RE: Need help from a group of experts. I am not a network expert but I play one on tv.

From: Halverson, Chris (chris.halverson_at_encana.com)
Date: 09/11/03

    To: Randy Opper <ropper@firstsecurityonline.com>, security-basics@securityfocus.com
    Date: Thu, 11 Sep 2003 14:04:53 -0600
    
    

    DSLreports has a good and thorough scanner especially if you register and
    run the slow scan.

    www.dslreports.com

    And GRC has been revamped lately and is quite a bit different and a lot more
    thorough as well.

    Chris

    -----Original Message-----
    From: Roger A. Grimes [mailto:rogerg@cox.net]
    Sent: Thursday, September 11, 2003 1:06 PM
    To: Randy Opper; security-basics@securityfocus.com
    Subject: RE: Need help from a group of experts. I am not a network
    expert but I play one on tv.

    Randy,

    1. Don't worry about the SubSeven attacks. They are random, occur
    everywhere, and are not successful. You'll spend much more effort trying to
    discover who is scanning than it is worth. In many cases, if you were to
    expend the effort and track down the computer, it would lead to an innocent
    person's computer that is compromised. Believe me, not worth the time.

    2. No, preventing file attachments alone won't stop all email attacks. It
    is easy to embed malicious HTML code (scripts, links, etc.) into an email.
    To prevent email attacks, block file attacks and make sure all email is
    plain text only (disable all active content and HTML coding).

    3. Yes and no. Some programs exist that would track the hacker back...but
    again, many times the hacker has just compromised some other person's
    computer and is using that computer to do the hacking. Unless that computer
    has tracking software enabled or you have a search warrant and lots of free
    time to do research and pore over router logs, you aren't going to find out
    the culprit. It is not legal to hack back the hacker.

    4. Sonicwall is a good firewall...but any firewall depends on how well you
    have it configured. And a firewall is only one step in your computer
    defense plan. You must also:
    1. Keep patches up to date.
    2. Use AV software.
    3. Make sure OS has tightened security permissions.
    4. Secure email.
    5. Educate your employees and keep them off bad sites and from opening bad
    emails.

    There are several free vulnerability analyzers that will test your firewall
    defenses, including the popular (but not very extensive) testing of Gibson's
    Shields Up test site (www.grc.com).

    Roger

    ***************************************************************************
    *Roger A. Grimes, Computer Security Consultant
    *CPA, MCSE (NT/2000), CNE (3/4), A+
    *email: rogerg@cox.net
    *cell: 757-615-3355
    *Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly
    *http://www.oreilly.com/catalog/malmobcode/
    *Author of Apress's upcoming Honeypots for Windows
    ***************************************************************************

    -----Original Message-----
    From: Randy Opper [mailto:ropper@firstsecurityonline.com]
    Sent: Wednesday, September 10, 2003 8:36 PM
    To: security-basics@securityfocus.com
    Subject: Need help from a group of experts. I am not a network expert
    but I play one on tv.

    I am an owner of a small business with less than 25 staff members. We
    do not have the budget to afford a tech person on staff. I am a power
    user that has taken over the task of trying to secure our T1 and I am
    unclear of how to handle a few issues.

    1. Each day my Sonicwall firewall is hit by at least 3 Sub Seven
    attacks. The firewall does say that they are blocked. I have converted
    my users to all use webmail with no attachment download to prevent POP3
    mail virus issues.
            ? How do you track down these attackers when the IP address will
    not resolve and when I trace them they just don't list. I get the IP
    from the firewall log and try to trace route to no avail.

            ? Does the webmail stop all issues of mail attacks?
            ? Does a program exist that would reverse hack or fight back
    against these attacks daily?
            ? Does a program exist that could test my network on the
    internet to see if the firewall is good enough or will someone tell me
    how I can try to trash it to test it.

    Randy Opper
    First Security
    Almost A Network Admin

    P.S. I also run Zone Alarm Pro at home. Does it work?

    ---------------------------------------------------------------------------
    Captus Networks
    Are you prepared for the next Sobig & Blaster?
     - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
     - Precisely Define and Implement Network Security
     - Automatically Control P2P, IM and Spam Traffic
    FIND OUT NOW - FREE Vulnerability Assessment Toolkit
    http://www.captusnetworks.com/ads/42.htm
    ----------------------------------------------------------------------------
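
Added example, not part of the thread or any poster's code: the plain-text-only, no-attachments policy from point 2 of the quoted reply, applied to one MIME message with Python's standard `email` package. The function names and the sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

class VisibleText(HTMLParser):
    """Keep visible text only; tags, attributes and script/style bodies are dropped."""
    def __init__(self):
        super().__init__()
        self.parts, self.skipping = [], 0
    def handle_starttag(self, tag, attrs):
        self.skipping += tag in ("script", "style")
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.skipping:
            self.skipping -= 1
    def handle_data(self, data):
        if not self.skipping and data.strip():
            self.parts.append(data.strip())

def to_plain_text(raw: bytes):
    """Return (plain-text-only EmailMessage, names of the parts that were dropped)."""
    msg = message_from_bytes(raw, policy=policy.default)
    text, html, dropped = None, None, []
    for part in (p for p in msg.walk() if not p.is_multipart()):
        ctype = part.get_content_type()
        is_file = part.is_attachment() or part.get_filename()
        if ctype == "text/plain" and text is None and not is_file:
            text = part.get_content()
        elif ctype == "text/html" and html is None and not is_file:
            html = part.get_content()
        else:  # attachments and every other content type are removed
            dropped.append(part.get_filename() or ctype)
    if text is None and html is not None:  # HTML-only mail: keep just its visible text
        parser = VisibleText()
        parser.feed(html)
        parser.close()
        text = "\n".join(parser.parts)
    clean = EmailMessage()
    for name in ("From", "To", "Subject", "Date"):
        if msg[name]:
            clean[name] = msg[name]
    clean.set_content(text or "")
    return clean, dropped

def constructed_sample() -> bytes:  # constructed input, not taken from the thread
    m = EmailMessage()
    m["From"], m["Subject"] = "a@example.com", "Invoice"
    m.set_content('<p>Invoice attached.</p><script>run()</script>'
                  '<a href="http://example.test/x">Open it</a>', subtype="html")
    m.add_attachment(b"\x00", maintype="application", subtype="octet-stream", filename="invoice.exe")
    return m.as_bytes()
```

Calling `to_plain_text(constructed_sample())` returns a single-part `text/plain` message and reports `invoice.exe` as dropped; the script body and the link target do not survive.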
