Firewall Wizards mailing list archives

RE: Worms, Air Gaps and Responsibility


From: "Ben Nagy" <ben () iagu net>
Date: Wed, 5 May 2004 16:13:06 +0200

For disclaimer, see bottom of tin [1]

So what should people be doing better? Follow this advice and you will
probably not end up a statistic.

First - worms hit known vulnerabilities. Manage your vulnerabilities, and
get that up to the executive level as a priority. The time between the
patches and the worms is shrinking, so it's getting harder every time.
(Blaster was 26 days, Sasser 17 or 18). Eliminating the root
vulnerabilities is the ONLY sure way to not get infected by worms. The rest
is damage control and lucky underwear.

Prepare Better. Put worm outbreak strategies in your BCPs and DRPs.

Implement egress filtering wherever possible to chop out the key TCP and UDP
ports that are spreading vectors. Typically these are anything related to MS
networking (long list, 137 138 139 445 blah blah). Also chop TFTP, FTP and
IRC wherever you can.

Do what Paul says, and put in some physical separation for truly critical
networks. Not VLANs. Not firewalls. Air. For those networks, make sure
random machines cannot be connected without you knowing about it, get rid of
unsecured VPN endpoints and roaming wireless.

Stay Informed. Mailing lists - (NT)bugtraq, Full Disclosure (but never run
any code you see on that list ;), Vuln-Dev are all OK, but can be noisy.
Check websites like K-Otik and Packetstorm to see when public releases of
exploit code take place. The ISC website is also excellent for early warning
if you know what you are looking for - you would do well to add the
handler's diary to your morning read.

Fundamentally, to perform accurate threat assessment you at least need to
know the basic difference between different kinds of exploits. Some (like
lsass and the IIS PCT bug) are trivial to write exploits for. Others, like
some of the RPC race condition bugs, the ASN.1 heap corruption bugs etc are
harder to exploit, and less reliable. Worm writers want two things - a bug
in a core service (lots of targets) and something that is easy and reliable
to exploit.

I can't say this next part loud enough. To date, almost all of the worms
have been non-destructive (Witty being a notable exception, but with a
smaller target base). This can NOT last. How hard do you think it would be
for a mass-market worm to just trash the partition table and flash the BIOS
when it was sick of spreading? Now you can multiply your damage and recovery
figures by ten or twenty (or more).

As a closing note - if you run IIS then the SSL PCT bug is a worm waiting to
happen, don't get distracted by sasser, although I'm sure mutations are
coming for that one, and don't say I didn't warn you.

Sorry to be alarmist, and sorry for the soapbox.

Cheers,

ben

[1] I work for eEye, we know lots and lots about vulnerabilities and worms
and stuff, we found the vulnerability behind sasser, and we make some
products in this area. However, this is not a plug.

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com 
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf 
Of Paul D. Robertson
Sent: Wednesday, May 05, 2004 2:25 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Worms, Air Gaps and Responsibility

Hospitals, banks, the U.K. Coast Guard...  The damage from 
the latest Microsoft-based worm isn't as widespread as that 
from the last one, but it's pretty darned bad in point cases.

Why do people continue to connect critical production 
networks to user/administrative networks?

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
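An added example, not part of the post above or anything from the list, showing the egress filtering advice in working form: deny the MS networking, TFTP, FTP and IRC ports at the perimeter, render the deny list as iptables rules, and flag internal hosts whose denied attempts fan out to many destinations on one port (the footprint of a worm scanning, which is what you want your firewall logs to tell you during an outbreak). The deny list, the 10.0.0.0/8 internal range, the WAN interface name and the flow records are all assumptions constructed for the example; the port numbers are the standard IANA assignments for the services named.

```python
"""Egress policy check over constructed outbound flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed egress deny list (protocol, destination port); tune to your own site.
DENY = {
    ("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445),  # NetBIOS / SMB
    ("udp", 69),     # TFTP, a common second-stage download channel
    ("tcp", 21),     # FTP control
    ("tcp", 6667),   # IRC, a common command channel
}

# Assumed internal address space for the example.
INTERNAL = ip_network("10.0.0.0/8")

# Constructed sample records, "src dst proto dport"; not a real firewall log.
SAMPLE = """\
10.0.5.23 10.0.5.1 tcp 445
10.0.5.23 198.51.100.7 tcp 445
10.0.5.23 198.51.100.8 tcp 445
10.0.5.23 198.51.100.9 tcp 445
10.0.5.23 203.0.113.4 tcp 445
10.0.7.9 203.0.113.10 tcp 443
10.0.7.9 203.0.113.10 tcp 21
10.0.9.1 203.0.113.5 udp 69
10.0.5.23 203.0.113.6 tcp 6667
""".splitlines()


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def is_egress(flow: Flow) -> bool:
    """True when the flow leaves the internal range."""
    return ip_address(flow.src) in INTERNAL and ip_address(flow.dst) not in INTERNAL


def is_blocked(flow: Flow) -> bool:
    """Egress policy: drop denied proto/port pairs only at the perimeter.
    Internal-to-internal SMB (ordinary file sharing) is deliberately untouched."""
    return is_egress(flow) and (flow.proto, flow.dport) in DENY


def blocked_flows(lines):
    """All flows the egress policy would drop."""
    return [f for f in map(parse_flow, lines) if is_blocked(f)]


def scanning_hosts(lines, threshold=3):
    """Internal hosts whose denied egress attempts fan out to >= threshold
    distinct destinations on one proto/port: a worm probing addresses, not a
    user mistyping one server name. Returns {(src, proto, port, count)}."""
    targets = defaultdict(set)
    for f in blocked_flows(lines):
        targets[(f.src, f.proto, f.dport)].add(f.dst)
    return {(src, proto, port, len(dsts))
            for (src, proto, port), dsts in targets.items()
            if len(dsts) >= threshold}


def render_iptables(deny=DENY, chain="FORWARD", wan="eth0"):
    """Render the deny list as iptables rules for a Linux perimeter box.
    Assumes the WAN interface name; logs before dropping so scanners show up."""
    rules = []
    for proto, port in sorted(deny):
        match = f"-o {wan} -s {INTERNAL} -p {proto} --dport {port}"
        rules.append(f"iptables -A {chain} {match} -j LOG --log-prefix 'EGRESS-DENY '")
        rules.append(f"iptables -A {chain} {match} -j DROP")
    return rules


if __name__ == "__main__":
    for rule in render_iptables():
        print(rule)
    print("blocked:", len(blocked_flows(SAMPLE)))
    print("scanning hosts:", scanning_hosts(SAMPLE))
```

The rule ordering matters in practice: these DROP rules go in before any broad "allow established/outbound" rule, and the LOG line is what turns the firewall into an early-warning sensor, since a single internal host hitting tcp/445 on dozens of external addresses is the first thing you will see when a Sasser-class worm gets inside.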

