Penetration Testing mailing list archives

RE: Scanning a system with HIPS installed?


From: dcdave () att net
Date: Fri, 07 Dec 2007 12:00:20 +0000

 This raises an interesting question.

If the HIPS is functional and up to date and compliant with your network requirements for security, why shouldn't you 
allow it on the network? It probably wouldn't be subvertible by other sources, right?
Wrong. I can think of at least three good ways to subvert a machine on a network running its own HIPS.
One of the most simple and dangerous is that, based on the original concepts of the NCSA in the Orange Book, there are 
three basic legs to information security. Only one is composed of the actual electronics and networks.
Ask any pen-tester with experience in the real world, especially in social engineering, and you will find that the 
other two legs, Physical Security (physical access to the computing resources) and Personnel Security (the ability to 
feel that due diligence has been done to assure the integrity of the personnel who are authorized to access the 
computing resources) are equally important.
So, the location of the laptop plugging in, and the amount that you know of the person operating it are truly 
important considerations. Hackers and corporate spies (not to mention the other kind) really do use these methods to 
invade a network.

I have always felt that if a network's security were MY responsibility, I would NOT allow any uncontrollable factors 
onto it. In the real world, there are many shades of gray, both in liabilities and culpabilities, and ultimately one 
may have to follow orders. If so, get them documented and signed....

Dave Druitt
--
CSO 
InfoSec Group 
703-626-6516 



-------------- Original message from "Sutton, Paul A." <SuttonP () aafes com>: -------------- 


You would not be able to manage that laptop. Who is going to perform 
security updates on the OS and ensure their AV is and remains current? 
What software are they bringing into your network? Unless you have a 
guest network, no computer that you cannot manage should be allowed 
on your network. 

Paul Sutton 
Network Data Security Analyst 
IT-G IT Security Management 
214-312-6376 


-----Original Message----- 
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] 
On Behalf Of Albert R. Campa 
Sent: Monday, December 03, 2007 1:14 PM 
To: pen-test () securityfocus com 
Subject: Scanning a system with HIPS installed? 

As far as allowing visitor laptops on your network, when you scan a 
laptop you would disable any HIPS/Firewall system that is installed so 
as to perform a full scan. 

Is there a major reason to not allow a laptop on the network if you 
could not disable the HIPS (because of admin rights) and just scanned 
it with HIPS running? 

thx 

------------------------------------------------------------------------ 
This list is sponsored by: Cenzic 

Need to secure your web apps NOW? 
Cenzic finds more, "real" vulnerabilities fast. 
Click to try it, buy it or download a solution FREE today! 

http://www.cenzic.com/downloads 
------------------------------------------------------------------------ 

