RE: IDS and Spywares

From: Justin Shore (justin.shore_at_sktbcs.com)
Date: 10/17/05

    Date: Sun, 16 Oct 2005 22:55:28 -0500
    To: "Matt Jonkman" <matt@infotex.com>, "Omar A. Herrera" <omar.herrera@oissg.org>
    
    

    There is an extremely easy solution to this problem. Remove local administrative rights from users' PCs. There is absolutely no reason whatsoever for a user in a corporate environment to have local admin rights if they aren't actually a sysadm. In a home environment there is absolutely no reason for a user to be a local admin all the time. Remove this capability for the residential-grade OSs and make users utilize the Run As feature of XP and 2000. Better yet make this process automatic like in OS X. There is no reason in this day and age for users to need constant local admin access, if they need local admin access, period.

    Justin

    PS==> IIRC Network Magazine, Network Computing, or some other such magazine echoed this exact sentiment in the most recent issue when they tested a couple dozen xIDS implementations. 100% of their spyware compromises were directly caused by local admin access.

    > -----Original Message-----
    > From: Matt Jonkman [mailto:matt@infotex.com]
    > Sent: Thursday, October 13, 2005 10:08 AM
    > To: Omar A. Herrera
    > Cc: focus-ids@securityfocus.com; 'vipul kumra'; dhruv_ymca@yahoo.com;
    > neelabhsharma1@gmail.com
    > Subject: RE: IDS and Spywares
    >
    > I strongly disagree that IDS is not effective with spyware. I grant that
    > hids is a good thing. But maybe I'm from the old school of thought, that
    > you can't trust any system to police itself. That system is corruptible,
    > and thus needs outside oversight. Security 101.
    >
    > That is exemplified by the number of worms that kill AV on their
    > victims, or alter hosts files so they can't get new dats, etc. The
    > victim sits there warm and fuzzy because they paid the 40 dollar
    > Symantec tax, and they're blasting spam to the world, none the wiser.
    > The code to do these things is easily available, and surely will be used
    > by spyware once they feel a hit to their pocketbook. If there's money to
    > be made they'll do it.
    >
    > Matt
    >
    >
    >
    >
    > On Wed, 2005-10-12 at 22:52 +0100, Omar A. Herrera wrote:
    > >
    > > > -----Original Message-----
    > > > From: vipul kumra [mailto:vikumar2@yahoo.com]
    > > >
    > > > Hi Dhruv,
    > > >
    > > > I agree with what you have said... but then there is
    > > > no 100% fool proof method for detecting anything. As
    > > > far as I've seen iPolicy Networks IDS protection is
    > > > quite strong... :)
    > >
    > > Why use a hammer with a screw? Network based detection is able to deal
    > > pretty well with known network threats, but some sort of malware (including
    > > some Trojans and spyware) are customized or modified and used with specific
    > > targets. You won't detect those with generic signatures or network based
    > > anomaly behavior.
    > >
    > > hIDS/hIPS are much more effective in detecting and preventing these attacks.
    > > If there is any anomalous activity to be detected or any forbidden action to
    > > be blocked, it will be host based, not network based. To start, there is a
    > > considerable number of ways that these threats can travel through the
    > > network (e.g. web scripts, P2P messaging, email attachments, trojanized
    > > downloaded software) and they might not even use the network to get to their
    > > target (Sharing of USB memory sticks, CDs, DVDs,...)
    > >
    > > Personally I doubt that it is even worth trying to catch this kind of
    > > malware with a network based IDS or IPS. I would rather use the time for
    > > polishing hIPS/personal firewall policies.
    > >
    > > I think this is what Dhruv meant.
    > >
    > > Regards,
    > >
    > > Omar Herrera
    > >
    > >
    > > ------------------------------------------------------------------------
    > > Test Your IDS
    > >
    > > Is your IDS deployed correctly?
    > > Find out quickly and easily by testing it
    > > with real-world attacks from CORE IMPACT.
    > > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    > > to learn more.
    > > ------------------------------------------------------------------------
    > >
    > --
    > --------------------------------------------
    > Matthew Jonkman, CISSP
    > Senior Security Engineer
    > Infotex
    > 765-429-0398 Direct Anytime
    > 765-448-6847 Office
    > 866-679-5177 24x7 NOC
    > my.infotex.com
    > www.offsitefilter.com
    > www.bleedingsnort.com
    > --------------------------------------------
    >
    >
    > NOTICE: The information contained in this email is confidential
    > and intended solely for the intended recipient. Any use,
    > distribution, transmittal or retransmittal of information
    > contained in this email by persons who are not intended
    > recipients may be a violation of law and is strictly prohibited.
    > If you are not the intended recipient, please contact the sender
    > and delete all copies.
    >
    >
    >
    >
    > --
    > No virus found in this incoming message.
    > Checked by AVG Anti-Virus.
    > Version: 7.0.344 / Virus Database: 267.12.0/134 - Release Date: 10/14/2005
    >

    -- 
    No virus found in this outgoing message.
    Checked by AVG Anti-Virus.
    Version: 7.0.344 / Virus Database: 267.12.1/136 - Release Date: 10/15/2005
     
    
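Justin's recommendation is to take local admin rights away from ordinary users. The following PowerShell audit is an added example, not code from this thread or from any poster: it lists every member of the local Administrators group that is not on an allow-list, so a help desk can find the users who still have the rights the thread argues against. It assumes Windows 10 / Server 2016 or later (the Microsoft.PowerShell.LocalAccounts module), and the allow-list names are placeholders.

```powershell
# Added example: audit the local Administrators group against an allow-list.
# Assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016+).

# Allow-list of accounts that are expected to be local admins. These names are
# assumptions for the example; replace them with your own approved principals.
$Approved = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local Administrator
    "CONTOSO\Domain Admins"              # placeholder domain group
)

function Get-UnapprovedLocalAdmins {
    param([string[]]$AllowList = $Approved)

    # Every member of the local Administrators group (users and groups, local or domain).
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop

    foreach ($m in $members) {
        if ($AllowList -notcontains $m.Name) {
            [pscustomobject]@{
                Computer    = $env:COMPUTERNAME
                Member      = $m.Name
                ObjectClass = $m.ObjectClass      # 'User' or 'Group'
                Source      = $m.PrincipalSource  # Local, ActiveDirectory, MicrosoftAccount
            }
        }
    }
}

$unapproved = @(Get-UnapprovedLocalAdmins)
if ($unapproved.Count -eq 0) {
    Write-Output "OK: only approved members in local Administrators"
} else {
    Write-Warning "$($unapproved.Count) unapproved local admin(s) on $env:COMPUTERNAME"
    $unapproved | Format-Table -AutoSize
    # Remediation, run elevated after review:
    # $unapproved | ForEach-Object { Remove-LocalGroupMember -Group 'Administrators' -Member $_.Member }
}
```

Run it under a scheduled task or your management tool across the fleet and collect the output; any non-empty result is a workstation where a spyware drop would still run with full local rights.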
