Security Basics mailing list archives

RE: Purging Blaster.worm


From: "Jay Woody" <jay_woody () tnb com>
Date: Fri, 15 Aug 2003 13:20:49 -0500

From one "firewall guy" to another: If you got hit from the 
inside, then you are part of the problem as well. 

Obviously, if I am strictly responsible for the perimeter firewall,
then I would find this statement ludicrous.  Is there a place for
internal firewalls?  Of course.  That has never been up for debate or
even previously addressed in this post.  There is a need for IDS, etc.
internally, but depending upon the setup of your company, that may be
unattainable.  However, back to the central point, patching was not
unattainable.

These days there is no such thing as the trusted zone. 
A firewall (and IDS) on your internal desktop network 
would have been beneficial in securing the "core," and 
alerting you to the presence of the worm internally. 

Not to be stupid here, but if you needed an alert concerning this worm,
you must sleep in a cave.  Concerning future issues, perhaps you are
right and that may be something for a different thread.  But concerning
the issues addressed in THIS thread, you had ample warning and ample
time to get a patch down.  If you were patched then having all this
preventative technology was cool, but pretty freaking unnecessary.  I
could buy external firewalls, IDS, etc.  I could buy internal firewalls,
IDS, etc.  I could buy anti-virus and download cleaners and work my IT
group like maniacs or I could have applied one little freaking 800K
patch.  Are there other reasons for "securing the core"?  Of course, but
in discussion of this worm (which is what this is supposed to be about),
the answer was to stop relying on outside groups and technologies and to
get off our duffs and roll the freaking patch out.  And the same lesson
that should have been learned after Code Red, Nimda and Slammer will go
unheeded after Blaster.  The answer people, is to PATCH.  You can buy
all the little tools to ALERT you that you want, but if you just put out
the patch, you will have nothing to be alerted about.

So when it "comes in the backdoor," there is in fact, still 
a lot you can do.

Actually, no there isn't.  As addressed above, based upon my job, there
isn't.  Is there something more my COMPANY could do?  Yeah.  Would it
have been a whole bunch easier (in the case of this worm) to put out the
patch?  Uh, yeah.

Security is a multi-faceted approach involving all elements 
of corporate IT departments working in concert with one 
another. To sit back and point the finger is to be as 
irresponsible as not patching one's systems.

To point the finger?  Have you even read the rest of the thread?  This
whole discussion has been about how everyone seems to be pointing the
finger at the firewall and the cleaners and the anti-virus.  My whole
point this entire time is that finger-pointing and relying on other
groups is ridiculous.  The answer here was we should have patched.  Here
is the way I look at it.  When discussing this worm, you could have
patched and you wouldn't have needed a firewall, an anti-virus, a
cleaner or anything else.  To sit here on the threads and say, "Well,
here are the 10 steps I took to clean each of my 400 boxes." and "A
properly configured firewall stops this issue." and so on is where the
finger-pointing is.  Everyone that is in charge of their desktops and
got hit, should be pointing nowhere else than at themselves.

Sure the perimeter firewall is a PART of it.  I said I blocked the
known ports.  But guess what, as soon as the worm hit, there were more
ports to block and what do you do for a Code Red when it comes over 80? 
That is my point.  Every piece has its job, but the part that failed
here was the piece that was responsible for patching.  Everyone else can
be a stopgap and keep the flood at bay for a while, but if the patching
had happened, there would be no flood!

JayW

"Vachon, Scott" <Scott.Vachon () paymentech com> 08/15/03 07:59AM >>>

<snipped>

From one "firewall guy" to another: If you got hit from the inside,
then you are part of the problem as well. These days there is no such
thing as the trusted zone. A firewall (and IDS) on your internal
desktop network would have been beneficial in securing the "core," and
alerting you to the presence of the worm internally. So when it "comes
in the backdoor," there is in fact, still a lot you can do.
Security is a multi-faceted approach involving all elements of
corporate IT departments working in concert with one another. To sit
back and point the finger is to be as irresponsible as not patching
one's systems.

~S~

Disclaimer: My own two cents.