Re: Should webservers, eg. IIS 6 have anti--virus installed on them?
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa_at_pacbell.net)
Date: 07/22/05
- Previous message: Adrian Marsden: "RE: Should webservers, eg. IIS 6 have anti--virus installed onthem?"
- In reply to: Wozny, Scott (US - New York): "RE: Should webservers, eg. IIS 6 have anti--virus installed on them?"
- Next in thread: Wozny, Scott (US - New York): "RE: Should webservers, eg. IIS 6 have anti--virus installed on them?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 21 Jul 2005 15:41:33 -0700
To: "Wozny, Scott (US - New York)" <swozny@deloitte.com>
Do I want A/V as another onion layer skin? You betcha.
Will I have a heart attack if I see the telltale sign of Trend's red
'you have a virus' on a server or workstation? Oh you bet. Why?
Because the goal is that the bad stuff never makes it in that far. If I
see anything other than an Eicar test virus up there it means my onion
layers are broken and I need to trace back what happened and beef up my
defenses.
The goal is that a/v never kicks in because the bad stuff is all out there.
What's the saying ..... "know thy systems"?
Wozny, Scott (US - New York) wrote:
>You're absolutely right. It's part risk analysis, part cost/benefit
>analysis. You either choose to accept the risk of pushing out defs
>blind because it costs too much in manpower and lost time OR you vet the
>sigs and accept the cost of doing so in manpower and that you'll be
>exposed for longer but reduce the chance of a repeat of that fateful
>Friday, as rare an occurrence as it is, OR you do something in between
>that fits for you.
>
>However, _all_ the blame is not on the vendor (though it was a massive
>screw-up on their part). There's nothing in that software suite that
>_requires_ all defs be pushed immediately, and it used to be that no-one
>did. Most of us have just gotten too comfortable with def updates
>because problems with sigs so rarely happens. If "other vendors"
>patches didn't have so many unforeseen side effects, more people would
>push them without testing as well because we're all over worked and we
>make those cost / benefit decisions every day.
>
>The concern I had which I wanted to address was with a perceived
>implication that it's best to leave AV off IIS boxes (the question this
>thread is addressing) because it regularly contains new, possibly
>untested code and IMHO that, by itself, does not present a sufficient
>risk to offset the numerous other benefits AV provides (no matter how
>_sure_ your IIS server is locked down). The event in question had, at
>best, a tenuous cause / effect relationship with mitigating factors
>which could have prevented it that organizations _chose_ to ignore. It
>doesn't matter that everybody does it. Everybody got busted. So we
>dust ourselves off and figure out the best way to deal with it. In some
>situations, that's to make a conscious choice that enough controls are
>in place that AV adds more hassle than it's worth and in _some_
>situations that's to take the servers that are administered by
>professionals and put an additional line of defense on them in case
>these administrators turn out to be human and make a mistake that AV
>might be able to catch. If the term "defense in depth" is unappealing
>and too fuzzily defined for you, think of it as "infosec redundancy".
>:)
>
>Scott
>
>-----Original Message-----
>From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>[mailto:sbradcpa@pacbell.net]
>Sent: Wednesday, July 20, 2005 7:57 PM
>To: Wozny, Scott (US - New York)
>Cc: Harlan Carvey; focus-ms@securityfocus.com; jeff@shawgo.com
>Subject: Re: Should webservers, eg. IIS 6 have anti--virus installed on
>them?
>
>
>Can you honestly say that you vet every dat file that comes your way in
>the same manner that you do security patch testing on all of your
>systems? Show of virtual hands on this list... how many honestly have
>the resources to put the same testbed energy into a/v sig updates as
>they do patch deployment? Test it on lab settings/virtual
>system/canaries in the office and then roll it out... for all your sized
>operations? There are some firms that indeed do this. There are many,
>however, that do not. I personally don't have the resources [nor the
>a/v deployment set in such a way] that I can do this. Nor do I feel
>that the few issues that I have had with allowing a/v to immediately
>deploy versus the issues I might have if I don't automate the process
>mean that I'm changing my methods.
>
>But...obviously neither did several railroads in Japan, a few Japanese
>newspapers and other folks that were also affected and obviously didn't
>vet the a/v sigs either.
>
>As often as they are updating these days, the risk of not pushing them
>out as they come in has to be weighed with the potential for issues when
>not testing them. I'm sorry but this was an A/V dat sig update that
>affected the XP sp2 the hardest of all. Trend admitted they screwed up.
>
>As fast as that nailed and flatlined my entire network... there's no way
>that should have left Trend's doorstep and been pushed to boxes. It was
>an immediate CPU freeze up that had me booting into safe mode to get my
>machines back in working mode.
>
>Even Microsoft has expanded their patch testing process to include
>external more real life testers. Sorry, but I do not accept that this
>dat file freeze up was in any way an acceptable screw up ...and
>obviously and unfortunately neither does Wall Street and analysts
>...etc....
>
>All I'm saying is we've [I've?] grown complacent and many of us forget
>that potentially every hour on the hour new untested code is on our
>boxes. Add that to your risk factors and decide accordingly.
>
>Show me an a/v software and this year few of them haven't had their own
>security issues as well.
>
>It's called a bit of risk analysis... what's the benefit....what's the
>risk. And no matter what size of firm you are... we all play the game,
>we just come to different conclusions. Ergo this thread which asked...
>what's the risk of webservers having a/v on them?
