Firewall Wizards mailing list archives

RE: Re: Anti-Defacement Products...


From: "Staggs, Michael" <Michael_Staggs () NAI com>
Date: Tue, 11 Apr 2000 12:41:13 -0700

The NAI (now PGP, inc) CyberCop Monitor has web page or any other file
protection/back-up.

You select the files you want protected and the Cop makes a backup copy of
those files. If "illegal" file access occurs, the Cop rewrites the backup
over the original. Getting the "illegal" settings config'ed is the hardest
part- most folks think that admin access should be legal for changes, they
make some other kind of mistake (like not patching IIS or leaving an FTP
write unpassworded/weak passworded) and then someone has admin that
shouldn't. File access by that per is now legal. So this is not the panacea
that marketing types want you to think. It takes a little planning and is
still no substitute for keeping up on exploits/patches or regular log
dredging- that tedious but essential stuff we all love so well.

It is, however, useful as another layer or safety device to assist in making
our lives as admins easier.

You can download it at www.nai.com. Go to the top of the page, click
"download updates now". Select corp user and nav through the info garbage
using user "licensed" and password "321". Play to your heart's content.

TIP- When doing the info page answers, keep your node count small. Few sales
types will bug you if you look small. Call them up at your own convenience
if you want to see more or buy.

Good luck keeping the bad guys out.

MJ 

-----Original Message-----
From: Tommy Ward [mailto:tommy () securify com]
Sent: Friday, March 31, 2000 11:30 AM
To: Joseph S D Yao; Starkey, Kyle
Cc: firewall-wizards () nfr net
Subject: Re: [fw-wiz] Re: Anti-Defacement Products...


The host based IDS which Haystack Labs had in 1997 did this.  I don't know
how much of the technology survived the TIS/NAI acquisition, or if
it has been updated at all.

Check with NAI to see if you can ferret out any details from the Cybercop
product line.



At 06:18 PM 3/23/00 -0500, Joseph S D Yao wrote:
On Tue, Feb 22, 2000 at 10:44:26AM -0800, Starkey, Kyle wrote:
I was thinking about defacement the other day and how to help automate a
response to this type of activity.  I understand that host based security
and network based security is the key, but what about response.  I am
looking for a product that could be used to make sure the page being
displayed was the real page.  Thoughts of encrypting the page/code to get a
hash and storing it somewhere inside the enterprise, periodically the
webserver re-calcing the hash on the page stored locally and running a
check against the stored copy secured in a box on the inside.  I would also
envision the automatic posting of the original source back to the
webserver and alerts being generated to the security officer if the two
hashes did not match.  Does anyone know of any product that does something
similar?  I was hoping not to have to build this from scratch, but perhaps
it will be my little project.  Any thoughts about this project or software
that might already do this for me would be greatly appreciated...

Are you thinking of something as simple as running 'tripwire' on your
Web server daily?

If you are thinking of doing this remotely, how to distinguish when the
Web page legitimately changes?  What about "active" or "dynamic" pages,
whose content changes naturally?

;-)

-- 
Joe Yao                                jsdy () cospo osis gov - Joseph S. D. Yao
COSPO/OSIS Computer Support                                    EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.


*******************************************************************************
Tommy Ward                                                        V.P. Consulting
650-812-9400 x4120                               tommy () securify com

                              <http://www.securify.com>
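
The hash-compare-and-restore loop discussed in this thread, as an added Python example that is not part of the original messages or of any product named in them. The function names, the `vault` directory (standing in for the copy kept on the inside) and the sample files are assumptions constructed for illustration.

```python
import hashlib, shutil, tempfile
from pathlib import Path

def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def publish(web_root: Path, vault: Path) -> dict:
    """Trusted-side step: copy approved content to the vault, record its hashes."""
    baseline = {}
    for f in sorted(p for p in web_root.rglob("*") if p.is_file()):
        rel = f.relative_to(web_root)
        (vault / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(f, vault / rel)
        baseline[rel.as_posix()] = sha256(f)
    return baseline

def check_and_restore(web_root: Path, vault: Path, baseline: dict) -> list:
    """Re-hash served files; on mismatch restore from the vault and alert."""
    alerts = []
    for rel, good in baseline.items():
        live, src = web_root / rel, vault / rel
        if live.is_file() and sha256(live) == good:
            continue
        state = "modified" if live.is_file() else "missing"
        if not src.is_file() or sha256(src) != good:
            alerts.append((rel, "vault-mismatch"))  # never restore a bad copy
            continue
        live.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, live)
        alerts.append((rel, state))
    for f in web_root.rglob("*"):  # files nobody published: report, do not delete
        rel = f.relative_to(web_root).as_posix()
        if f.is_file() and rel not in baseline:
            alerts.append((rel, "unexpected"))
    return sorted(alerts)

def demo():  # constructed sample site: one page defaced, one deleted, one dropped
    with tempfile.TemporaryDirectory() as tmp:
        root, vault = Path(tmp, "htdocs"), Path(tmp, "vault")
        (root / "img").mkdir(parents=True)
        (root / "index.html").write_text("<h1>Welcome</h1>")
        (root / "img" / "logo.txt").write_text("logo")
        baseline = publish(root, vault)
        (root / "index.html").write_text("<h1>defaced</h1>")
        (root / "img" / "logo.txt").unlink()
        (root / "dropped.html").write_text("x")
        alerts = check_and_restore(root, vault, baseline)
        return alerts, (root / "index.html").read_text()

if __name__ == "__main__": print(demo())
```

`publish` is the only step that changes the baseline, which is how a legitimate page update is told apart from tampering. It and the vault have to be writable only from the trusted side, since an account that can write the vault can make its own changes pass the check.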


