Security Basics mailing list archives

Re: Secure host newbie - fun - humm


From: Fredrik Hult <fredrik () hult co uk>
Date: Wed, 07 Apr 2004 22:05:04 +0100

There is a third option that is usually viable for remote exploits.
If it is possible to deduce a signature of the attack then an inline IPS or application proxy could provide protection from the attack while enabling Ops to patch the server when the patch is available or when it is convenient.

Sadly of course this only works if the admin is not complacent. It is also useful when being a customer of a software vendor that takes a long time to provide patches to their products. The complacent hope that one will not get infected is largely not applicable anymore as the worms scan the whole net (which of course implies that the vuln gets into a worm, but in the win32 world I would say this is more the norm now).

Duty of Care is an interesting topic and (IANAL) is dependent on the resources of the victim. OTOH one could argue that a victim should not handle data that might result in such degree of harm that the victim has no financial or practical way of fulfilling its duty. Cost benefit analysis is a somewhat inexact science and the Duty of Care needed is ultimately decided upon by the courts (which in the UK at least have several different ways to calculate this).

For 0day exploits one could argue that the compromise was not foreseeable and the extent of the damage could not be quantified. OTOH one could argue that a diligent InfoSec professional would assume that the system's software components will contain undiscovered flaws (history of course proves this) and thus should have taken steps to mitigate damage in case of full system compromise.

As for not running servers if they have holes in them.. well then I think it might be time to shut down most public and private organisations that process information on paper as they are probably more insecure in their handling of information. If these organisations can tolerate the risks involved with handling very sensitive data, then surely the organisations and the courts will be able to transpose their reasoning to the interconnected digital realm?

As for DoS attacks I would just add that this threat is always present in the age of zombies and it is more important to have good relations with one's connectivity providers as they will be the ones that will mitigate the attacks.

BTW sorry if I reply in an inconsistent manner as I have not caught the beginning of this thread.

Fredrik

At 19:55 06/04/2004, Ranjeet Shetye wrote:

No, I am not pushing one decision over another.

I am pointing out the fact that when a HUMAN BEING decides to run a
server KNOWING that there is a security problem, then that is a HUMAN
issue, NOT a technology issue. (e.g. I don't think that running an
insecure service is any different from insecurely running a secure
service - in both cases, it's professional negligence.)

Just cos an admin is helpless cos there is NO fix, does NOT exonerate
the network admin of any blame, IF he or she KNEW that there is an exploit
available.

In today's 24x7 broadband interconnected world, you have 2 options:
1. Take down the server yourself.
2. Hope that you do not get compromised and continue business as usual.
(When you do get taken down, try to put it back together from backups.)

Are there any other options ? That is what I was pointing out. Find out
the cost of each option, and take the path with the lesser cost.
Decision-making 101.

e.g. Let's take a case where there IS a severe price to be paid for the
NEGLIGENCE of KNOWINGLY running an insecure solution.

If a US based service is hosting health records on a Linux server, and
they KNOW that there is a kernel exploit that's available, BUT there is
no fix available for it, then either they play safe and TAKE DOWN the
server themselves, or prepare for a costly legal battle and/or a lengthy
prison sentence if it can be proven that the admin was (deliberately ?)
NEGLIGENT.

The court is surely NOT going to think that running data servers for
24x7 (admin's desire) OR the health of the business (CEO's desire) is
more important than the privacy of the health records. By law, EACH
leaked health record will cost you $8 million + other civil and criminal
proceedings if warranted + other intangibles like loss of customer
trust, loss of reputation, etc. If that is worth keeping your servers up
and running, you should make the decision accordingly. I wouldn't. I'd
try to keep the service secure.

On the other hand, if you are running a photo album server, then things
are not so bad. As I said, you've got to take your own individual
decision.

This is very different from DoS attacks because in DoS, you don't get a
choice, your server gets taken down for you. It's not a business
decision taken on the basis of some calculated risk.

And I DO think that security is a very black and white issue. Either you
have it, or you don't.

Ranjeet.

On Tue, 2004-04-06 at 07:04, Barry Fitzgerald wrote:
> Ranjeet Shetye wrote:
>
> >I'd say that most of the **avoidable** security **problems** are created
> >by human beings (and network admins too).
> >
> >just going over the recent well-publicised and researched breakins:
> >
> >ftp.gnu.org - known ptrace kernel exploit (but no solution available) -
> >TECHNOLOGY + HUMAN (cos admins decided to leave machine running and
> >"risk it").
> >
> >
> Are you advocating that people should just take their servers down if
> someone finds an exploit that isn't patched?  Well, in that case, who
> needs denial of service attacks?
>
> You're also assuming that every admin is aware when an exploit is found,
> that's not always the case.  (In fact, I'd argue that it's like that
> unless a patch or new version is released and said admin is on an
> announcement list, they probably don't know about the vulnerability.)
>
> If both of these are the case, then an issue like this is not a human
> issue at all - it's a technology issue.
>
>
> >(My interpretation:
> >TECHNOLOGY - unexpectedly getting a flat tyre while you're driving.
> >HUMAN - driving around despite knowing that you have a flat tyre.)
> >
> >
> >
> >
>
> I disagree completely.
>
> I see what you're getting at, but it's not enough.  I'd define it this way:
>
> TECHNOLOGY - Any issue which could have been prevented or stopped
> technologically.  This includes flaws in software that are purely
> technical -- including flaws in design methodology.
>
> HUMAN - Improper use, misconfiguration of known-to-be-insecure
> configurations, use of inherently vulnerable services (like nfs and
> telnet) when better alternatives exist and are equally available, and
> not patching a system when it is known to be safely patchable.  (In the
> real world, you can't just patch a system -- you have to test things
> first.)  Most of these are configuration and use issues, and often there
> is a justification for carrying out the action.  For instance, telnet is
> inherently "insecure".  Yet, there are times when it's appropriate to
> use telnet.
>
> Sometimes, decisions aren't cut and dried and it's these decisions that
> fall into the HUMAN category, not the decision to run a vulnerable
> system when you don't have a choice.  That's purely technological.
>
>
>                 -Barry
>
--

Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye2 at Zultys dot com
http://www.zultys.com/

The views, opinions, and judgements expressed in this message are solely
those of the author. The message contents have not been reviewed or
approved by Zultys.
