Security Incidents mailing list archives
Re: Was RE: disinfection tool -- now a minor rant.
From: H C <keydet89 () yahoo com>
Date: Mon, 6 Aug 2001 13:52:20 -0700 (PDT)
Mr. Ng speaks of "ignorant Sysadmins" and wanting to "get the idiots to listen."
From the beginning, I thought this was the whole point
of the Code Red worm. Given how "noisy" the worm is, and given that CRv1 and 2 weren't all that destructive (CRII seems to be an escalation...sort of, "I already told what I could do...now I'm going to do it."), it seems that CR is someone's idea for forcing admins to install the patch. After all, the vector leads to a system-level compromise. Look at it like a vaccine...give the patient a small dose of the largely inert 'virus' so that the system develops an immunity.
A lot of people, me included, can't understand why professional admins don't update their systems.
Nor do I understand.
...and they don't understand why the "bad guys" want to get into their systems. What needs to be done is for people like us to educate those business owners.
After years of hearing this, I would love to hear a viable way of doing this. I've heard a variety of techniques for educating business owners on risk, from showing how it would impact their business, to making it a business issue, to showing how a lack of security can impact the bottom line. I'm to the point of believing that the business owners already know...they just like the idea of someone kissing their arses and begging for money. Amongst security-sensitive folks like us, if a vulnerability can be found to easily lead to a root compromise, it'll be fixed and patched most rikky-tik. In the real world, unless their is actually a working exploit that is currently being used by the kiddies, the business types generally don't listen.
Contact your local paper or radio station and talk to the news director. Do an interview, be an expert.
There have to be trade-offs with this. After all, there are already 'experts' talking to the media, which in turn generates FUD. Say the wrong thing and/or get quoted out of context, and you risk ending up on a site like Attrition in a less-than-favorable light. The problem with the media is that if you're not sensational enough, you don't get interviewed. That's why JP of AntiOnline got more press with regards to "profiling" than the folks who do it professionally.
Create a "hit squad" of local sysadmins and offer to take phone calls from business owners. Create a Code RED fix on CD (maybe include SP6 and all post SP6 fixes including the IIS fixes on CD with an automated QChain script)
Perhaps this is where Mr. Ng's complaint comes from...the very fact that one group has to take the time to rescue another group from themselves, when we all have access to the same resources. So someone invests a significant amount of intellectual property to make someone else's job easier...for what?
But, quit complaining about "stupid, ignorant sysadmins" and the "idiots" and do something to help the situation.
Well, I think the reason Bruce Schneier recently decided to start pushing monitoring over preparation (and this is speculation on my part) is b/c he got tired of trying to push the idea of planning ahead, configuring systems, and installing patches. No one seems to want to do it. Look how many systems got hit by the sadmin/IIS worm...and the IIS side of it had been patched for 7 or 8 months. __________________________________________________ Do You Yahoo!? Make international calls for as low as $.04/minute with Yahoo! Messenger http://phonecard.yahoo.com/ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Was RE: disinfection tool -- now a minor rant. Mark Challender (Aug 06)
- Re: Was RE: disinfection tool -- now a minor rant. H C (Aug 06)
- Re: Was RE: disinfection tool -- now a minor rant. Jim (Aug 07)
- RE: Was RE: disinfection tool -- now a minor rant. Marc Maiffret (Aug 06)
- <Possible follow-ups>
- RE: Was RE: disinfection tool -- now a minor rant. Tony Langdon (Aug 07)
- Re: Was RE: disinfection tool -- now a minor rant. H C (Aug 06)