Security Basics mailing list archives
RE: Purging Blaster.worm
From: "Jay Woody" <jay_woody () tnb com>
Date: Fri, 15 Aug 2003 13:20:49 -0500
> From one "firewall guy" to another: If you got hit from the inside, then you are part of the problem as well.
Obviously, if I am strictly responsible for the perimeter firewall, then I would find this statement ludicrous. Is there a place for internal firewalls? Of course. That has never been up for debate or even previously addressed in this post. There is a need for IDS, etc. internally, but depending upon the setup of your company, that may be unattainable. However, back to the central point, patching was not unattainable.
> These days there is no such thing as the trusted zone. A firewall (and IDS) on your internal desktop network would have been beneficial in securing the "core," and alerting you to the presence of the worm internally.
Not to be stupid here, but if you needed an alert concerning this worm, you must sleep in a cave. Concerning future issues, perhaps you are right and that may be something for a different thread. But concerning the issues addressed in THIS thread, you had ample warning and ample time to get a patch down. If you were patched, then having all this preventative technology was cool, but pretty freaking unnecessary. I could buy external firewalls, IDS, etc. I could buy internal firewalls, IDS, etc. I could buy anti-virus and download cleaners and work my IT group like maniacs, or I could have applied one little freaking 800K patch. Are there other reasons for "securing the core"? Of course, but in discussion of this worm (which is what this is supposed to be about), the answer was to stop relying on outside groups and technologies and to get off our duffs and roll the freaking patch out. And the same lesson that should have been learned after Code Red, Nimda and Slammer will go unheeded after Blaster. The answer, people, is to PATCH. You can buy all the little tools to ALERT you that you want, but if you just put out the patch, you will have nothing to be alerted about.
> So when it "comes in the backdoor," there is in fact, still a lot you can do.
Actually, no there isn't. As addressed above, based upon my job, there isn't. Is there something more my COMPANY could do? Yeah. Would it have been a whole bunch easier (in the case of this worm) to put out the patch? Uh, yeah.
> Security is a multi-faceted approach involving all elements of corporate IT departments working in concert with one another. To sit back and point the finger is to be as irresponsible as not patching one's systems.
To point the finger? Have you even read the rest of the thread? This whole discussion has been about how everyone seems to be pointing the finger at the firewall and the cleaners and the anti-virus. My whole point this entire time is that finger-pointing and relying on other groups is ridiculous. The answer here was we should have patched. Here is the way I look at it. When discussing this worm, you could have patched and you wouldn't have needed a firewall, an anti-virus, a cleaner or anything else. To sit here on the threads and say, "Well, here are the 10 steps I took to clean each of my 400 boxes." and "A properly configured firewall stops this issue." and so on is where the finger-pointing is. Everyone that is in charge of their desktops and got hit should be pointing nowhere else than at themselves. Sure, the perimeter firewall is a PART of it. I said I blocked the known ports. But guess what, as soon as the worm hit, there were more ports to block, and what do you do for a Code Red when it comes over 80? That is my point. Every piece has its job, but the part that failed here was the piece that was responsible for patching. Everyone else can be a stopgap and keep the flood at bay for a while, but if the patching had happened, there would be no flood!

JayW
>>> "Vachon, Scott" <Scott.Vachon () paymentech com> 08/15/03 07:59AM >>>
> <snipped>
> From one "firewall guy" to another: If you got hit from the inside, then you are part of the problem as well. These days there is no such thing as the trusted zone. A firewall (and IDS) on your internal desktop network would have been beneficial in securing the "core," and alerting you to the presence of the worm internally. So when it "comes in the backdoor," there is in fact, still a lot you can do. Security is a multi-faceted approach involving all elements of corporate IT departments working in concert with one another. To sit back and point the finger is to be as irresponsible as not patching one's systems.
>
> ~S~
>
> Disclaimer: My own two cents.