IDS mailing list archives
Re: Definition of Zero Day Protection
From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Thu, 12 Aug 2004 19:10:27 +0530
On 09/08/04 10:29 -0700, Drew Copley wrote: <snip>
> Unfortunately, security is usually a reactive endeavour, rather than proactive. (And, proactive security is typically reactive security dressed up so you don't feel so bad.)
Proactive security is designing your systems so that they aren't easy to break. This includes, and is not limited to, access limitation for services through firewalls (both the packet filtering and proxy type), access limiting to users for services, access limiting users to specific programs only, having strong and enforced security policies, not running programs with holes like Internet Explorer, having up-to-date virus definitions on Windows systems, properly configured bastion hosts, ...

Design this into your system, implement it and then bother about the IDS part of it to report on what was missed. If you don't have the first, you are being too hasty in implementing the second. As part of my definition of IDS, I include log analysers, checksumming tools like tripwire/aide, network IDSes like snort, etc.

Once you limit your security exposure to very few services, then you can know what kind of attacks to deal with most of the time. There is no silver bullet though. A new exploit method is a very rare event. It is usually the same methods exploiting various similar holes at different locations in the programs. A true zero day exploit detection tool would catch a new class of exploit and take some action on it. A useful tool would flag certain types of traffic as suspicious.
> These things are not security hype. Neither is protection from them.
0 day exploits are not as bad as they appear to be. They are extremely rare, but they represent the extreme edge of the unknown. "An attack that you do not know about cannot be prevented" is what is so scary about the 0 day exploit. Instead, if we consider that having a good security design and a good implementation of that design prevent most of those attacks, the risk evaluation can be done much better. (No, I do not believe that mere packet filtering firewalls are a good design by themselves. They cut out the noise, but they should not be the only components of your firewall.)
> If a single bugfinder goes "rogue", you will see these kinds of attacks. Likely, as bugfinders tend to be somewhat rogue in the first place, there are a lot more going on than we already know about. And, there is an increasing number of qualified bugfinders. This trend will inevitably increase. So, no, it is not marketing hype, and yes, it should be a concern. It should be more of an immediate concern for military and financial institutions, as they tend to have more valuable data and are the first targets for most attackers. However, anyone with a credit card database or serious corporate secrets is a possible target.
Actually, anyone is a serious target. A new exploit method for Internet Explorer combined with a Javascript bug for Outlook Express will be a very tempting target for spammers/scammers/people in the business of selling zombie networks. Where we go wrong is in looking at the low volume high margin clientele as zero day exploit targets. The deadliest attack would be one that gains control over all those unpatched Windows systems and then uses them to launch further attacks.

Devdas Bhagat