Information Security News mailing list archives

Re: InfoSec 2003: 'Zero-day' attacks seen as growing threat (Three more messages)


From: InfoSec News <isn () c4i org>
Date: Mon, 29 Dec 2003 04:11:43 -0600 (CST)

[This could go on forever, this is the last three messages for this 
thread. - WK]

Forwarded from: Ido Dubrawsky <idubraws () cisco com>

On Mon, Dec 22, 2003 at 04:24:58AM -0600, InfoSec News wrote:
Forwarded from: Harlan Carvey <keydet89 () yahoo com>

Rob,

I don't know about you but zero-day exploits frighten me.  They're
absolutely terrifying.  I think we should either (a) nationalize
the computer security industry or (b) dismantle the Internet as a
national security threat.

I guess I can understand your point of view, but what about defense
in depth?  Looking at the entire security picture as a whole, it
would seem that even zero-day exploits may be extremely difficult to
deploy *IF* more folks take a more comprehensive approach to
security.

Take Slammer last year, for example.  Infrastructures that did not
expose UDP port 1434 to the Internet were not infected by the worm.  
Looking further back, folks running IIS 4.0 who'd taken the step to
disable ida/idq script mappings were not infected with Code Red.  
These aren't necessarily zero-day exploits, but the worms do
illustrate the lack of vision with regards to security.
 
Not true.  Even those who did not expose UDP 1434 to the Internet were
affected by employees bringing the worm in with laptops that had MSDE
installed.  Also, Slammer's scanning caused some bandwidth issues for
some service providers and at some peering points.  I agree with you
that *IF* more people took a more comprehensive approach to security
then the effects of zero-day exploits would be reduced...however, the
reality is not the case.  It reminds me of my mother who would always
tell me when she was driving: "I'm not so concerned about my driving
which I know is good...I'm concerned about the OTHER person's
driving." It's a communal effort and unless more people/companies wake
up and smell the coffee, we're in for some rough rides ahead.

My .02
Ido

-- 
===========================================================================
                        | Ido Dubrawsky, CISSP   E-mail: idubraws () cisco com
     |          |       | Network Security Architect
    :|:        :|:      | VSEC Technical Marketing, SAFE Architecture Team
   :|||:      :|||:     | Cisco Systems, Inc.
.:|||||||:..:|||||||:.  | Silver Spring, MD. 20902
===========================================================================


-=-


Forwarded from: Mike Fratto <mfratto () nwc com>

Take Slammer last year, for example.  Infrastructures that did not
expose UDP port 1434 to the Internet were not infected by the worm.

This is a classic mistake about worm propagation. Border protection
does diddly squat when a remote user connects via some form of remote
access to the internal network or simply walks in the door and plugs
directly in. I picked up Welchia on a W2K system running in VMware
that I *only use* to connect to my company's network. The infection
vector works both ways.
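Ido's point that Slammer rode in on laptops past the border filter, and Mike's that the infection vector works both ways, both argue for watching scanning behaviour on the inside of the network rather than only at the edge. The following is an added example (not code from any poster on this thread) that flags Slammer-style UDP/1434 scanners in constructed flow records and separates internal from external sources; the log format, the 10.0.0.0/8 internal range and the three-target threshold are assumptions for illustration.

```python
"""Flag hosts showing Slammer-style UDP/1434 scanning, including internal
ones a border firewall never sees. Flow records below are constructed."""
from collections import defaultdict
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Constructed flow log: time src dst proto dport bytes
SAMPLE_FLOWS = """\
12:00:01 10.1.2.3 203.0.113.10 UDP 53 120
12:00:01 10.5.7.9 198.51.100.4 UDP 1434 404
12:00:01 10.5.7.9 10.2.2.2 UDP 1434 404
12:00:01 10.5.7.9 10.9.9.9 UDP 1434 404
12:00:02 10.5.7.9 192.0.2.77 UDP 1434 404
12:00:02 10.5.7.9 10.3.3.3 UDP 1434 404
12:00:02 10.1.2.3 10.2.2.2 UDP 1434 404
12:00:03 10.1.2.3 10.2.2.2 TCP 445 1500
12:00:03 198.51.100.4 10.1.1.1 UDP 1434 404
12:00:03 198.51.100.4 10.1.1.2 UDP 1434 404
12:00:03 198.51.100.4 10.1.1.3 UDP 1434 404
"""

def parse_flows(text):
    """Parse the whitespace-separated flow format into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "proto": proto,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows

def find_scanners(flows, dport=1434, min_targets=3):
    """Return {src: sorted distinct dsts} for sources that hit at least
    min_targets distinct hosts on UDP/dport. Counting distinct targets,
    not packets, keeps a legitimate client of one SQL server unflagged."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == "UDP" and f["dport"] == dport:
            targets[f["src"]].add(f["dst"])
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}

def classify(scanners):
    """Split suspected scanners into internal and external sources; an
    internal scanner is the laptop-brought-it-in case border filtering
    cannot stop and should be isolated first."""
    inside, outside = {}, {}
    for src, dsts in scanners.items():
        bucket = inside if ipaddress.ip_address(src) in INTERNAL else outside
        bucket[src] = dsts
    return inside, outside
```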


-=-


Forwarded from: "Bill Scherr IV, GSEC, GCIA" <bschnzl () cotse net>

Folks...

   All vulnerabilities were zero-day exploits at one time.  That's the
rub.  Zero days after disclosure, the vulnerability was not known!  X
issue existed, and allowed whatever badness to be perpetrated, but
was not widely defended.

   It is a fact of running today's IDE-generated software.  But hey,
IDEs cut costs so the managers get paid...

   Even for the diligent (i.e. Debian Linux) there is risk.  The key
is to minimize services, and watch your systems 24/7/365.  Of course
that job is easier if you have a multi-vendor, or non-vendor trained
administrator.  That person can pick and choose components with an
informed eye, and combine them into interlocking fields of
defense-in-depth.  If you're not sure, hire the guy that built his own
command line based computer...

B.


On 22 Dec 2003, this text appeared purporting to belong to InfoSec

Date sent:              Mon, 22 Dec 2003 04:24:58 -0600 (CST)
From:                   InfoSec News <isn () c4i org>
To:                     isn () attrition org
Subject:                RE: [ISN] InfoSec 2003: 'Zero-day' attacks seen as growing threat (Three messages)

Send reply to: InfoSec News <isn () c4i org>

Forwarded from: Harlan Carvey <keydet89 () yahoo com>

Rob,

I don't know about you but zero-day exploits frighten me.  They're
absolutely terrifying.  I think we should either (a) nationalize
the computer security industry or (b) dismantle the Internet as a
national security threat.

I guess I can understand your point of view, but what about defense
in depth?  Looking at the entire security picture as a whole, it
would seem that even zero-day exploits may be extremely difficult to
deploy *IF* more folks take a more comprehensive approach to
security.

Take Slammer last year, for example.  Infrastructures that did not
expose UDP port 1434 to the Internet were not infected by the worm.  
Looking further back, folks running IIS 4.0 who'd taken the step to
disable ida/idq script mappings were not infected with Code Red.  
These aren't necessarily zero-day exploits, but the worms do
illustrate the lack of vision with regards to security.


-=-


Forwarded from: Jon Miller <cio.ny () usa net>

These "zero day" exploits are finding previously unknown ways to do
the same nasty things. Fortunately these nasty things are (or at
least have been) finite.

It seems to me that a behavioral approach is now as fundamentally
necessary as traditional signature based AV. Used in conjunction
with each other, they offer a defense in depth approach to layered
security that can mitigate against patch latency and previously
unknown exploits of vulnerabilities.

Simply put, I don't care what mode of transportation a burglar takes
to my house, I just don't want him to get in - or if he does, to
take anything or do any harm.

About that dismantling of the Internet...  Let's also ban all food
additives, some may be bad - let's eat it all right away!  :)


---
Jon Miller, CISSP
Chief Information Security Officer
The City of New York, HRA


-=-


Forwarded from: Barb <ndex () mail c2security org>

There is a commercial NIDS product that does anomaly based
detection.  It is fast and good, but I dislike the manufacturer so I
will not plug them.

Only the people who don't know that Zero-day exploits have been
around since the beginning of the computer age and are also in a
position to make IT/security policy scare me.

They outnumber the knowledgeable, skilled and talented by hundreds to
one.  They are more of a problem than a solution.  They are the ones
too stupid, vain or lazy to use a proper password or secure shell
services.  They are the lame.  They should be banished from
cyberspace...




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.


Bill Scherr IV, GSEC, GCIA
EWA / Information & Infrastructure Technologies
National Guard Regional Technology Center / Norwich Campus
Northfield, VT  05663
802-485-1962


