[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3F26D7D6.9080704@brvenik.com>
From: security at brvenik.com (Jason)
Subject: Avoiding being a good admin - was DCOM RPC
exploit (dcom.c)
Michal Zalewski wrote:
> On Tue, 29 Jul 2003, Jason wrote:
>
>
>>Given a conservative half a day downtime for only 100,000 of the more
>>likely 150,000 employees at a very conservative average burden of $10
>>per hour you have spent $4,000,000 in productivity losses alone. This
>>completely ignores costs like lost data, lost confidence, work that has
>>to be redone...
>
>
> A-ha, so all of the 150,000 employees maintain a constant rate of
> "productivity", and are at a hundred percent of their output capacity, so
> that a downtime will cause an irreversible loss they cannot compensate for
> by skipping one coffee break after an incident (incidents like this
> occuring not particularly often)? And all perform a work that will be
> disrupted by an outage?
[snip]
>
> For most companies, an incident like this once in a while is just an
> inconvenience. For that reason, they would not consider spending enormous
> amounts of money on a better staffed and better educated IT department and
> constant monitoring of the threats. Worm comes, worm goes, big deal.
>
I agree that historically most classic worms will have a negligible
impact on the business, especially the outlook/mass mailing type worms.
This is changing rapidly, we had increasing warnings with explorer32
then code red then nimda then saphire/slammer...
Most of the worms that cause widespread impact and outage take advantage
of poorly configured systems or unpatched systems or a common breakdown
of the human part of fixing after following the failure of the technology.
In the case that was presented the worm resulted in a widespread
sustained outage for most of the affected organizations lasting one to 2
days before network services were usable and had hold out segments and
resurgence in areas for up to weeks. This was 6 months after it hit mind
you.
I used low sweeping numbers to represent the case in general to not have
to consider all of the possibilities. That is an entire effort itself
and does not do well in mail, especially when there are extra 0s and no
coffee pumping in my veins. It was to illustrate the point that is costs
less to suck it up and do it before and not after the fact.
I find it hard to believe that during the next technology refresh best
practices in building these images and disabling these unneeded services
by default cannot be done. I also find it hard to believe that this
could not have been done in the last technology refresh bringing us to
win2k. Especially for a company with 150,000 systems.
I think that there is no excuse for accepting an answer that it can not
be done when there has been information readily available for years
showing how to do it. It is an education effort and exercise in
diligence that may ultimately make a few decide to change industries.
In doing this we will be able to handle most potential worms with this
casual attitude of indifference because we will have an extremely
limited exposure.
The fact that these worms are becoming more aggressive and more
insidious and more common means that we need to start doing this a while
ago. The more this is done the less motivation there is to produce the
worm. The need for enormous amounts of money and IT resources and
constant monitoring will ultimately be reduced significantly as will the
cost of the gamble.
Powered by blists - more mailing lists