Re: Russ Cooper's AusCERT Presentation on MS Security Bulletins
From: Sam _at_ ProData (_at_)
Date: 06/04/04
- Previous message: Andrew Aronoff: "Re: Submerged Subkeys in W2K"
- In reply to: Jake: "Re: Russ Cooper's AusCERT Presentation on MS Security Bulletins"
- Next in thread: Brett Hill: "Re: Russ Cooper's AusCERT Presentation on MS Security Bulletins"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 4 Jun 2004 16:21:44 +1200
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
I think what Russ may really be getting at (forgive me for speaking on your
behalf Russ) is that rather than staying in the ever-deepening rut that is
patch management, why not look to a more global solution? There are other
ways around these sorts of problems.
The reliance on patching each and every vulnerability in order to protect
your systems is like leaving your firewall completely open and only closing
a port when someone/thing attempts to attack you via it. Also, the
increasing number of security patches, exploits which become available
before the relevant patch does, along with viruses which spread across the
globe in minutes, means that zero-day protection is becoming more of a
priority.
There are a number of vendors starting to offer protection systems that
don't attempt to recognise, or act on, attacks based on the end result,
instead they implement a number of 'policies' which, in conjunction with a
client-side agent, dictate to a system what applications can and cannot do,
at an operational level. Examples of this type of technology are Cisco's
Security Agent
(http://www.cisco.com/en/US/products/sw/secursw/ps5057/index.html) and
Websense's Enterprise Client Policy Manager
(http://www.websense.com/products/about/cpm).
The way these systems work is that, for instance, instead of blocking the
latest worm via signature-based detection, the infection attempt is blocked
because an application executed (from within an e-mail or wherever) is
attempting to write to the local disk and registry. These actions are
blocked by default because only a handful of applications are permitted to
write to the disk (e.g. Office, Explorer, etc.), and the new application
'clickme.exe' is not. This approach also takes care of manual hack attempts
by the same means. Is there any reason that IIS needs to be able to access
cmd.exe? No. Even on an unpatched system, this would never become an
issue, because the policy software would block any attempt by IIS to perform
this type of action by default.
I personally think that protection via this type of policy-based system is
the ONLY way that the IT industry will succeed in keeping out the nasties in
the long term. Software programmers, like (most of) the rest of us, are
human, and therefore make mistakes. This is just the way it is and there's
not much we can do about it. As software gets more complex and therefore
has more lines of code, the problem is only going to get worse. Time for a
new approach methinks...
Sam.
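The post describes how a policy-based host agent decides: default deny, with a short allowlist of applications permitted to write to disk and registry, and an explicit rule that IIS may never launch cmd.exe. The following is an added illustration, not part of the original post and not the code of either product named in it. It models that decision logic in Python over a constructed event stream; the process names (winword.exe, explorer.exe, inetinfo.exe, clickme.exe), the rule set and every path and address are assumptions made up for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One observed action by a process (constructed format, not a real agent's log)."""
    process: str  # image name of the acting process, e.g. "winword.exe"
    action: str   # "write_file", "write_registry", "spawn_process" or "network_connect"
    target: str   # file path, registry key, child image name or remote address


# Allowlist: process -> actions it may perform. Anything not listed is denied.
# Names are assumptions standing in for "Office, Explorer" and the IIS worker.
ALLOW = {
    "winword.exe": {"write_file", "write_registry"},
    "excel.exe": {"write_file", "write_registry"},
    "explorer.exe": {"write_file", "write_registry", "spawn_process"},
    "inetinfo.exe": {"network_connect", "write_file"},
}

# Explicit deny rules, checked before the allowlist: IIS may never spawn a shell.
DENY = [
    ("inetinfo.exe", "spawn_process", "cmd.exe"),
]


def evaluate(event):
    """Return ("allow" | "deny", reason) for a single event under the policy."""
    for proc, action, target in DENY:
        if (event.process == proc and event.action == action
                and event.target.lower().endswith(target)):
            return ("deny", f"explicit deny: {proc} may not {action} {target}")
    allowed = ALLOW.get(event.process)
    if allowed is None:
        # Unknown binary (the post's 'clickme.exe' case): nothing is permitted.
        return ("deny", f"default deny: {event.process} is not a known application")
    if event.action not in allowed:
        return ("deny", f"default deny: {event.process} may not {event.action}")
    return ("allow", f"{event.process} is permitted to {event.action}")


def enforce(events):
    """Evaluate a sequence of events; return a list of (event, decision, reason)."""
    return [(e, *evaluate(e)) for e in events]


# Constructed events mirroring the scenarios in the post. Note that Explorer
# is allowed to launch clickme.exe; the policy bites when clickme.exe itself
# tries to persist, so execution alone does not equal infection.
SAMPLE_EVENTS = [
    Event("winword.exe", "write_file", r"C:\Docs\report.doc"),
    Event("explorer.exe", "spawn_process", "clickme.exe"),
    Event("clickme.exe", "write_file", r"C:\Windows\System32\clickme.exe"),
    Event("clickme.exe", "write_registry", r"HKLM\Software\Example\Startup"),
    Event("inetinfo.exe", "spawn_process", r"C:\Windows\System32\cmd.exe"),
    Event("inetinfo.exe", "network_connect", "10.0.0.5:80"),
]

if __name__ == "__main__":
    for event, decision, reason in enforce(SAMPLE_EVENTS):
        print(f"{decision.upper():5} {event.process:13} {event.action:16} {reason}")
```

Real agents of this kind evaluate these decisions in a kernel driver and key rules on signed image identity rather than a bare file name, which a renamed binary could otherwise borrow; the allow/deny structure above is what the policy itself expresses.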