Full Disclosure mailing list archives

RE: Learn from history?


From: "Alerta Redsegura" <alerta () redsegura com>
Date: Thu, 6 May 2004 11:04:07 -0500

SMB generally aren't worried about running something like Windows Update
automatically, other than the fact that it uses bandwidth that they are
paying for.

Down here, most SMB use Internet flat-rate plans, whether it be dial-up or
cable.
So that's not an issue. The issue here is *knowledge and awareness*, not
connection.



2. If a patch cannot be installed, find workarounds
That does not work with the workarounds customers need to facilitate
life (security <> ease of use, remember)

Workarounds don't have a place in any sort of open user environment;
they take too much time to deploy and impose too many problems on the end
user, and also need to be undone after the problem is fixed. Way way way
too much work there.


In the case of a Windows-based network and excepting W98 and WME boxes, all
updates and upgrades can be --and should be-- deployed from 1 machine.
Workarounds generally have ultimately to do with registry modifications,
which is just a matter of writing a script and deploying it. (Of course,
after evaluating cost-benefit, testing, where *not* to install it, etc.)



3. If it is a port-related threat, find out if such ports are
in use, and if not, make sure they are closed.
Once the virus is on the LAN it can do whatever it wants.

Hello!  Block the ports BEFORE they hit the LAN.  Proactive security.
Also, do us a favor and don't propagate the shit!

What is all this rubbish about? Roughly 15% of all assets attached to
networks around the world are unaccounted for!! So how are you meant to
protect yourself against them? Example - firewall blocking all ports,
someone comes in with a laptop that's infected and Bob's your uncle, you're
left scratching your head wondering why your firewall didn't work. lmao
that, my friends, is the soft center that the black hat looks for!!


It is also a matter of well articulated policies.

Assumptions
----------------
1. You have an anti-virus/e-mail/content solution which updates signatures
files automatically from the Internet and deploys them automatically to all
the boxes in the network, with central alerting capabilities.

2. You have a firewall solution at the point connecting to the
Internet/other networks.

3. The laptop is infected with a worm that spreads through specific ports.
----------------


Now, someone comes in with a laptop that is infected and connects to the
LAN.
When it starts trying to infect external addresses, the firewall catches it.
If it tries to infect local machines, the anti-virus software catches it.
Supposing you have adequate alerting procedures in place, in both cases, the
source of the infection is easy to detect.
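The scenario above, as an added example that is not part of the original post: a small Python check that reads constructed perimeter-firewall deny records and flags the LAN host that tried to reach the worm's ports on many distinct external addresses, which is how the firewall plus alerting points back to the infected laptop. The log format, LAN range, port set and threshold are assumptions for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of perimeter-firewall deny records (not real logs); the
# format, the LAN range and the worm ports below are assumptions.
SAMPLE_LOG = """\
2004-05-06 10:58:01 DENY TCP 192.168.10.57:1331 -> 203.0.113.8:135
2004-05-06 10:58:01 DENY TCP 192.168.10.57:1332 -> 203.0.113.9:135
2004-05-06 10:58:02 DENY TCP 192.168.10.57:1333 -> 203.0.113.10:135
2004-05-06 10:58:02 DENY TCP 192.168.10.57:1334 -> 203.0.113.11:135
2004-05-06 10:58:03 DENY TCP 192.168.10.57:1335 -> 203.0.113.12:135
2004-05-06 10:58:05 DENY TCP 192.168.10.12:2201 -> 198.51.100.4:135
2004-05-06 10:58:07 DENY TCP 192.168.10.57:1336 -> 192.168.10.20:135
2004-05-06 10:58:09 DENY UDP 192.168.10.30:5000 -> 198.51.100.7:53
"""

LAN = ip_network("192.168.10.0/24")
WORM_PORTS = {135, 139, 445}  # assumed "specific ports" the worm spreads on
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) DENY (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Parse one deny record into a dict, or return None for unknown lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def find_infection_sources(log_text, threshold=3):
    """Return {lan_host: distinct external targets} for LAN hosts that tried
    to reach WORM_PORTS on at least `threshold` distinct outside addresses."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in WORM_PORTS:
            continue
        src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
        # Only LAN -> outside attempts are visible at the perimeter; LAN -> LAN
        # traffic never crosses the firewall and is left to host anti-virus.
        if src in LAN and dst not in LAN:
            targets[src].add(dst)
    return {str(h): len(t) for h, t in targets.items() if len(t) >= threshold}

if __name__ == "__main__":
    print(find_infection_sources(SAMPLE_LOG))  # {'192.168.10.57': 5}
```

The LAN-to-LAN record for 192.168.10.57 is deliberately ignored: it illustrates the gap the post assigns to the anti-virus layer rather than the firewall.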





Iñigo Koch
Red Segura

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