>
>I think the answer is.. it depends. There may not be a best practice
>and instead each one of us needs to perform our own risk analysis and
>decide accordingly [I really don't like 'best practices' as a concept
>anyway - what's best for me... won't be best for the guy down the
>street]
>
>Nah... Dos 5, Wordstar and Lotus 123. Now those were killer apps... I
>still have a Compaq Portable luggable in our museum that boots if you
>want to try it. In the meantime, excuse me while I go update my
>Firefox..again and ensure my Greasemonkey is on whatever version that
>isn't vulnerable.
>
>Wozny, Scott (US - New York) wrote:
>
>>Are you actually condemning AV because administrators blindly trusted
>>the AV sig updates they received and pushed them to live systems without
>>testing them at all? Who, precisely, wasn't doing their due diligence?
>>
>>Computing is complicated. If one isn't implementing and following
>>procedures to protect oneself from screw-ups in other organizations one
>>depends upon, then we all really ought to roll back to DOS 6.22 and stay
>>there.
>>
>>If I misunderstood your implication, please correct me. Otherwise, I
>>intend to keep AV in my bag of tricks.
>>
>>Scott
>>
>>-----Original Message-----
>>From: focus-ms-return-8320-swozny=deloitte.com@securityfocus.com
>>[mailto:focus-ms-return-8320-swozny=deloitte.com@securityfocus.com] On
>>Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>>Sent: Wednesday, July 20, 2005 3:32 AM
>>To: Harlan Carvey
>>Cc: focus-ms@securityfocus.com; jeff@shawgo.com
>>Subject: Re: Should webservers, eg. IIS 6 have anti--virus installed on
>>them?
>>
>>
>>Not to mention ..if you were anywhere near a live system at 3:45 p.m
>>Pacific time on a certain Friday when someone didn't do their due
>>diligence and flatlined every single one of my workstations and even
>>nailed my server....it might make you look at antivirus in a new
>>light....
>>
>>A/V is just introduction of new... possibly untested code on a machine
>>.... possibly every hour on the hour....
>>
>>http://silverstr.ufies.org/blog/archives/000844.html
>>
>>Harlan Carvey wrote:
>>
>>>So far, this has been an interesting discussion,
>>>but beneath it all, I'm seeing what I think is a
>>>disturbing trend.
>>>
>>>>Antivirus needs to be part of the overall security
>>>>plan for all Windows machines - it's just part of
>>>>the cost of doing business - the cost of the
>>>>software, maintenance, and CPU overhead.
>>>
>>>I'm seeing absolutist statements like the one above,
>>>and it bothers me.
>>>
>>>If a web server is just a web server, the content is
>>>served to the client, going outbound...not coming into
>>>the server. If the purpose of the system is to take
>>>known-good pages (from the owner) and make them
>>>available to the public (over ports 80 and 443), then
>>>what is the point of A/V software?
>>>
>>>I'm seeing a lot of people say that A/V software is
>>>necessary, and that it's part of a 'holistic' or
>>>'defense in depth' approach, but this really sounds
>>>more like Dilbert's "buzz word bingo" than anything
>>>else.
>>>
>>>>Certainly, servers need to be patched, firewalled,
>>>>isolated, and locked down. Additionally, code
>>>>should be audited for vulnerability to XSS and SQL
>>>>injection.
>>>
>>>Yes, without a doubt. This is all part of good
>>>administration.
>>>
>>>>None of these things are perfect. Not that AV is
>>>>perfect, but it is another layer of defense - making
>>>>it part of that "Defense in Depth" strategy.
>>>
>>>But, defense against what?
>>>
>>>>AV has grown into more than just defense against
>>>>viruses. It is often effective against worm code,
>>>>and some AV has identified common hacking tools
>>>>(e.g. - NetCat) as something that doesn't belong on
>>>>most systems. You can argue the viability of this
>>>>move, but most companies - if they have a security
>>>>team - have less than 0.1% of their machines which
>>>>maybe should have it there.
>>>
>>>"something that doesn't belong on most systems"? How
>>>does it get there? If a web server is properly
>>>configured and managed, then perhaps the most likely
>>>means of infection is from the administrator
>>>himself...and in such cases, A/V software is useless.
>>>
>>>>AV needs to be part of the cost of running Windows -
>>>>for better or for worse.
>>>
>>>Again, I'm seeing this as an approach that's being
>>>parroted, rather than thought out. I'm not saying
>>>that MS products are perfect...not at all. But what I
>>>am saying is that using proper administration
>>>principles, those that have been espoused for well
>>>beyond the past decade, paying additional money to add
>>>yet another software package to a web server simply
>>>doesn't make good business sense.
>>>
>>>Why pay more money for another application to
>>>maintain, and another set of logs that you're not
>>>reviewing anyway?
>>>
>>>Several years ago, Dave LeBlanc set up an IIS 4.0
>>>server in accordance with simple common sense, and it
>>>was not vulnerable to Code Red...a full year before
>>>Code Red was launched.
>>>
>>>When Code Red was launched, A/V software would not
>>>have helped. However, if the .hta script mapping had
>>>been disabled the day before Code Red came out, then
>>>guess what? No problems.
>>>
>>>Should systems have A/V software in place?
>>>Maybe...depending upon the function and purpose of the
>>>system. Does it make sense? Does it make good
>>>business sense? What's the business
>>>reason/justification for installing another software
>>>package (for $$) over disabling current functionality
>>>(which doesn't cost anything)?
>>>
>>>Harlan
>>>
>>>------------------------------------------
>>>Harlan Carvey, CISSP
>>>"Windows Forensics and Incident Recovery"
>>>http://www.windows-ir.com
>>>http://windowsir.blogspot.com
>>>------------------------------------------
--
Letting your vendors set your risk analysis these days? http://www.threatcode.com