Firewall Wizards mailing list archives

Re: The Morris worm to Nimda, how little we've learned or gained

From: William bradd <bbradd () olg com>
Date: Thu, 03 Jan 2002 21:48:20 -0500

Hi,

My .02

Ask one question.  Why do old attacks still work?  Because patches and hot fixes
have not been applied.

Where I work, we constantly scan and report vulnerabilities to management.
Admins say they have fixed the vulnerabilities, yet we still find the same
vulnerabilities over and over. Bottom line they either have not applied the
patch or failed to follow-up and check for settings that may have  been changed
when the patch is applied.

Additionally, end users and admins think patching isn't important because we are
behind two firewalls.  You can imagine their surprise when malicious code gets
in and exploits an old vulnerability.  Especially when applying patches would
have prevented the exploit.  Since we have adequate testing facilities they
can't use that as an excuse for not testing and fielding patches and hot fixes.

Someone has to be held responsible, hopefully someone in management who is
ultimately responsible for the integrity and availability of network resources.

Not patching is dangerous, so is not testing, however, vendors provide patches
for a reason.

Consider what are the liabilities for the individual, corporate officers, and
the company should the worst happen?  What do investors expect?  What about
credibility with customers?  What about individual reputation?

But in the end if you are not in a position to make the call, the responsibility
should rest squarely on the shoulders of those who are.

Maybe if vendors were held accountable for bad code (product liability) we'd
have less bad code.



"Behm, Jeffrey L." wrote:

At the very least, jobs should be on the line when companies are

compromised by code

that could have long been prevented by patching of applications and OS's,
especially when those patches have been widely available and publicly
announced.  Even an arson victim faces penalties if they have violated


I agree with your article as a whole, but take minor exception to the above
paragraph.

Is the job on the line if there are no or very little resources available to
test the patches?
I don't think you aren't suggesting blind application of all security
related patches released from a given vendor, so how does one decide which
are the "real" ones to apply, and which are the "ones we don't really need."
It's the old adage of "apply patches and take a chance of breaking
something" vs. "don't apply the patch until you are sure you need it" (but
how are you "sure"?)

I.E. Is my job on the line if I apply a patch and it causes more damage (due
to my own corporate implementation) than the issue it was supposed to fix?

I will give you that there are some patches that one should apply due to the
severity of the consequences of not applying it (BIND, Sendmail, and
others). My point is that if the company is not willing to provide the
resources (time, hardware, people) needed to properly test the patch(es),
the job should not be "on the line."

A minor point, perhaps, but with the lack of skilled security admins, and
unwillingness of companies to provide adequate resource to security
infrastructure (including patch testing), I don't think all the blame lies
on the ones that "should have known the patches needed to be applied."

IMHO (and no flame nor offense intended!),
Jeff

Statements made are my personal opinion and in no way reflect the views of
any company, corporation, or business.

-----Original Message-----
From: R. DuFresne [mailto:dufresne () sysinfo com]
Sent: Thursday, January 03, 02 3:11 AM
To: firewall-wizards () nfr net
Subject: [fw-wiz] The Morris worm to Nimda, how little we've learned or
gained




                      The Morris worm to Nimda
                 how little we've learned or gained


                                    by:  Ron DuFresne
                                           (c) 2001




2001 was a tumultuous year.  Prior to the September 11 airline
attacks on


<snip>
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

Current thread:

RE: The Morris worm to Nimda, how little we've learned o r gained Behm, Jeffrey L. (Jan 03)
- Re: The Morris worm to Nimda, how little we've learned o r gained Jon O . (Jan 04)
- Re: The Morris worm to Nimda, how little we've learned or gained William bradd (Jan 04)
- NIMDA, how to stop it Alan Young (Jan 04)
  - Re: NIMDA, how to stop it R. DuFresne (Jan 04)
    - Re: NIMDA, how to stop it Paul D. Robertson (Jan 04)
    - Re: NIMDA, how to stop it Robin S. Socha (Jan 05)
    - Re: NIMDA, how to stop it Christopher Lee (Jan 05)
  - Re: NIMDA, how to stop it Robin S. Socha (Jan 04)
  - Re: NIMDA, how to stop it Ryan Russell (Jan 04)
    - Re: NIMDA, how to stop it Robin S. Socha (Jan 05)
    - Re: NIMDA, how to stop it Ryan Russell (Jan 06)
    - Re: NIMDA, how to stop it Robin S. Socha (Jan 06)

(Thread continues...)