RE: IDS and Spywares

From: Omar Herrera (oherrera_at_prodigy.net.mx)
Date: 10/17/05

    To: "'Justin Shore'" <justin.shore@sktbcs.com>, <focus-ids@securityfocus.com>
    Date: Mon, 17 Oct 2005 13:52:35 +0100
    
    

    Hi Justin,

    > -----Original Message-----
    > From: Justin Shore [mailto:justin.shore@sktbcs.com]
    > Sent: Monday, October 17, 2005 4:55 AM
    > To: Matt Jonkman; Omar A. Herrera
    > Cc: focus-ids@securityfocus.com; vipul kumra; dhruv_ymca@yahoo.com;
    > neelabhsharma1@gmail.com
    > Subject: RE: IDS and Spywares
    >
    > There is an extremely easy solution to this problem. Remove local
    > administrative rights from users' PCs. There is absolutely no reason
    > whatsoever for a user in a corporate environment to have local admin
    > rights if they aren't actually a sysadm. In a home environment there is
    > absolutely no reason for a user to be a local admin all the time. Remove
    > this capability for the residential-grade OSs and make users utilize the
    > Run As feature of XP and 2000. Better yet make this process automatic
    > like in OS X. There is no reason in this day and age for users to need
    > constant local admin access, if they need local admin access, period.

    I totally agree with you, and I use privilege restrictions a lot (O.S.
    based privilege restrictions it is). But usually the rights of common users
    (enforced by the O.S.) are enough to create some harm. That is, we don't
    just want to restrict their privileges but also make sure they don't shoot
    themselves in their feet by abusing those privileges.

    A common example: some users are able to navigate on the web. From a
    FW/nIDS/nIPS point of view those users might just need ports TCP 80 and 443
    open for outbound communication, but from an O.S. point of view you can only
    put very general restrictions (i.e. if they are able or not to open sockets
    from network communication).

    Malware can easily work in this restricted environment, so you need
    something else. A PFW that restricts outbound connections to certain
    applications or hIPS that is able to stop any unauthorized software are
    examples of how you can extend the security provided by O.S. privilege
    restrictions. Host based IDS are also able to detect execution of
    unauthorized software.

    Kind regards,

    Omar Herrera
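The layering Omar describes (port-only network filtering, then an application-aware personal firewall, then a host IPS/IDS that checks the executable itself) can be made concrete with a small policy evaluator. This is an added example, not code from the thread; the process names, port policy and hash values are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Connection:
    process: str   # image name of the process opening the socket
    sha256: str    # hash of that image (constructed, not real hashes)
    dst_port: int

# What a network FW/nIDS sees for a web user: the destination port only.
WEB_PORTS = {80, 443}

# What a PFW can enforce: which application may talk on which ports
# (constructed policy for the example).
APP_POLICY = {
    "iexplore.exe": {80, 443},
    "outlook.exe": {25, 110, 443},
}

# What a hIPS/hIDS checks: is the executable itself an approved build
# (constructed placeholder hashes).
APPROVED_IMAGES = {
    "iexplore.exe": "HASH-IE-APPROVED",
    "outlook.exe": "HASH-OUTLOOK-APPROVED",
}

def network_fw_allows(c: Connection) -> bool:
    """Port-only rule: any process reaching 80/443 looks like web browsing."""
    return c.dst_port in WEB_PORTS

def pfw_allows(c: Connection) -> bool:
    """Application-aware rule: unknown applications get no outbound access."""
    return c.dst_port in APP_POLICY.get(c.process, set())

def hips_allows(c: Connection) -> bool:
    """Software allow-list: a renamed or tampered binary fails the hash check."""
    return APPROVED_IMAGES.get(c.process) == c.sha256

def verdict(c: Connection) -> str:
    """Return the first layer that blocks the connection, or 'allowed'."""
    for name, check in (("network_fw", network_fw_allows),
                        ("pfw", pfw_allows),
                        ("hips", hips_allows)):
        if not check(c):
            return f"blocked by {name}"
    return "allowed"

SAMPLE_EVENTS = [  # constructed connection attempts by an unprivileged user
    Connection("iexplore.exe", "HASH-IE-APPROVED", 443),       # normal browsing
    Connection("spyware.exe", "HASH-UNKNOWN", 443),            # unknown app on 443
    Connection("iexplore.exe", "HASH-TAMPERED", 80),           # trojanized browser
    Connection("outlook.exe", "HASH-OUTLOOK-APPROVED", 6667),  # mail client to IRC port
]
```

Running `verdict` over `SAMPLE_EVENTS` shows the point of the reply: the second event passes the port-only rule and is only stopped by the PFW, and the third passes both port and application rules and is only caught by the hash check.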


