Security Incidents mailing list archives

Re: Priorities (was: Bind8 exploit and a deleted partition map)


From: Crist Clark <crist.clark () GLOBALSTAR COM>
Date: Thu, 15 Feb 2001 17:59:19 -0800

Dustin Mitchell wrote:

On Tue, 13 Feb 2001, Crist Clark wrote:
Derek Kwan wrote:
...
2) Keep your software version updated

It's tough, but try, try, and have an idea about priorities. Which
needs to be fixed by end of the week, which by end of the day, and
which needs to be turned off NOW until it is fixed.

I'd like a little more advice on this subject: what are some of the
factors that should influence this prioritization?  Maybe I can list a
few; please add/correct:

a) Exposure (e.g. who are your local users, is the machine behind a
   firewall)
b) Existence of a rootkit
c) Evidence of attempts or scans
d) Breadth of vulnerability (e.g. root shell, DoS, or just breaking the
   AppleTalk server that only one person uses)

The standard risk calculation goes,

  ( Target Value ) * ( Severity of Exploit )
    * ( Likelihood of Exploit ) = Risk

"Target Value" is the value of the target in money/time costs. A
machine that holds credit card numbers has obvious value. A DNS
server holding public records does not hold information with high
monetary value, but has the potential to cost a lot in downtime and
repairs (I guess there could be value in the eyes of the attacker if
he can redirect your domain(s)). A desktop user's system often is the
least critical, but they could be used as a stepping stone.

"Severity of Exploit" indicates what level of access an attacker can
achieve. Is this just a DoS? Or a root hole? Or something in between.

"Likelihood of Exploit" folds in how likely it is someone will actually
try or has the means to try an exploit. If this system is stand-alone
and only has trusted users, who cares? Is it behind a firewall and
fairly safe from the k1ddiez? Or is this machine naked on the Internet?
Is there a sk1rpt k1ddie t00l for the exploit, is this for
professional crackers only, or is it purely theoretical?

One approach popularized by Stephen Northcutt of SANS is to evaluate
network intrusion attempts according to the following equation,

  ( Target Criticality ) + ( Lethality ) - ( System Countermeasures )
     - ( Network Countermeasures ) = Attack Severity

Northcutt likes to give a 1-5 rating for each. Basically, the
presence of a known exploit can lower countermeasures or increase
lethality.

Both of these are very qualitative approaches, and more aids in
organizing your thoughts than equations for doing some pencil and
paper calculations.

There are two things that none of these include but that I think are
important when prioritizing repairs/patching. One is to consider how much
it costs in time/money to do the fixes. If you have three holes to fix,
each ranking in the same neighborhood according to the above criteria,
where one takes five minutes, one takes an hour, and one takes four hours,
do them in that order. Even if the five minute job is not as critical,
get it out of the way. If the four hour job is slightly more critical
than the one hour... Well, it may be worth stopping to think which is
better. If there are software/hardware purchase prices, they get tossed
in too. This may seem obvious once it is said, but sometimes the obvious
things need saying anyway.

The other thing to do is consider the effectiveness of your fix...
provided there even is one. Is this an ugly kludge that you will need
to redo in a few days when the vendor comes out with a sparkly new
patch? Maybe you are best off not spending 4 hours hacking a workaround
now only to waste time in a few days tearing it down again when you
install the patch. Maybe it's best to cross your fingers and wait for
that patch. Maybe.

Finally, you don't want to be spending all of your time thinking about
this stuff when boxes are sitting out there vulnerable. If you can't
figure out which to do first, flip a coin, just do _something._
--
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.  If
the reader of this e-mail is not the intended recipient, or the employee
or agent responsible to deliver it to the intended recipient, you are
hereby notified that any review, dissemination, distribution or copying
of this communication is strictly prohibited.  If you have received this
e-mail in error, please contact postmaster () globalstar com
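The two scoring models and the time-cost tie-break from the message above, turned into a small prioritization script. This is an added example, not code from the original post or from Northcutt or SANS; the 1-5 scales, the risk band width of 25 and the sample findings are all assumptions constructed for illustration.

```python
# Added example: scores a constructed list of holes with the two models
# discussed in the post and orders the repairs. Scales, band width and
# sample values are assumptions, not anything from the original message.
from dataclasses import dataclass


@dataclass
class Finding:
    name: str
    target_value: int      # 1-5: cost in money/time if the box is lost
    severity: int          # 1-5: DoS at the low end, remote root at the top
    likelihood: int        # 1-5: exposure plus availability of a tool
    system_counter: int    # 1-5: host hardening (Northcutt's model)
    network_counter: int   # 1-5: firewall / filtering in front of it
    fix_hours: float       # estimated effort for the fix or workaround


def risk(f: Finding) -> int:
    """Multiplicative model: value * severity * likelihood, range 1..125."""
    return f.target_value * f.severity * f.likelihood


def attack_severity(f: Finding) -> int:
    """Northcutt's additive model: criticality + lethality minus both
    countermeasure ratings, range -8..8."""
    return f.target_value + f.severity - f.system_counter - f.network_counter


def priority_order(findings, band: int = 25):
    """Highest risk band first; inside a band of comparable risk the
    quickest fix goes first (the post's five-minute-job rule); remaining
    ties fall back to raw risk."""
    return sorted(findings,
                  key=lambda f: (-(risk(f) // band), f.fix_hours, -risk(f)))


# Constructed sample, not real hosts or vulnerabilities.
SAMPLE_FINDINGS = [
    Finding("public DNS server, remote root hole", 4, 5, 5, 2, 1, 1.0),
    Finding("internal app server, root hole, behind firewall", 3, 5, 3, 3, 4, 4.0),
    Finding("card-number DB, local root hole, trusted users only", 5, 4, 2, 4, 5, 0.5),
    Finding("one user's desktop, DoS only", 1, 1, 3, 2, 3, 0.1),
]

if __name__ == "__main__":
    for f in priority_order(SAMPLE_FINDINGS):
        print(f"risk={risk(f):3d} severity={attack_severity(f):+d} "
              f"{f.fix_hours:4.1f}h  {f.name}")
```

With the sample values the DNS server (risk 100) comes first on its own; the card-number database (risk 40, half an hour) is fixed before the internal application server (risk 45, four hours) because the two sit in the same risk band and the shorter job wins the tie; the desktop DoS is last. Swapping the band width changes what counts as "the same neighborhood", which is exactly the judgement call the post describes.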
