Security Incidents mailing list archives
Re: Priorities (was: Bind8 exploit and a deleted partition map)
From: Crist Clark <crist.clark () GLOBALSTAR COM>
Date: Thu, 15 Feb 2001 17:59:19 -0800
Dustin Mitchell wrote:
> On Tue, 13 Feb 2001, Crist Clark wrote:
> > Derek Kwan wrote:
> > > ...
> > > 2) Keep your software version updated
> >
> > It's tough, but try, try, and have an idea about priorities. Which needs
> > to be fixed by end of the week, which by end of the day, and which needs
> > to be turned off NOW until it is fixed.
>
> I'd like a little more advice on this subject: what are some of the factors
> that should influence this prioritization? Maybe I can list a few; please
> add/correct:
>
> a) Exposure (e.g. who are your local users, is the machine behind a firewall)
> b) Existence of a rootkit
> c) Evidence of attempts or scans
> d) Breadth of vulnerability (e.g. root shell, DoS, or just breaking the
>    AppleTalk server that only one person uses)
The standard risk calculation goes,

  ( Target Value ) * ( Severity of Exploit ) * ( Likelihood of Exploit ) = Risk

"Target Value" is the value of the target in money/time costs. A machine that holds credit card numbers has obvious value. A DNS server holding public records does not hold information with high monetary value, but has the potential to cost a lot in downtime and repairs (I guess there could be value in the eyes of the attacker if he can redirect your domain(s)). A desktop user's system often is the least critical, but they could be used as a stepping stone.

"Severity of Exploit" indicates what level of access an attacker can achieve. Is this just a DoS? Or a root hole? Or something in between?

"Likelihood of Exploit" folds in how likely it is someone will actually try or has the means to try an exploit. If this system is stand-alone and only has trusted users, who cares? Is it behind a firewall and fairly safe from the k1ddiez? Or is this machine naked on the Internet? Is there a sk1rpt k1ddie t00l for the exploit, is this for professional crackers only, or is it purely theoretical?

One approach popularized by Stephen Northcutt of SANS is to evaluate network intrusion attempts according to the following equation,

  ( Target Criticality ) + ( Lethality ) - ( System Countermeasures ) - ( Network Countermeasures ) = Attack Severity

Northcutt likes to give a 1-5 rating for each. Basically, the presence of a known exploit can lower countermeasures or increase lethality.

Both of these are very qualitative approaches, and are more aids in organizing your thoughts than equations for doing some pencil and paper calculations.

There are two things that none of these include, but I think are important when prioritizing repairs/patching. One is to consider how much it costs in time/money to do the fixes. If you have three holes to fix, each ranking in the same neighborhood according to the above criteria, where one takes five minutes, one takes an hour, and one takes four hours, do them in that order. Even if the five minute job is not as critical, get it out of the way. If the four hour job is slightly more critical than the one hour... Well, it may be worth stopping to think which is better. If there are software/hardware purchase prices, they get tossed in too. This may seem obvious once it is said, but sometimes the obvious things need saying anyway.

The other thing to do is consider the effectiveness of your fix... provided there even is one. Is this an ugly kludge that you will need to redo in a few days when the vendor comes out with a sparkly new patch? Maybe you are best off not spending 4 hours hacking a workaround now only to waste time in a few days tearing it down again when you install the patch. Maybe it's best to cross your fingers and wait for that patch. Maybe.

Finally, you don't want to be spending all of your time thinking about this stuff when boxes are sitting out there vulnerable. If you can't figure out which to do first, flip a coin, just do _something._

--
Crist J. Clark
Network Security Engineer
crist.clark () globalstar com
Globalstar, L.P.
(408) 933-4387 FAX: (408) 933-4926
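The two scoring schemes in the message above, plus the cost-to-fix ordering it recommends, can be turned into a small triage helper. The following is an added example and is not code from the original post or from SANS; the field names, the 1-5 scales, the risk "band" width used to decide which findings are in the "same neighborhood", and the sample findings are all constructed for illustration.

```python
"""Vulnerability triage helper: rank findings by the risk product and
Northcutt's attack-severity sum, then order repairs so that within a
risk band the quickest fix is done first.  Added example; all field
names, scales and sample data are constructed, not from the original post."""
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    issue: str
    target_value: int             # 1-5: money/time cost if the box is lost
    severity: int                 # 1-5: DoS = 1 ... remote root = 5
    likelihood: int               # 1-5: theoretical = 1 ... public tool, naked on Internet = 5
    system_countermeasures: int   # 1-5 (Northcutt): host hardening, patch level
    network_countermeasures: int  # 1-5 (Northcutt): firewalling, filtering
    fix_minutes: int              # estimated time to apply the fix


def risk(f: Finding) -> int:
    """Standard risk product: value * severity * likelihood (1..125)."""
    return f.target_value * f.severity * f.likelihood


def attack_severity(f: Finding) -> int:
    """Northcutt: criticality + lethality - system - network countermeasures."""
    return (f.target_value + f.severity
            - f.system_countermeasures - f.network_countermeasures)


def must_turn_off_now(f: Finding) -> bool:
    """Root hole, reachable, on a box that matters: take it offline until fixed.
    The thresholds are an assumed policy, not something the post prescribes."""
    return f.severity >= 5 and f.likelihood >= 4 and f.target_value >= 4


def prioritize(findings, band_width=25):
    """Order findings for repair.

    Findings are bucketed into risk bands of `band_width` so that items
    in the same neighborhood compete on cost: within a band the quickest
    fix goes first, as the message suggests.  Bands run high to low, and
    raw risk breaks ties among equal-effort fixes."""
    def key(f):
        band = risk(f) // band_width
        return (-band, f.fix_minutes, -risk(f))
    return sorted(findings, key=key)


# Constructed sample findings; the hosts and issues are invented.
SAMPLE = [
    Finding("ns1", "remote root in name server",       4, 5, 5, 1, 1, 60),
    Finding("ccdb", "DoS in database listener",         5, 2, 2, 4, 4, 240),
    Finding("mac-desk", "AppleTalk server crash",       1, 1, 3, 2, 3, 5),
    Finding("proxy", "local root via setuid helper",    3, 4, 3, 2, 3, 5),
    Finding("mailhost", "information leak in MTA",      4, 3, 3, 2, 3, 30),
]


def triage_order(findings=SAMPLE):
    """Host names in the order the fixes should be applied."""
    return [f.host for f in prioritize(findings)]


if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        flag = "  TURN OFF NOW" if must_turn_off_now(f) else ""
        print(f"{f.host:9} risk={risk(f):3} attack_sev={attack_severity(f):3} "
              f"fix={f.fix_minutes:3}min  {f.issue}{flag}")
```

Running it lists the name server first (risk 100, and flagged to be taken offline), then the two mid-band findings with the five-minute one ahead of the thirty-minute one, and finally the two low-band items, where the five-minute AppleTalk fix goes before the four-hour database job even though the database scores higher on raw risk. That last pair is exactly the "get the five-minute job out of the way" rule from the message.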