RE: A question for the list...
From: Rob Shein (shoten_at_starpower.net)
Date: 05/21/03
To: "'Mark Ng'" <laptopalias1-mark@informationintelligence.net>, "'Kevin Reardon'" <Kevin.Reardon@oracle.com>, <incidents@securityfocus.com>
Date: Wed, 21 May 2003 13:02:58 -0400
Comments Inline
-----Original Message-----
From: Mark Ng [mailto:laptopalias1-mark@informationintelligence.net]
Sent: Tuesday, May 20, 2003 3:56 PM
To: Kevin Reardon; incidents@securityfocus.com
Subject: RE: A question for the list...
<snip>
>Are owners of long term compromised systems really "innocents"? If people
>have left systems compromised with worms that are attacking other networks
>and reports have been ignored for significant amounts of time, then surely
>the compromised party are guilty of negligence?
<snip>
Consider this...with respect to the "long term compromised systems" there
are two sets of parties. One set is responsible for the operation and
maintenance of the systems. The other party (which is much larger in size
typically) is made up of the users of that system. Do you think that the
general employees of a company aren't "innocents" if their sysadmin isn't
keeping up on patches?
And what if the reason the patches haven't been applied yet is because of a
change control process that takes hours of paperwork and weeks of waiting
time per patch per box? I've seen it take six weeks in some corporations to
get changes approved, and as much as an entire day's worth of work to
complete the change control request to put one patch on one box. When you
consider that the company in this example had dozens of machines offering
services to the outside world, it's a bit easier to understand how machines
go unpatched. And who is some outside party with an axe to grind to
determine their innocence or guilt in the first place?
>Perhaps rather than a strikeback system, something similar to ARIS could be
>used to send automated alerts to ISPs warning them that x number of their
>customers have the latest worm. In the event that ISPs are non-compliant,
>and don't deal with their infected customers, peering points could agree to
>enforce this upon ISPs.
I like this idea, but I think that it might not have much effect. Already
there are way too many large ISPs who do nothing when they are notified of
blatant abuse (see under www.proxyprotector.com for a great and typical
example), so I don't see what they'll do about their customers being
infected with worms. After all, their customers pay them, and you
don't...so why would they give their customers a hard time over the
complaints of outsiders? And the more infected hosts they have on their
net, the less incentive they have to try to do anything, as the problem
simply becomes too large to be worth tackling by them.