Re: [Full-disclosure] MS05-039 spreading was: AV Reaction Times of the latest MS05-039-based Worm Attacks

trains_at_doctorunix.com
Date: 08/25/05

    Date: Thu, 25 Aug 2005 07:22:46 -0500
    To: full-disclosure@lists.grok.org.uk

    Quoting Andreas Marx <gega-it@web.de>:

    > Of course, we know that the problem related to MS05-039 is not
    > primarily an AV problem, but something for (Personal) Firewalls,
    > IDS/IPS systems and a better patch management. :-)

    This is sometimes hard to sit through. It is an access control
    problem. The rule of least access was violated by the IT staff of the
    infected organization. There was no valid business reason for end user
    X and end user Y to have access to one another's ports 135-445.
    Organizations that used some kind of NPAR technology to cut the network
    into zones successfully limited the spread of the worm from one machine
    to a few hundred machines.

    We routinely cut our networks into (up to) 4000 zones, putting
    (typically) one end user machine on each zone. The solution is not to
    patch more often (that is necessary but not sufficient).

    The solution is not to make LSA, DCOM, or whatever safe (can't be done
    and you are kidding yourself if you are waiting for that MS patch)

    The solution becomes apparent only after the network team decides to
    adopt the attitude of "Windows cannot be made safe, and I cannot remove
    Windows from my network, and all my laptop users are bringing worms in
    every day, and every idiot user out there is clicking on attachments
    that look interesting, and it's not going to get any better."

    It is an access control problem. If anybody on this list has not heard
    the principle of 'first block everything, then allow only what's
    necessary' it would surprise me greatly.

    And yet we see IT organizations slapping in PCs by the boatload without
    thinking, "maybe I have allowed too much access".

    I throw this out for discussion and flames.

    tc

    -------------------------------------------------
    Email solutions, MS Exchange alternatives and extrication,
    security services, systems integration.
    Contact: services@doctorunix.com

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
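The zoning argument in the post above, as an added example that is not part of the thread: a small Python model of a default-deny, per-zone allow-list policy, run over a constructed network of six user PCs and one file server. The zone names, rule shapes and host list are assumptions made for the illustration; the policy evaluator is a simplification (traffic within a zone is unfiltered, and a rule is a source zone, a destination zone and a port range). The worm is modelled as reaching any host to which the policy permits one of the RPC/SMB ports, so the run shows how many hosts a single infection reaches on a flat network versus a one-host-per-zone network, and that the one path still allowed (PC to file server on 445) still carries the infection, which is why the post calls patching necessary but not sufficient.

```python
"""Default-deny zone policy and worm-spread model.

Added example, not code from the Full-Disclosure post. All hosts, zones and
rules below are constructed for illustration.
"""
from collections import deque

# Ports the post refers to by the range 135-445; the endpoints MS05-039-class
# worms actually used are modelled explicitly (RPC endpoint mapper, NetBIOS
# session, SMB over TCP).
WORM_PORTS = (135, 139, 445)


def make_policy(allow_rules):
    """Build a default-deny evaluator.

    allow_rules: iterable of (src_zone, dst_zone, port_lo, port_hi).
    Traffic inside a single zone is assumed unfiltered (the zone is one
    broadcast domain); anything crossing zones must match a rule.
    """
    rules = list(allow_rules)

    def allowed(src_zone, dst_zone, port):
        if src_zone == dst_zone:
            return True
        return any(s == src_zone and d == dst_zone and lo <= port <= hi
                   for s, d, lo, hi in rules)

    return allowed


def simulate_spread(hosts, allowed, patient_zero, ports=WORM_PORTS):
    """Breadth-first worm propagation.

    hosts: mapping host name -> zone name.
    An infected host compromises every host for which the policy permits
    at least one of `ports`. Returns the set of infected host names.
    """
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        src = queue.popleft()
        for dst in hosts:
            if dst in infected:
                continue
            if any(allowed(hosts[src], hosts[dst], p) for p in ports):
                infected.add(dst)
                queue.append(dst)
    return infected


def exposure(hosts, allowed, ports=WORM_PORTS):
    """Count ordered (src, dst) host pairs where some worm port is reachable.

    This is the audit number the post is asking IT to look at before
    'slapping in PCs by the boatload'.
    """
    return sum(1 for src in hosts for dst in hosts
               if src != dst
               and any(allowed(hosts[src], hosts[dst], p) for p in ports))


# Constructed topology: six user PCs and one file server.
PCS = ["pc%d" % i for i in range(1, 7)]

# Flat network: everything in one zone, nothing filtered.
FLAT_HOSTS = {name: "lan" for name in PCS}
FLAT_HOSTS["fs1"] = "lan"
FLAT_ALLOWED = make_policy([])

# Zoned network: one zone per PC, servers in their own zone. The only
# cross-zone rule is PC -> file server on 445 (file sharing); there is
# no PC -> PC rule and no server -> PC rule.
ZONED_HOSTS = {name: "z-" + name for name in PCS}
ZONED_HOSTS["fs1"] = "servers"
ZONED_ALLOWED = make_policy([("z-" + name, "servers", 445, 445) for name in PCS])


def run_scenarios(patient_zero="pc1"):
    """Infect one PC under each policy and report reach and exposure."""
    return {
        "flat": {
            "infected": sorted(simulate_spread(FLAT_HOSTS, FLAT_ALLOWED, patient_zero)),
            "exposure": exposure(FLAT_HOSTS, FLAT_ALLOWED),
        },
        "zoned": {
            "infected": sorted(simulate_spread(ZONED_HOSTS, ZONED_ALLOWED, patient_zero)),
            "exposure": exposure(ZONED_HOSTS, ZONED_ALLOWED),
        },
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, "infected:", result["infected"], "exposure:", result["exposure"])
```

Running it infects all seven hosts on the flat network (42 host pairs expose a worm port) and only `pc1` plus `fs1` on the zoned network (6 pairs, all of them the permitted path to the file server). That remaining path is exactly where patching and host-based filtering still have to do their job; the zoning removes the PC-to-PC paths that had no business justification in the first place.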

