Full Disclosure mailing list archives

Re: Avoiding being a good admin - was DCOM RPC exploit (dcom.c)


From: Ron DuFresne <dufresne () winternet com>
Date: Tue, 29 Jul 2003 15:51:27 -0500 (CDT)

On Tue, 29 Jul 2003 Valdis.Kletnieks () vt edu wrote:

> On Tue, 29 Jul 2003 13:14:49 EDT, Jason <security () brvenik com>  said:
>
> > Wrong, the cost benefit does work out for the business. We are at 3.9
> > million because we did not pay attention to the assets that needed
> > protecting and implement best practices. At 3.9 million we are still
> > under the extremely conservative $4million estimate from one single outage!
>
> You can harp on "best practices" all you want - hell, *I* certainly do
> it enough.  However, you have to come to some realizations here.  All
> "best practices" cost something to implement.  And at some point, the
> cost of prevention is going to exceed the cost of cleaning up.
>
> And at this point, the boss asks "So what are the chances we'll make
> it through the entire rest of the fiscal year without having to blow
> *another* $1.3M, compared to the chances we'll get wormed before the
> next advisory comes out?"
>
> Remember - we're up to MS03-*030* and it's still July.  At $1.3M per,
> you've burned some $39M already to protect against a $4M threat.
>
> Security is *tradeoffs*.  Do I wish all my users were patched against
> MS03-026? Yes.  Do I think some will get trashed by whatever worm comes
> by? Yes - the last worm nailed 200 boxes or so before we got specific
> router filters in place.
>
> However, when the cost of forcing *all* the users to upgrade exceeds
> the cost of cleaning up the 200 that will get whacked, it's *REAL*
> hard to get resources allocated - I've never met a VP-level exec
> that would agree to the idea that they should spend $2M to protect
> against a $500K threat because it's "best practices".  The only ways
> you'll get your $2M is to either make it under $500K instead, or something
> raises the $500K (for instance, if "liable for a $1.5M fine under the newly
> passed protection-of-private-law" gets added in...)
>
> Anybody who can't understand *that* probably doesn't get the joke
> about a $200 chip protecting the $0.75 fuse by blowing up first....



Still the best defensive posture is taken at the entrance and exit points
as pertains to most all these 'services'.  If the ports 135 and 1433 etc
are blocked, both tcp and udp protocols, then patching becomes far less
dramatic, even if a few machines inside get infected due to laptops or
what have you.  When the flow on the wire for a segment starts to impact
the other segments on the network, then pull that segment and rush and
fix what's needed to get things up again in short order.  Then again,
patch at leisure.  Barring a strong network perimeter, you become
dangerous not only to others on your inside, but everyone else out here.

Screw the students that are in a programming class and can't get their
toys to work across the borders, and their professors; they have to
understand, or be made to understand, that the policy that is in effect
is so for a reason.

The higher-up that tries to cut costs and make his claim as an asset that
can't be afforded to be lost, rather than doing so as most profs do by
research and publishing, well, the old 'useless' equipment just became the
test network for that comp sci dept, firewalled off from the rest of the
network of course.  Well, not in Texas; they all need room to spread their
funk on the wires and gateways outside their domain...

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
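The border policy Ron describes (drop 135 and 1433, TCP and UDP, in both directions at the entrance and exit points) and his rule for when to pull a segment (when its traffic starts hurting the rest of the network) can both be expressed in a few lines. The following is an added example, not code from the thread or from either poster; it assumes a 10.0.0.0/8 internal range, a constructed set of flow records, an `eth0` border interface, and reads the post's "etc" as also covering 139, 445 and 1434 (NetBIOS/SMB and the SQL Server resolution service), which is this example's assumption rather than the post's.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed for this example: the site's internal address space.
INTERNAL = ip_network("10.0.0.0/8")

# Ports to filter at the border in both directions, TCP and UDP.
# 135 and 1433 come from the post; 139, 445 and 1434 are this example's
# reading of the post's "etc" (NetBIOS/SMB and SQL Server resolution).
BLOCKED_PORTS = {135, 139, 445, 1433, 1434}


@dataclass(frozen=True)
class Flow:
    """One connection attempt as a border firewall or flow collector logs it."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def crosses_border(flow: Flow) -> bool:
    """True when exactly one endpoint is inside, i.e. the flow enters or leaves."""
    return (ip_address(flow.src) in INTERNAL) != (ip_address(flow.dst) in INTERNAL)


def border_verdict(flow: Flow) -> str:
    """Apply the perimeter policy: drop RPC/SMB/SQL ports at the border, in or out.
    Traffic that stays inside never reaches the border, so it is accepted here."""
    if crosses_border(flow) and flow.proto in ("tcp", "udp") and flow.dport in BLOCKED_PORTS:
        return "DROP"
    return "ACCEPT"


def iptables_rules(iface: str = "eth0") -> list[str]:
    """Render the same policy as iptables commands for the border interface
    (assumed interface name). Each drop is logged first so the logs can feed
    noisy_segments() below."""
    rules = []
    for proto in ("tcp", "udp"):
        for port in sorted(BLOCKED_PORTS):
            for flag in ("-i", "-o"):   # -i: entering the border, -o: leaving it
                base = f"iptables -A FORWARD {flag} {iface} -p {proto} --dport {port}"
                rules.append(f"{base} -j LOG --log-prefix 'BORDER-DROP '")
                rules.append(f"{base} -j DROP")
    return rules


def noisy_segments(flows, threshold: int = 20) -> dict[str, int]:
    """Count outbound attempts to blocked ports per internal /24.  A segment
    far above the baseline is the one the post says to pull off the wire and
    fix; a lone stray probe from a laptop stays below the threshold."""
    counts: Counter[str] = Counter()
    for flow in flows:
        src = ip_address(flow.src)
        if src in INTERNAL and border_verdict(flow) == "DROP":
            counts[str(ip_network(f"{src}/24", strict=False))] += 1
    return {seg: n for seg, n in counts.items() if n >= threshold}


def sample_flows() -> list[Flow]:
    """Constructed traffic: routine web and mail, one internal-only RPC call,
    a single stray 1433 probe from a laptop, and one host in 10.1.2.0/24
    sweeping outside addresses on 135/tcp."""
    flows = [
        Flow("10.3.0.7", "198.51.100.10", "tcp", 80),
        Flow("203.0.113.5", "10.2.0.9", "tcp", 25),
        Flow("10.3.0.7", "10.2.0.9", "tcp", 135),      # stays inside: not the border's job
        Flow("10.3.0.8", "198.51.100.20", "tcp", 1433),
    ]
    flows += [Flow("10.1.2.44", f"198.51.100.{i}", "tcp", 135) for i in range(1, 41)]
    return flows


if __name__ == "__main__":
    for rule in iptables_rules()[:4]:
        print(rule)
    print("segments to pull:", noisy_segments(sample_flows()))
```

The border filter buys the patching time the post talks about; the per-segment count is the trigger for the "pull that segment" step, and the threshold is deliberately a parameter because the right value depends on what normal traffic looks like on a given network.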