Message-ID: <9AD9D61578B84144912BCB44CBEF9EAD0700E6C6@usnssexc03.us.kworld.kpmg.com>
From: kenng at kpmg.com (Ng, Kenneth (US))
Subject: Re: Microsoft Security, baby steps ?
Totally agree. There is no magic bullet for security, especially on a large
network. You can have firewalls guarding the outside, run Anti Virus
against the mail servers, the file servers, and all the desktops. How about
consultants coming in? How about vendor demos that need to be plugged into
the network? How about appliance servers where the vendor claims "you don't
need to patch this", and they are really running W2K with no service packs
wide open with every service known to mankind enabled? How about
applications that break because they depend on the MSSQL SA password being
blank? How about those network aware copiers or fax machines or distributed
door locks or HVAC (really) systems? Nothing will catch everything. Anyone
who says so is selling snake oil or hiding management nightmares. Yes,
firewalls and other related hardware help. We also need software vendors to
stop giving lip service to security and start actually implementing it. We
need software vendors to start publishing network protocols so that
firewalls can actually look at the traffic and make intelligent decisions.
We need software and hardware vendors to stop saying "security is not our
problem".
-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Schmehl,
Paul L
Sent: Thursday, March 18, 2004 11:18 AM
To: full-disclosure@...ts.netsys.com
Subject: RE: [Full-Disclosure] Re: Microsoft Security, baby steps ?
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of
> Full-Disclosure
> Sent: Thursday, March 18, 2004 2:17 AM
> To: full-disclosure@...ts.netsys.com
> Subject: RE: [Full-Disclosure] Re: Microsoft Security, baby steps ?
>
> In a corporate environment, you will have SUS or SMS
> running. If so, no need for internet access.
>
I'm seeing statements like this more and more, on this list and others,
and it's really starting to bug me. (Not picking on you personally.)
Most of the attacks on corporate boxes come from the inside. Blocking
internet access does very little to protect you. Don't believe it?
Then explain how Slammer and Sobig and Mydoom and Nachi and Blaster
managed to spread in corporate environments that have very good
firewalling.
Putting up a firewall is one small step in a very large process that
gets you some semblance of security. You are not "safe" simply because
the firewall is up and running. All it takes is *one* improperly
maintained box on the inside to be compromised/infected, and the hacker
is off to the races. What will SUS/SMS do for you then?
By all means, automate patching. But for god's sake, don't think that
once you've done that you're done! You've only just begun.
Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html