Message-ID: <3F268EC9.2723.3259F04@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: DCOM RPC exploit (dcom.c)
"Admin GSecur" <admin@...ernmentsecurity.org> wrote:
> I completely agree, unfortunately this is a constant problem in any
> enterprise size network. So many times it only takes a less experienced
> network admin to bring a network to its knees.
True, but even that can be mitigated somewhat -- of course, it costs
money and reduces the "flexibility" that computers are "expected" to
provide so few apparently even consider it...
> Personally I have found an aggressive and continuous network auditing
> policy by the corporation can help negate any difference in security
> levels among the large number of servers and devices on their network.
> But so many times the corporation doesn't want to spend the capital on
> the manpower needed. (Even if it is for a single additional body)
Managed switches, strict MAC-to-port mapping, etc, etc. Yep -- costs
money to set up (more expensive hardware) and a little more _initial_
admin time, but it pays back in spades. Worried about stray (or any!)
WLAN APs turning up inside your network? Well, if their Ethernet MAC
can't talk to any of the LAN, it can't cause any more damage than to
the person or persons conniving _against policy_ and thus liable to
being reprimanded, lose bonuses, be fired etc _when_ caught (note, not
"if" because your auditing will tell you an unknown device was plugged
into a specific outlet in a specific office/cubicle/etc -- an act you
can make a policy violation in itself!). Worried about contractors and
consultants who drag their laptop all round other people's networks then
plug it into yours? Don't give them service until their machine has been
through a specified vetting process. Costs a bit of time at their
outrageous charging rates, but is your network security really _not_
worth that effort? Worried about that unauthorized ("black ops")
server the guys in accounting have slipped in the backdoor? You need
not. It can be done -- it simply takes a bit of structure and
management which is what I've always thought being a system
administrator was all about.
> Another common problem is the random "orphaned" server that was
> installed without the NOC ever knowing. So many times this single
> neglected machine can cause the downfall of even the tightest network.
True, but not in a well-designed and administered environment. The
idea that anyone should be able to connect any device to the LAN was
maybe just acceptable in certain environments _BEFORE_ those LANs were
attached to the completely inappropriate to task "modern Internet".
Such a network "structure" is utterly unacceptable in today's world of
massively increased connectivity, massively increased staff
accessibility to computers (both at work and elsewhere), massively
increased mobility of the enterprise's computers and the fabulous
arrogance shown by the preferred supplier of the OS running most such
computers in ignoring entirely for about 5-6 years the complete
change in the security and system integrity landscape the massive
acceptance of "the modern Internet" should have entailed.
> So are the woes of an enterprise admin.
...if s/he is under-resourced. It need not be the way you describe at
all. It can be done _much_ better with a relatively small initial
commitment to "doing it properly". Of course, most enterprise systems
start off with the "is there a cheaper option" attitude. In a
"manufacturing" type operation, such a question tends to have a
(relatively) low opportunity cost should it turn out that the cheap
route leads to too many failures (you switch to the slightly more
expensive but better quality inputs, suck up the cost of recalling or
otherwise replacing the already shipped stock and perhaps push up the
price a bit). However, if what you scrimped on was "infrastructure",
fixing it nearly always entails pulling out great gobs of now largely
useless and valueless plant and replacing it with more expensive but
better fit equipment. Thus taking the cheap route on infrastructure
such as networking equipment, operating systems, network security and
so on becomes a hugely expensive thing to "fix properly". Thus we tend
to see band-aid fixes such as firewalls, IDSes, antivirus software and
all manner of other things that should be largely unnecessary were the
system they are going into "properly designed" from the start. (This
is not to say that those things might not have _some_ value in a properly
designed and maintained system, but they certainly should not be the
security "front line" in enterprise systems. Of course, for the SOHO
market, such band-aids may be the only viable solutions given there is
not (enough) money to hire the best trained and equipped professional
sysadmin staff nor can the initial setup overhead of "doing it
properly" be justified against the size of the userbase and/or the
value of the "operation".)
Of course, convincing a bean-counter of the value of taking a longer-
term view of such issues is really difficult and almost exclusively you
will only ever find such principles applied in practice at _extremely_
sensitive installations and at large corporations that have been "hit"
very severely because they got it wrong the first time. After seeing
the lack of value of scrimping on critical infrastructure there is a
tendency for upper management backing for "doing it right" the second
time around. I guess that this being almost exclusively how it is means
the "it won't happen to us" attitude is alive and well in the halls of
corporate governance...
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
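The strict MAC-to-port mapping and the audit that "tells you an unknown device was plugged into a specific outlet" can be automated. What follows is an added example and not code from the original post or its author: it parses a constructed sample in the style of a managed switch's learned MAC address table and compares it against an inventory of which device belongs on which port. The inventory, the sample table, the port names and all function names are assumptions made for the illustration.

```python
"""
Audit a switch's learned MAC table against an authorised port-to-device map.

Added example, not from the original post. SAMPLE_MAC_TABLE and AUTHORISED
are constructed data; the port names and function names are assumptions.
"""
import re
from collections import defaultdict

# Constructed inventory: the MACs permitted on each access port.
# An empty set is a patched but unassigned outlet; None marks an uplink
# or trunk on which many MACs are expected.
AUTHORISED = {
    "Gi1/0/1": {"00:11:22:33:44:01"},   # desk 1 workstation
    "Gi1/0/2": {"00:11:22:33:44:02"},   # desk 2 workstation
    "Gi1/0/3": set(),                   # spare outlet, nobody assigned
    "Gi1/0/4": {"00:11:22:33:44:04"},   # desk 4 workstation
    "Gi1/0/48": None,                   # uplink to the core
}

# Constructed sample in the style of a managed switch's MAC table dump.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4401    DYNAMIC     Gi1/0/1
  10    0011.2233.4402    DYNAMIC     Gi1/0/2
  10    0011.2233.4403    DYNAMIC     Gi1/0/2
  10    0011.2233.4404    DYNAMIC     Gi1/0/3
  10    0011.2233.4407    DYNAMIC     Gi1/0/7
  10    0011.2233.44aa    DYNAMIC     Gi1/0/48
  10    0011.2233.44bb    DYNAMIC     Gi1/0/48
"""

# vlan, dotted-quad MAC, entry type, port
ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$",
    re.IGNORECASE,
)


def normalise_mac(mac):
    """Turn 0011.2233.4401, 00-11-22-33-44-01 or 00:11:22:33:44:01 into aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Return a list of (port, mac) pairs; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            entries.append((m.group(3), normalise_mac(m.group(2))))
    return entries


def audit(entries, authorised):
    """Compare learned entries with the inventory; return (port, mac, reason) findings."""
    # Reverse map so a known device seen on the wrong outlet is reported as a move.
    home = {}
    for port, allowed in authorised.items():
        for mac in allowed or ():
            home[mac] = port

    seen = defaultdict(set)
    for port, mac in entries:
        seen[port].add(mac)

    findings = []
    for port, macs in sorted(seen.items()):
        if port not in authorised:
            findings += [(port, mac, "traffic on an uninventoried port") for mac in sorted(macs)]
            continue
        allowed = authorised[port]
        if allowed is None:  # uplink/trunk: many MACs are normal here
            continue
        for mac in sorted(macs):
            if mac in allowed:
                continue
            if mac in home:
                reason = f"known device moved from {home[mac]}"
            elif not allowed:
                reason = "device on a port with no assigned owner"
            else:
                reason = "unknown MAC"
            findings.append((port, mac, reason))
        if len(macs) > 1:
            # A single-host access port should learn exactly one MAC.
            findings.append((port, "*", "multiple MACs on an access port (hub, AP or bridging host?)"))
    return findings


def run_audit():
    """Audit the constructed sample; returns the findings list."""
    return audit(parse_mac_table(SAMPLE_MAC_TABLE), AUTHORISED)


if __name__ == "__main__":
    for port, mac, reason in run_audit():
        print(f"{port:10} {mac:18} {reason}")
```

On a real network the table would be pulled from each switch (SNMP, SSH or an API) on a schedule and the findings raised as tickets against the outlet's office or cubicle, which is what makes the "when, not if" in the post achievable; the port-security features of a managed switch can additionally shut the port the moment a second or unexpected MAC appears.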