RE: Avoiding being a good admin - was DCOM RPC exploit (dcom.c)

[Ron DuFresne <dufresne () winternet com>]

> > Still the best defensive porture is taken at the entrance and exit points
> > as pertains to most all these 'services'.  If the ports 135 and 1433 etc
> > are blocked, both tcp and udp protocols, then patching becomes far less
> > dramatic, even if a few machines inside get infected due to laptops or
> > what have you.  when the flow on the wire for a segment
>
> Perimeter blocking is not everything.
> It's an important part of your security policy, but I think you're
> overstating that.
>
> Is it too difficult to write a worm which will spread through RPC DCOM (this
> is just to stay OT) *AND* mass e-mailing. See that? Mass e-mails ... You can
> have the best port blocking in the world and still be infected in a second.


Cool, perimiter security and forcing users to text only based e-mail
clients liek e-mail was intended <grin>.

> The solution for this is long term improvement of security, strong security
> policies *AND* education.

Eucation works poorly.  Educate you users and then 30 minutes later some
of thm will go to their everything-AND-the-kitchen-sink desktop OS, click
on that same mass mailed exe you just told them not to click on, and
reopen the need to once again re-educte your userbase cycle.  Of course 9
out of 10 times it;s going to be one of the upper mgt folks that pushed
for the employee education project that does the uncondoned clicking of
that exe...


Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html