[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1059525417.3695.207.camel@el-cap>
From: DARREN.L.BENNETT at saic.com (Darren Bennett)
Subject: Avoiding being a good admin - was DCOM
RPCexploit (dcom.c)
***BEGIN RANT***
The current IT attitude is really frustrating!
A "good admin" is one that ENABLES services and systems to be USED by
individuals. This relatively new attitude of disable/disallow/distrust
is a bad way for the IT world to be moving. The statement "screw the
students" is very depressing. I'm glad the Internet was developed with
the opposite attitude. When systems are so poorly secured (and so
DIFFICULT to keep secure) that the "solution" is to cripple other
features, then another resolution is needed. Watching the Internet and
the IT profession over the past few years has been increasingly
depressing.
When a company's program or protocol is vulnerable, shutting down that
program would be a better option than disabling the port/service/etc.
I.E.: Exchange is vulnerable to viruses so don't allow .exe and .bat
attachments.
If a system can't be patched without a reboot then something needs to be
changed. At the rate we are going, we will be back to snailmail and a
notepad.
Let's hope that the admins and the software manufacturers both step up
to the plate and learn to take some responsibility. How? Well, 95% of
all the "hacks" are done to systems using KNOWN vulnerabilities that
simply were not patched because of incompetent or lazy sys-admins (maybe
the fact that we have "dummed down" our server interfaces isn't all good
after all). Of these exploits, many (most?) were the result of poor
coding and bounds checking that was then exploited in the form of buffer
overflows. Yeah, we can't stop them all.. but many of these show true
negligence (if we could hold software manufacturers to the same
standards as auto makers, we'd have a lot more product recalls and a lot
better stability and security..the Firestone incident would pale in
comparison) Would it cost more? Maybe, but doubtful. The cost of
DOS/Hacks/downtime coupled with "cheaper" but incompetent admins is very
very high as well.
-Darren
On Tue, 2003-07-29 at 13:51, Ron DuFresne wrote:
> On Tue, 29 Jul 2003 Valdis.Kletnieks@...edu wrote:
>
> > On Tue, 29 Jul 2003 13:14:49 EDT, Jason <security@...enik.com> said:
> >
> > > Wrong, the cost benefit does work out for the business. We are at 3.9
> > > million because we did not pay attention to the assets that needed
> > > protecting and implement best practices. At 3.9 million we are still
> > > under the extremely conservative $4million estimate from one single outage!
> >
> > You can harp on "best practices" all you want - hell, *I* certainly do
> > it enough. However, you have to come to some realizations here. All
> > "best practices" cost something to implement. And at some point, the
> > cost of prevention is going to exceed the cost of cleaning up.
> >
> > And at this point, the boss asks "So what are the chances we'll make
> > it through the entire rest of the fiscal year without having to blow
> > *another* $1.3M, compared to the chances we'll get wormed before the
> > next advisory comes out?"
> >
> > Remember - we're up to MS03-*030* and it's still July. At $1.3M per,
> > you've burned some $39M already to protect against a $4M threat.
> >
> > Security is *tradeoffs*. Do I wish all my users were patched against
> > MS03-026? Yes. Do I think some will get trashed by whatever worm comes
> > by? Yes - the last worm nailed 200 boxes or so before we got specific
> > router filters in place.
> >
> > However, when the cost of forcing *all* the users to upgrade exceeds
> > the cost of cleaning up the 200 that will get whacked, it's *REAL*
> > hard to get resources allocated - I've never net a VP-level exec
> > that would agree to the idea that they should spend $2M to protect
> > against a $500K threat because it's "best practices". The only ways
> > you'll get your $2M is to either make it under $500K instead, or something
> > raises the $500K (for instance, if "liable for a $1.5M fine under the newly
> > passed protection-of-private-law" gets added in...)
> >
> > Anybody who can't understand *that* probably doesn't get the joke
> > about a $200 chip protecting the $0.75 fuse by blowing up first....
> >
> >
>
> Still the best defensive porture is taken at the entrance and exit points
> as pertains to most all these 'services'. If the ports 135 and 1433 etc
> are blocked, both tcp and udp protocols, then patching becomes far less
> dramatic, even if a few machines inside get infected due to laptops or
> what have you. when the flow on the wire for a segment starts to impact
> the other segments on the network, then, pull that segment and rush and
> and fix what's needed to get things up again in short order. Then again,
> patch at leisure. Barring a strong network perimiter, you become
> dangerous not only to others on your inside, but, everyone else out here.
>
> Screw the students that are in a programming class and can't get their
> toys to work across the borders, and their professors, they have to
> understand, or be made to understand that there are reasons that the
> policy that is in effect is so for a reason.
>
> The higher up that tries to cut costs and make his claim as an asset that
> can't be afforded to be lost, rather then doing so as most profs do by
> reaserch and publishing, well the old 'useless' equipment just became the
> test network for that comp sci dept, firewalled off from the rest of the
> network of course, well not in texas, they all need room to spread their
> funk on the wires and gateways outside their domain...
>
> Thanks,
>
> Ron DuFresne
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Cutting the space budget really restores my faith in humanity. It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation." -- Johnny Hart
> ***testing, only testing, and damn good at it too!***
>
> OK, so you're a Ph.D. Just don't touch anything.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
--
-----------------------------------------------
Darren Bennett
CISSP, Certified Unix Admin., MCSE, MCSA, MCP +I
Sr. Systems Administrator/Manager
Science Applications International Corporation
Advanced Systems Development and Integration
-----------------------------------------------
Powered by blists - more mailing lists