Information Security News mailing list archives

Re: ISS hatches 'virtual patching' plan (Three messages)


From: InfoSec News <isn () c4i org>
Date: Wed, 28 May 2003 02:30:18 -0500 (CDT)

[Due to some technical problems beyond our control, the editing of 
these messages might be a little munged, along with the PGP signature 
on the last reply.  - WK]


Forwarded from: Michael J. Reeves <michaeljreeves () attbi com>

This brings up an interesting point regarding add-on software.

HOW much attention is paid to the alerts and logs???

The other day, I d/l'd a file and saved it. My Firewall and Anti-Virus
did NOT detect any problem with the file. I opened it expecting one
thing, and nothing appeared to happen. Closer examination revealed
that it was a *.SCR file. Missed that!!!

My firewall notified me that a NEW program was trying to access the
internet, and asked should I "BLOCK" access. This sent up a "RED-FLAG"  
for me!!! I instructed it to establish the BLOCK-RULE, and proceeded
to investigate.

Turned out it was a new variation of an old trojan,
BACKDOOR.LITMUS.203. Having some experience with this stuff, I
rebooted the system from a boot disk, moved the suspected files (now
2) into a safe subdirectory, and rebooted the system. I then
searched the REGISTRY and *.INI files for entries referring to these
files and deleted them.

I submitted the files to my Anti-Virus publisher for analysis with the
results noted previously as to the trojan. They are now updating their
definitions files.

The one thing that my Anti-Virus program did NOT do was to CHECK the
REGISTRY for entries indicative of KNOWN virus and/or trojans. Perhaps
this should be suggested???

    IMHO....

    MJR


InfoSec News wrote:

> http://www.nwfusion.com/news/2003/0526isspatch.html
>
> By Ellen Messmer
> Network World Fusion
> 05/26/03
>
> Internet Security Systems is readying technology it says could
> benefit companies fed up with current patch management techniques.
>
> More precisely, ISS will enable its vulnerability-assessment scanner
> to gang up with its network- and host-based intrusion-detection
> systems (IDS) to stop newly discovered attacks or worms that could
> damage unprotected servers or desktops on enterprise networks.


Michael J. Reeves, AA, ASc
MJR Consulting Services
Sacramento, California 95842
E-Mail: michaeljreeves () attbi com
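
The registry and *.INI hunt the message above describes doing by hand, as an added example (my code, not the poster's and not any anti-virus vendor's): it searches a regedit-style .reg export and the classic win.ini / system.ini autostart lines for references to the files that were moved aside, and marks which hits live in a known autostart location. The registry key list, the sample export, the INI contents and the file names are all constructed for the example.

```python
"""Hunt for persistence entries that reference suspected trojan files.

Added example (not from the original message or from any AV vendor): it
scans a text export of the registry (regedit's .reg format) plus the
classic win.ini / system.ini autostart lines for references to a set of
suspect file names.  Every input below is a constructed sample; the key
paths are the standard Windows autostart locations, the file names are
made up.
"""
import re

# Autostart locations a registry check should cover (assumed, non-exhaustive).
AUTOSTART_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
)
# (section, key) pairs in win.ini / system.ini that launch programs at logon.
INI_AUTOSTART = {("windows", "run"), ("windows", "load"), ("boot", "shell")}

# A .reg value line: "name"=data  or  @=data (the key's default value).
_REG_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text):
    """Return (key, value_name, data) tuples from a regedit .reg export.

    Quoted string data has its .reg escaping removed; dword:/hex: data is
    kept verbatim because we only need to search it as text.
    """
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _REG_VALUE.match(line)
        if key is None or not m:
            continue
        name = "(Default)" if m.group(1) is None else m.group(1)
        data = m.group(2)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = re.sub(r"\\(.)", r"\1", data[1:-1])
        entries.append((key, name, data))
    return entries


def parse_ini(text):
    """Return (section, key, value) tuples from win.ini / system.ini text."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section is not None and "=" in line:
            k, _, v = line.partition("=")
            entries.append((section, k.strip(), v.strip()))
    return entries


def find_persistence(reg_text, ini_texts, suspect_files):
    """Return every registry or INI entry whose data mentions a suspect file.

    Each hit records where it lives and whether that location is a known
    autostart point, so the ones that relaunch the trojan at next boot
    can be dealt with first.
    """
    suspects = [s.lower() for s in suspect_files]
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        if any(s in data.lower() for s in suspects):
            autostart = any(key.lower().endswith(k.lower()) for k in AUTOSTART_KEYS)
            hits.append({"where": key + "\\" + name, "data": data, "autostart": autostart})
    for fname, text in ini_texts.items():
        for section, k, v in parse_ini(text):
            if any(s in v.lower() for s in suspects):
                autostart = (section.lower(), k.lower()) in INI_AUTOSTART
                hits.append({"where": f"{fname}:[{section}] {k}", "data": v, "autostart": autostart})
    return hits


# --- constructed sample input (made-up file names, not real malware) -------
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SysUpdate"="C:\\WINDOWS\\SYSTEM\\funnypic.scr"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\SYSTEM\\svchost32.exe"

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"
'''
SAMPLE_INIS = {
    "win.ini": "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\svchost32.exe\nNullPort=None\n",
    "system.ini": "[boot]\nshell=Explorer.exe\n",
}
SUSPECTS = ["funnypic.scr", "svchost32.exe"]   # the files moved aside from the boot disk


def scan_sample():
    """Run the hunt over the constructed sample."""
    return find_persistence(SAMPLE_REG, SAMPLE_INIS, SUSPECTS)


if __name__ == "__main__":
    for hit in scan_sample():
        flag = "AUTOSTART" if hit["autostart"] else "reference"
        print(f"{flag:9}  {hit['where']}  ->  {hit['data']}")
```

On a live box the export comes from `regedit /e` (or `reg export`) run after booting clean, so the trojan cannot hide the values; the script deliberately searches every key in the export, not only the autostart ones, because file references also turn up in file-type handlers, service entries and uninstall strings.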


-=-


Forwarded from: Steve Manzuik <steve () entrenchtech com>

http://www.nwfusion.com/news/2003/0526isspatch.html

If anyone needs to be concerned with patching it's ISS, but I don't
think that their new buzzword will get the job done.

> More precisely, ISS will enable its vulnerability-assessment scanner
> to gang up with its network- and host-based intrusion-detection
> systems (IDS) to stop newly discovered attacks or worms that could
> damage unprotected servers or desktops on enterprise networks.

The last time I tested ISS' host based "product" it did not work on
HP-UX, caused issues on Solaris installs, and blue screened 3 out of 5
Windows 2000 boxes.  Don't get me started on the unreliability of
their network based product either.

Too bad my client wasn't as amused with the failures as I was
considering they shelled out close to 100K for the ISS solution.  
Their scanner product is pretty good though; with all the keygens and
cracks floating around for it, script kiddies seem to love it, and with
all the false positives it generates, the kiddies won't get anywhere.

With the high overhead created by using ISS products it almost makes
me wonder if patch management isn't cheaper.
 
> ISS CTO Chris Klaus calls the idea "virtual patching" because it
> could eliminate the need to immediately apply server or desktop
> software patches, which are often required to combat new attacks
> that exploit software holes. Instead of having to rush to patch the
> application or operating system software to stop a fast-moving worm
> from taking over vulnerable systems, ISS would be able to have its
> IDS ready to take certain steps to stop specific attacks aimed at
> the target machine.

A proper security framework already eliminates the need to rush out
and patch non-critical boxes.  Even with this "revolutionary" product
it makes sense for IT departments to patch critical systems.
 
> "Patching is unattainable. There's no Fortune 1000 company doing it
> across all its systems," contends Klaus, who points out that
> sometimes vendors stop supplying patches for their legacy products.
> "For instance, Microsoft is no longer supporting patching for
> Windows NT."

Does ISS Server Sensor even support and work on Windows NT?  Does
anyone have any success stories with this product on NT?  Patching is
not unattainable if the proper framework is put in place in the first
place. Proper processes can solve a lot of the patching issues.

> Next month ISS will add the virtual patching capability to its
> vulnerability-assessment tool, Internet Scanner 7.0, which runs on
> Windows 2000.

But Klaus mentioned NT above....
 
> Continuously updated with new attack information as it becomes
> known, Internet Scanner will examine Web servers, firewalls,
> operating systems, routers, switches, mail servers and other
> applications to determine where a variety of weaknesses reside. The
> product also will perform network discovery to locate network
> resources.

This is a neat idea but you will end up spending a ton of money
protecting not so critical boxes.  It's back to the old saying: "You
don't spend 1,000,000.00 to protect 1,000."

> Internet Scanner will no longer simply be a stand-alone tool, but
> will be able to take commands from the ISS management console,
> SiteProtector. Companies could then perform a scan when a new
> vulnerability or threat was identified, to see which machines could
> be hit. Then, based on the network manager's decision, SiteProtector
> would be able to instruct the ISS network-based sensor, RealSecure
> Network 7.0, or the host-based IDS, RealSecure Server 7.0 and
> RealSecure Desktop 7.0, to take certain steps. The host-based IDS
> could block access, based on a specific check or signature.

Yay!  Now your false positive prone ISS Scanner will not only confuse
your IT staff but begin blocking potentially legitimate traffic.  I
can see the increase in productivity already.

> Since traditional "passive" IDS products aren't in-line devices that
> can block large traffic streams, RealSecure Network 7.0 would be
> limited to instructing the firewall to block the attack through a
> process called shunning, or alternatively, terminating a session
> with TCP re-sets.

So this is different from the OPSEC features in RealSecure how?  How
is this going to protect internal desktops and servers from an
internal attack?  Oh, it won't?  So let's just call our desktops and
back end devices "honeypots" and everything will be fine.

> The virtual patching capability is coordinated with the debut next
> month of what ISS has dubbed The X-Force Catastrophic Risk Index
> that the company will issue periodically as a guide to the worst
> security threats and risks.

Wow, CATASTROPHIC RISK INDEX, this should send a chill up IT Security
Manager's spines everywhere.  Proper risk management employs more than
half broken technology.  Sorry to sound like a Final 4 firm but risk
management is a combination of people, process, and technology.  
Security is built in layers and reliance should not be placed on one
single device or technology. All ISS is doing here is setting their
customers up to become victims -- or was that honeypot researchers?

> While the virtual patching capability is still in testing mode, and
> it's not clear how well the idea will work in practice, there's
> little doubt that network managers are fed up with patching.

Their entire product line is still in testing mode.  ISS needs to fix
the multiple issues in their basic products before they try and sell
the world on their virtual patching service.  Granted my organization
is small, but I have about a dozen clients who were sold on ISS
products -- all but two have given up trying to make them work
properly.  What does that tell you?


Regards;


Steve Manzuik
Chief Technical Officer
Entrench Technologies Inc.
(403)663-1337 - office
(403)589-4430 - cellular
steve () entrenchtech com
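
The session-termination half of the article's "virtual patching" (a passive sensor killing a flagged connection with TCP resets), as an added example that is neither ISS code nor anything from the thread: it builds the raw IPv4+TCP RST segments a sniffing sensor injects, spoofing each endpoint to the other, and then applies the checks the receiving stack applies, namely both checksums and whether the RST's sequence number is the one the receiver is waiting for. Addresses, ports, sequence numbers and the "observed" attacker-to-victim segment are constructed sample values.

```python
"""Craft and vet the TCP reset a passive IDS uses to 'shun' a session.

Added example, not code from the article, from ISS or from the poster: it
builds the raw IPv4+TCP RST segment that a sniffing (not in-line) sensor
injects to tear down a connection it has flagged, and applies the checks
the receiving stack applies (checksums, and whether the RST's sequence
number is the one the receiver expects).  Addresses, ports, sequence
numbers and the 'observed' segment are constructed sample values.
"""
import struct

TCP_RST = 0x04


def checksum(data):
    """RFC 1071 ones-complement sum over 16-bit words; 0 means 'valid'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip4(addr):
    return bytes(int(o) for o in addr.split("."))


def build_rst(src_ip, sport, dst_ip, dport, seq):
    """IPv4 packet carrying a 20-byte TCP header with only RST set (ack=0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, TCP_RST, 0, 0, 0)
    pseudo = ip4(src_ip) + ip4(dst_ip) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip4(src_ip), ip4(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse_packet(pkt):
    """Decode the fields a receiver looks at, including both checksums."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_hdr, tcp = pkt[:ihl], pkt[ihl:]
    sport, dport, seq, ack, _off, flags = struct.unpack("!HHIIBB", tcp[:14])
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return {"src": ".".join(map(str, ip_hdr[12:16])),
            "dst": ".".join(map(str, ip_hdr[16:20])),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "ip_csum_ok": checksum(ip_hdr) == 0,
            "tcp_csum_ok": checksum(pseudo + tcp) == 0}


def shun(observed):
    """Return (rst_to_attacker, rst_to_victim) for a sniffed attacker->victim segment.

    The sensor spoofs each endpoint to the other.  The attacker expects the
    victim's next byte at observed['ack']; the victim expects the attacker's
    next byte at observed['seq'] + payload length.
    """
    to_attacker = build_rst(observed["dst"], observed["dport"],
                            observed["src"], observed["sport"], observed["ack"])
    nxt = (observed["seq"] + observed["payload_len"]) & 0xFFFFFFFF
    to_victim = build_rst(observed["src"], observed["sport"],
                          observed["dst"], observed["dport"], nxt)
    return to_attacker, to_victim


def rst_accepted(rst_seq, rcv_nxt, rcv_wnd, strict=True):
    """Would the receiver honour this RST?

    RFC 793 accepts any RST whose seq falls inside the receive window;
    RFC 5961 (strict, what current stacks do) only accepts seq == RCV.NXT
    and answers other in-window RSTs with a challenge ACK instead.
    """
    offset = (rst_seq - rcv_nxt) & 0xFFFFFFFF
    return offset == 0 if strict else offset < rcv_wnd


# Constructed sample: an HTTP request the sensor has just matched a signature on.
OBSERVED = {"src": "10.0.0.5", "sport": 40000, "dst": "10.0.0.9", "dport": 80,
            "seq": 1000, "ack": 5000, "payload_len": 120}

if __name__ == "__main__":
    to_attacker, to_victim = shun(OBSERVED)
    for name, pkt in (("to attacker", to_attacker), ("to victim", to_victim)):
        p = parse_packet(pkt)
        print(f"{name}: {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} "
              f"seq={p['seq']} csums_ok={p['ip_csum_ok'] and p['tcp_csum_ok']}")
    # The race a passive sensor always loses: if the victim took in 40 more
    # bytes before the RST landed, the RST is stale and is simply dropped.
    print("stale RST honoured:", rst_accepted(1120, 1160, 65535))
```

Two things worth noticing in the output: the segment that triggered the signature has already reached the victim by the time the sensor's RST goes out, so a reset ends the session but never stops the first payload, and on a busy connection the sensor's idea of the next sequence number goes stale quickly, at which point a strict receiver drops the RST. Both follow from the sensor not being in-line, which is the limitation the article itself concedes.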



-=-



Forwarded from: White Vampire <whitevampire () mindless com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Tue, May 27, 2003 at 02:03:48AM -0500, InfoSec News(isn () c4i org) 
wrote:


This is PR disguised as news.


<snip>
"Patching is unattainable. There's no Fortune 1000 company doing it
across all its systems," contends Klaus, who points out that
sometimes vendors stop supplying patches for their legacy products.
"For instance, Microsoft is no longer supporting patching for
Windows NT."
<snip>


        Prove it.  Patching is unattainable, eh?  Windows workstations
can be set to reference a directory on a primary server within the NOC
and automatically install updates in the directory.  That is just one
way to do it.


        If said "patching" is not taking place, perhaps there are some
people out there who should start doing their jobs properly.


Regards,
- -- 
\   | \  /  White Vampire\Rem                |  http://gammaforce.org/
 \|\|  \/   whitevampire () mindless com        |  http://gammagear.com/
"Silly hacker, root is for administrators."  |  http://webfringe.com/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.5 (GNU/Linux)


iD8DBQE+05ba3+rxmnEDyl8RAtqLAKD0vSsHCZlriYO7CwFnn3gDp1N/dACfXIvN
U9z5ICL3U/mCPQnQTDQaOtI=
=hAXD
-----END PGP SIGNATURE-----



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

