RE: [Full-Disclosure] Learn from history?

From: Alerta Redsegura (alerta_at_redsegura.com)
Date: 05/06/04

    To: "Full-Disclosure" <full-disclosure@lists.netsys.com>
    Date: Thu, 6 May 2004 11:04:07 -0500
    
    

    > SMBs generally aren't worried about running something like Windows Update
    > automatically, other than the fact that it uses bandwidth that they are
    > paying for.

    Down here, most SMBs use Internet flat-rate plans, whether dial-up or
    cable.
    So that's not an issue. The issue here is *knowledge and awareness*, not
    connection.

    > > >> 2. If a patch cannot be installed, find workarounds
    > > >That does not work with the workarounds customers need to facilitate
    > > >life (security <> ease of use, remember)
    >
    > Workarounds don't have a place in any sort of open user environment;
    > they take too much time to deploy and impose too many problems on the end
    > user and also need to be undone after the problem is fixed. Way way way
    > too much work there.
    >

    In the case of a Windows-based network, and excepting W98 and WME boxes, all
    updates and upgrades can be --and should be-- deployed from one machine.
    Workarounds generally have to do with registry modifications, which is just
    a matter of writing a script and deploying it. (Of course, after evaluating
    cost-benefit, testing, where *not* to install it, etc.)

    > > >> 3. If it is a port-related threat, find out if such ports are
    > > >> in use, and if not, make sure they are closed.
    > > >Once the virus is on the LAN it can do whatever it wants.
    > >
    > > Hello! Block the ports BEFORE they hit the LAN. Proactive security.
    > > Also, do us a favor and don't propagate the ***!
    >
    > What is all this rubbish about? Roughly 15% of all assets attached to
    > networks around the world are unaccounted for!! So how are you meant to
    > protect yourself against them? Example - firewall blocking all ports,
    > someone comes in with a laptop that's infected and Bob's your uncle, you're
    > left scratching your head wondering why your firewall didn't work. lmao
    > that my friends is the soft center that the black hat looks for!!
    >

    It is also a matter of well articulated policies.

    Assumptions
    ----------------
    1. You have an anti-virus/e-mail/content solution which updates signatures
    files automatically from the Internet and deploys them automatically to all
    the boxes in the network, with central alerting capabilities.

    2. You have a firewall solution at the point connecting to the
    Internet/other networks.

    3. The laptop is infected with a worm that spreads through specific ports.
    ----------------

    Now, someone comes in with a laptop that is infected and connects to the
    LAN.
    When it starts trying to infect external addresses, the firewall catches it.
    If it tries to infect local machines, the anti-virus software catches it.
    Supposing you have adequate alerting procedures in place, in both cases the
    source of the infection is easy to detect.

    Iñigo Koch
    Red Segura

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
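The scenario in the message above (an infected laptop joins the LAN and starts hammering specific ports, and the firewall or anti-virus alerting has to point at the source) can be turned into a small detection routine. The following is an added example, not code from the post or from Red Segura; it assumes a constructed, simplified firewall log format of `<epoch> <src_ip> <dst_ip> <dst_port> <action>`, a hypothetical set of watched ports, and a threshold of distinct destinations per source inside a sliding time window. All log lines and addresses below are made up for the example.

```python
"""Flag hosts that sweep worm-style ports across many destinations.

Added example; the log format, watched ports and thresholds are assumptions
made for this illustration, not a real product's format.
"""
from collections import Counter, defaultdict

# Constructed sample log. 10.0.0.42 is the infected laptop sweeping TCP/445
# across seven external (TEST-NET-3) addresses within a few seconds and being
# dropped by the border firewall. 10.0.0.7 is a normal client talking to one
# file server; 10.0.0.9 is plain web traffic. One line is deliberately malformed.
SAMPLE_LOG = """\
1083859200 10.0.0.42 203.0.113.10 445 DROP
1083859201 10.0.0.42 203.0.113.11 445 DROP
1083859201 10.0.0.7 10.0.0.50 445 ACCEPT
1083859202 10.0.0.42 203.0.113.12 445 DROP
1083859203 10.0.0.42 203.0.113.13 445 DROP
this line is not a log record
1083859203 10.0.0.9 198.51.100.8 80 ACCEPT
1083859204 10.0.0.42 203.0.113.14 445 DROP
1083859205 10.0.0.7 10.0.0.50 445 ACCEPT
1083859205 10.0.0.42 203.0.113.15 445 DROP
1083859206 10.0.0.42 203.0.113.16 445 DROP
1083859207 10.0.0.7 10.0.0.50 445 ACCEPT
"""

# Hypothetical ports a worm in this scenario would target (assumption).
WATCHED_PORTS = {135, 139, 445}
WINDOW_SECONDS = 60            # sliding window for counting distinct targets
DISTINCT_HOST_THRESHOLD = 5    # distinct destinations in a window that trigger an alert


def parse_line(line):
    """Parse one record; return a dict or None if the line is not well-formed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, action = parts
    try:
        return {"ts": int(ts), "src": src, "dst": dst,
                "dport": int(dport), "action": action}
    except ValueError:
        return None


def find_sweeping_hosts(log_text, ports=WATCHED_PORTS,
                        window=WINDOW_SECONDS, threshold=DISTINCT_HOST_THRESHOLD):
    """Return {source_ip: max distinct destinations seen within one window}
    for every source that reached `threshold` distinct destinations on a
    watched port inside `window` seconds."""
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in ports:
            continue
        events[rec["src"]].append((rec["ts"], rec["dst"]))

    flagged = {}
    for src, evs in events.items():
        evs.sort()                 # order by timestamp for the sliding window
        in_window = Counter()      # dst -> number of events currently in window
        left = 0
        for ts, dst in evs:
            in_window[dst] += 1
            # Drop events that fell out of the window [ts - window, ts].
            while evs[left][0] < ts - window:
                old_dst = evs[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            distinct = len(in_window)
            if distinct >= threshold:
                flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


if __name__ == "__main__":
    for src, n in sorted(find_sweeping_hosts(SAMPLE_LOG).items()):
        print(f"ALERT: {src} contacted {n} distinct hosts on watched ports "
              f"within {WINDOW_SECONDS}s")
```

The routine only ever reports the internal source address, which is the piece of information the alerting procedure in the message needs; the sliding window keeps a long-running, low-rate scan from being confused with one busy file-server client that repeatedly hits a single destination on the same port.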

