nanog mailing list archives

Re: FW: Cost of Worm Attack Protection


From: "Alexei Roudnev" <alex () relcom net>
Date: Thu, 13 Nov 2003 23:00:32 -0800


There is one common rule: if you react to something (a worm, for example),
never overreact.

This means that, yes, in many cases it is much more effective to _do
absolutely nothing_ than to engage in _proactive and aggressive prevention_.


A few examples from other areas:

- Medicine: an allergy can kill, and an allergy is an overreaction.
- Politics: 9/11. If the USA had done absolutely nothing, even if not one
airline had changed its security procedures, it could have been more
effective than what was done (full-time paranoia, 2 wars, huge losses in
industry, huge inconvenience for travellers...).

The same approach works here. Some level of prevention is useful. It was
useful to block bad ports in the week of the last worm. It could help (and
did help) to update desktop systems, install rate limits for a few kinds of
traffic, and block fraudulent SRC addresses. But if someone installed
numerous restrictive filters (for example, forbidding all file sharing
between desktops, allowing it for servers only), the cost of such a thing
could be much more than the cost of _doing almost nothing_. In many cases,
the security updates were more dangerous than the worm itself...

There are cases when such _proactive activity_ is required. These are cases
when the harm from the worm / virus can be unlimited: leaking of the
yodlee.com database (for example) can effectively ruin the whole company,
so no cost of prevention looks too high. We can always find other examples.
Unfortunately, in 90% of cases we just see different kinds of paranoia,
which makes the cost of _prevention_ higher than the cost of the possible
damage.

Alexei Roudnev

----- Original Message ----- 
From: <kgraham () rogers com>
To: <nanog () merit edu>
Sent: Thursday, November 13, 2003 1:40 PM
Subject: Re: FW: Cost of Worm Attack Protection



It would be great not to spend any money and let the worms run their
course.  But when you have to deal with downed production at the cost of,
give or take, possibly 500K per attack, it unfortunately cannot be done
without one losing their job.  The last worm that spread throughout
enterprises mentioned having to reinstall the entire server.  If that server
is a critical production server, what would you do?

Would spending 100K prevent the attack?  Very likely not.  Would spending
100K help track the offending machine(s) and enable someone to remove them
from the network until they are serviced?  Possibly.
Would this help keep production rolling?  Possibly.

The installation management and response time needed to implement an IDS
solution does have to be investigated to see if the ROI comes in line with
the cost.  The ROI would need to include any saved downtime.  If someone has
this information please pass it along.

A nicer solution would be an operating system that does not need a
critical patch every other week, due to its exploitable nature.

Yes I am dreaming :)

Kim


From: "Braun, Mike" <MBraun () firstam com>
Date: 2003/11/13 Thu PM 03:02:59 EST
To: "'nanog () merit edu'" <nanog () merit edu>
Subject: FW: Cost of Worm Attack Protection


The old saying of "you get what you pay for" seems to be well directed
when it comes to this topic.  If you're willing to allocate $100K more than
you currently spend to mitigating the effects from Worms and Viruses, I'm
sure you will have some increased success.  If you allocate 1 mill more,
your success will increase substantially.  The true cost really boils down
to what you are trying to protect, such as how many servers, users, network
segments, and other critical devices you are willing to encompass in your
protection plan.  Also, you may be able to mitigate the cost by using the
functionality built into devices you may already own.  A good protection
schema needs to address the use and benefits from the following:
Firewalls, VPN tunnels and policies, HIDS, NIDS, Antivirus software, and a
good network security policy that grows with your network.  You may already
have most of this in place and need only a little extra funding allocated
to give you the protection level you feel comfortable with.

If you're looking for pricing on each component, they will vary widely
depending on the brand and model you go with.  You should shop around for
components that suit your budget.  An example of this price variance can be
found by looking at a Net Forensics project priced at $500k compared to a
similar solution going with Network Intelligence at $40K.  The Network
Intelligence solution may not have all the functionality offered by Net
Forensics, but it may be enough for your needs.

Best of luck in fighting this ever growing problem,

Mike Braun

-----Original Message-----
From: sgorman1 () gmu edu [mailto:sgorman1 () gmu edu]
Sent: Thursday, November 13, 2003 7:59 AM
To: Joel Jaeggli
Cc: nanog () merit edu
Subject: Re: Cost of Worm Attack Protection



Good point - then what is the cost of attempting to mitigate or handle
attacks vs. doing nothing?

----- Original Message -----
From: Joel Jaeggli <joelja () darkwing uoregon edu>
Date: Thursday, November 13, 2003 10:14 am
Subject: Re: Cost of Worm Attack Protection

I haven't seen any network or customer site that has protected itself from
worms... only mitigated them.

joelja

On Thu, 13 Nov 2003 sgorman1 () gmu edu wrote:



I was hoping to get some estimates from folks on the costs of defending
networks from various worm attacks.  It is a pretty wide open question,
but if anyone has some rough estimates of what it costs per edge,
manpower vs. equipment costs, or any combination thereof it would be of
great assistance.  We are doing some simulations of attack and defense
strategies and looking for some good metrics to plug into a cost benefit
model.  We'd be happy to share the results if anyone is interested as
well.

Thanks in advance,

sean


-- 
--------------------------------------------------------------------------
Joel Jaeggli                 Unix Consulting
joelja () darkwing uoregon edu
GPG Key Fingerprint:     5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2




