 29 Aug 2003 15:49:43 -0700
    
    

    On Friday, August 29, 2003 12:22 PM, morning_wood
    [mailto:se_cur_ity@hotmail.com] wrote:

    > shouldn't these measures have been in place already?
    > instead of rushing on a per-incident basis, you should be
    > implementing these things anyway. IMHO it is prudent to expend
    > some overkill during lockdown and penetration testing on a
    > system when it is deployed or periodically tested, so there
    > is a reduction during a per-incident basis.

    IMHO, security is as heterogenic as the types of people or entities
    connected to the Internet. Your suggestion befits a single deployment or a
    range of entities. But when adding the complexity of multiple locations,
    heterogeneous systems, multiple ownership, and an open environment, security
    is more complex than written policy, training, automated tools, lockdowns,
    or penetration testing.

    In short, yeah, what you suggest is true but now let's talk about a part of
    the real world that is examined infrequently.

    Private (and non-profit) enterprises can operate under a different set of
    rules than an educational institution. By nature, a university network is an
    open resource. Although segments of that network are cordoned off (and I
    live in part of that cordoned segment), the vast majority are
    interconnected. Additionally, faculty, staff, students, alumni, and even the
    public, can use our resources. Research and sharing is a high priority.

    As to the latest exploit, measures were already in place. On the medical
    side, HIPAA already covers making best efforts to protect patient privacy.
    For example, if a machine in the medical center is compromised, it is removed
    from the network immediately, as soon as the compromise is discovered.

    For the remainder of the university campus, if any machine compromises the
    network (as in a virus/worm source), its network port is disabled until the
    machine is repaired. But all it takes is one machine and you have generated
    the incident which requires the response.

    Now consider the task of maintaining patches on 20,000 hosts (5,000 in
    health sciences; 15K through the rest of the Seattle campus). For those
    systems running Windows, the versions range from Windows 95 to Win2K+3. At
    best, patching is an Augean effort.

    To complicate matters, the central computing group for the university owns
    only a modest fraction of this number. More than 4/5 are owned by the
    various autonomous schools and departments in the university, each
    responsible for their own patching and maintenance. Nor are funds available
    to replace all old machines or operating systems, so a proclamation cannot be
    issued that the old (and normally less secure) systems shall vanish.

    And just what can be locked down? Systems, both workstations and servers, in
    the medical center have a strong best-practices policy. They live in a
    moderately-secured area of the network. But what about anything else that
    can touch them? The systems of doctors, students, and staff at home?

    How about a visiting doctor's, professor's, or even a salesman's machine?
    Computers in labs where a professor and a few assistants labor on problems?
    Students' notebooks? Each has been a live infection point. And I can
    overwhelm this list with other actual examples that defy a homogeneous
    security policy.

    Recall that security balances against usability and resources. While
    portions of the network can be secure, an entire educational network cannot
    be secured without expenditures of a size typically the domain of private
    corporations, a size of expenditure well beyond the desire demonstrated by
    state legislatures nationwide (and parallel government bodies worldwide).
    Nor can the network be secured to an exceptionally low incident level
    without depriving your employees (faculty & staff) and customers (students
    and the public) of those resources.

    And upon that subject of resources, like many other publicly-funded entities
    our budget has been reduced. We are doing more with less money. No
    complaint, businesses do it during downturns. So shall we.

    But my group's job enables investigators to conduct research that results in
    improving medical treatment. Did I mention that every dollar spent comes
    from your pocket? So, may I ask, is it more desirable to spend your money on
    improving response to human disease or improving response to electronic
    distress? It's strictly an allocation of finite resources: that dollar gets
    spent on one thing or the other. Which do you choose?

    > get educated, take some responsibility for your high-paying job,
    > and quit trying to lay the blame elsewhere.

    I take your statement rhetorically since zero research was conducted on my
    bona fides. Nor will I breach netiquette by responding on a personal basis.

    I will claim my education is expansive, I do take responsibility, and my
    compensation is considered moderate in the academic world.

    And the blame is laid where the blame is due. No one can present
    successfully to me the argument that these incidents favor us (the
    corporation/institution/public/whatever) by forcing us to be secure. It is
    arguing that thieves favor individuals by forcing home owners to install
    locks.

    I will, however, suggest an expanded horizon in the real world before making
    blanket applications of security policy. We may be part of the same solar
    system of computing, but different institutions have absolutely different
    orbits.

    cdv

    ------------------------
    Chris DeVoney
    Clinical Research Center Informatics
    University of Washington
    cdevoney@u.washington.edu
    206-598-6816
    ------------------------

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

