Firewall Wizards mailing list archives
RE: Worms, Air Gaps and Responsibility
From: "Ben Nagy" <ben () iagu net>
Date: Wed, 5 May 2004 16:13:06 +0200
For disclaimer, see bottom of tin [1]

So what should people be doing better? Follow this advice and you will probably not end up a statistic.

First - worms hit known vulnerabilities. Manage your vulnerabilities, and get that up to the executive level as a priority. The time between the patches and the worms is shrinking, so it's getting harder every time (Blaster was 26 days, Sasser 17 or 18). Eliminating the root vulnerabilities is the ONLY sure way to not get infected by worms. The rest is damage control and lucky underwear.

Prepare better. Put worm outbreak strategies in your BCPs and DRPs. Implement egress filtering wherever possible to chop out the key TCP and UDP ports that are spreading vectors. Typically these are anything related to MS networking (long list, 137 138 139 445 blah blah). Also chop TFTP, FTP and IRC wherever you can. Do what Paul says, and put in some physical separation for truly critical networks. Not VLANs. Not firewalls. Air. For those networks, make sure random machines cannot be connected without you knowing about it, get rid of unsecured VPN endpoints and roaming wireless.

Stay informed. Mailing lists - (NT)bugtraq, Full Disclosure (but never run any code you see on that list ;), Vuln-Dev are all OK, but can be noisy. Check websites like K-Otik and Packetstorm to see when public releases of exploit code take place. The ISC website is also excellent for early warning if you know what you are looking for - you would do well to add the handler's diary to your morning read.

Fundamentally, to perform accurate threat assessment you at least need to know the basic difference between different kinds of exploits. Some (like lsass and the IIS PCT bug) are trivial to write exploits for. Others, like some of the RPC race condition bugs, the ASN.1 heap corruption bugs etc, are harder to exploit, and less reliable. Worm writers want two things - a bug in a core service (lots of targets) and something that is easy and reliable to exploit.
I can't say this next part loud enough. To date, almost all of the worms have been non-destructive (Witty being a notable exception, but with a smaller target base). This can NOT last. How hard do you think it would be for a mass-market worm to just trash the partition table and flash the BIOS when it was sick of spreading? Now you can multiply your damage and recovery figures by ten or twenty (or more).

As a closing note - if you run IIS then the SSL PCT bug is a worm waiting to happen, don't get distracted by Sasser, although I'm sure mutations are coming for that one, and don't say I didn't warn you.

Sorry to be alarmist, and sorry for the soapbox.

Cheers,
ben

[1] I work for eEye, we know lots and lots about vulnerabilities and worms and stuff, we found the vulnerability behind Sasser, and we make some products in this area. However, this is not a plug.
-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com On Behalf Of Paul D. Robertson
Sent: Wednesday, May 05, 2004 2:25 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Worms, Air Gaps and Responsibility

Hospitals, banks, the U.K. Coast Guard... The damage from the latest Microsoft-based worm isn't as widespread as that from the last one, but it's pretty darned bad in point cases. Why do people continue to connect critical production networks to user/administrative networks?
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
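The egress filtering Ben recommends above (dropping outbound 137/138/139/445, TFTP, FTP and IRC) has a second payoff he does not spell out: the drop log of that filter is the fastest way to find which internal hosts are already infected and scanning. The script below is an added example, not code from the post or from eEye. It assumes netfilter-style LOG lines with a constructed "EGRESS-DROP" prefix (the log lines are made up, not real traffic), and flags any source that hits several distinct destinations on worm ports within a short window, which is the scanning pattern a worm shows and a normal client does not.

```python
import re
from collections import defaultdict
from datetime import datetime

# Ports named in the post as spreading vectors: MS networking, TFTP, FTP, IRC.
# 6667 is the usual IRC port; an assumption, the post does not give a number.
WORM_PORTS = {137, 138, 139, 445, 69, 21, 6667}

# Constructed sample of netfilter LOG output from an egress-filter rule.
# 10.1.2.37 fans out to six hosts in two seconds (worm-like);
# 10.1.2.50 makes two FTP attempts seven minutes apart (not worm-like).
SAMPLE_LOG = """\
May  5 14:02:01 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.2.37 DST=192.0.2.10 PROTO=TCP SPT=1034 DPT=445
May  5 14:02:01 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.2.37 DST=192.0.2.11 PROTO=TCP SPT=1035 DPT=445
May  5 14:02:02 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.2.37 DST=192.0.2.12 PROTO=TCP SPT=1036 DPT=445
May  5 14:02:02 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.2.37 DST=192.0.2.13 PROTO=TCP SPT=1037 DPT=445
May  5 14:02:03 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.2.37 DST=192.0.2.14 PROTO=TCP SPT=1038 DPT=445
May  5 14:02:03 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.2.37 DST=198.51.100.5 PROTO=UDP SPT=1039 DPT=69
May  5 14:02:05 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.2.50 DST=203.0.113.7 PROTO=TCP SPT=2201 DPT=21
May  5 14:09:30 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.2.50 DST=203.0.113.8 PROTO=TCP SPT=2202 DPT=21
"""

# Syslog timestamp, then the netfilter key=value fields we care about.
LOG_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*SRC=(\S+) DST=(\S+) PROTO=(\S+) .*DPT=(\d+)"
)


def parse_drops(log_text):
    """Return (timestamp, src, dst, proto, dport) for every parsable LOG line."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a firewall drop line; skip rather than fail
        # Syslog timestamps carry no year; only relative ordering matters here.
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4), int(m.group(5))))
    return events


def find_spreaders(events, window_seconds=60, min_targets=5):
    """Flag sources that hit >= min_targets distinct hosts on worm ports
    inside any window_seconds-long window. Returns {src: summary}."""
    by_src = defaultdict(list)
    for ts, src, dst, proto, dport in events:
        if dport in WORM_PORTS:
            by_src[src].append((ts, dst, dport))

    suspects = {}
    for src, hits in by_src.items():
        hits.sort()  # by timestamp, so each window is a contiguous slice
        for i, (t0, _, _) in enumerate(hits):
            in_window = [
                (dst, dport)
                for ts, dst, dport in hits[i:]
                if (ts - t0).total_seconds() <= window_seconds
            ]
            targets = {dst for dst, _ in in_window}
            if len(targets) >= min_targets:
                suspects[src] = {
                    "targets": len(targets),
                    "ports": sorted({dport for _, dport in in_window}),
                    "first_seen": t0.strftime("%H:%M:%S"),
                }
                break  # one verdict per source is enough
    return suspects


if __name__ == "__main__":
    for src, info in find_spreaders(parse_drops(SAMPLE_LOG)).items():
        print(f"{src}: {info['targets']} hosts on ports {info['ports']} "
              f"from {info['first_seen']} - pull it off the network")
```

Feed it the real LOG output of your egress rules (`journalctl -k` or `/var/log/kern.log` on a Linux firewall) and tune `window_seconds` and `min_targets` to your environment; on a quiet segment five distinct destinations on port 445 in a minute from one desktop is already a strong signal, while a domain controller or backup server will need an exemption list.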
Current thread:
- Worms, Air Gaps and Responsibility Paul D. Robertson (May 05)
- RE: Worms, Air Gaps and Responsibility Karl Mueller (May 05)
- RE: Worms, Air Gaps and Responsibility R. DuFresne (May 05)
- RE: Worms, Air Gaps and Responsibility Ben Nagy (May 05)
- Re: Worms, Air Gaps and Responsibility Devdas Bhagat (May 05)
- Re: Worms, Air Gaps and Responsibility Marcus J. Ranum (May 05)
- Re: Worms, Air Gaps and Responsibility Einar Indridason (May 06)
- Re: Worms, Air Gaps and Responsibility Rogan Dawes (May 05)
- Re: Worms, Air Gaps and Responsibility Mason (May 06)
- Re: Worms, Air Gaps and Responsibility Chris Pugrud (May 07)
- Re: Worms, Air Gaps and Responsibility Rogan Dawes (May 07)
- Re: Worms, Air Gaps and Responsibility Mordechai T. Abzug (May 06)
- Re: Worms, Air Gaps and Responsibility Jim Seymour (May 06)
- Re: Worms, Air Gaps and Responsibility Marcus J. Ranum (May 06)
(Thread continues...)
- RE: Worms, Air Gaps and Responsibility Karl Mueller (May 05)