lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <C2451D6C.1BCDA%simon@snosoft.com>
Date: Fri, 13 Apr 2007 11:43:40 -0400
From: Simon Smith <simon@...soft.com>
To: Jamie Riden <jamie.riden@...il.com>,
	<steven@...urityzone.org>
Cc: funsec@...uxbox.org, botnets@...testar.linuxbox.org,
	full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: A Botted Fortune 500 a Day

Just to add my two cents...

The fact is that the cost in damages of a single compromise is usually far
greater than the cost of implementing and maintaining good security. TJX is
a golden example of that.


On 4/13/07 11:05 AM, "Jamie Riden" <jamie.riden@...il.com> wrote:

> Hi Steven,
> 
> I believe security of an organisation is orthogonal to the number of
> employees/users and how savvy they are. It depends more on the will
> and resources to secure the network properly. Two, corporations do
> have many financial incentives to make sure they are secure - if they
> are doing their risk analyses properly, they can see that. So, yes I
> do expect them to fare better - a lot better - than ISPs. More
> comments are in-line.
> 
> On 13/04/07, Steven Adair <steven@...urityzone.org> wrote:
>>> On 13/04/07, Steven Adair <steven@...urityzone.org> wrote:
>>>> Is this in anyway surprising?  I think we all know the answer is no.
>>>> Many
>>>> Fortune 500 companies have more employees than some ISPs have customers.
>>>> Should we really expect differently?
>>> 
>>> Yes! Off the top of my head:
>>> 
>>> 1. Corporations should have more of an economic incentive to prevent
>>> compromises on their internal networks. E.g. "TJX breach could cost
>>> company $1B" -
>>> http://weblog.infoworld.com/zeroday/archives/2007/04/tjx_breach_coul.html
>>> Now, a typical spambot will cost almost nothing compared with that,
>>> but the point is you don't know the extent of the compromise until
>>> you've examined the machines involved.
>>> 
>> 
>> You list incentives but this doesn't mean I should really expect any
>> differently.  You are also equating a compromise into TJ MAXX servers for
>> which details have not been given.  I doubt and hope the same user that's
>> an account for TJ MAXX and using e-mail isn't conencted or able to get to
>> a server that processes credit card transactions.
> 
> A compromise is a compromise and you don't know the extent until
> you've looked at everything. If one of your machines is spewing spam,
> how do you know it is also not leaking confidential data to a third
> party? Any compromise has the potential to be *extremely* costly.
> 
>>> 2. Corporations have a lot more influence over their employee's
>>> behaviour than ISPs do over their customers. Customers can walk away
>>> to a new ISP with minimal fuss if sanctions are threatened.
>> 
>> Well this is true but you seem to be missing the point of the comparison.
>> These are large corporations with tens of thousands (some more, some less)
>> that are geographically dispersed across the countries.  This isn't a
>> small shop of 50 elite IT users.  This is probably like most other places
>> were 90% of the users can barely use Microsoft Word and Excel.  Once
>> again.. do I expect differently? No.
> 
> There is no reason for an admin to let users compromise the company's
> security. If the company cares about security, they can disable admin
> rights, lock down the firewall and run an IDS.
> 
> I can buy the argument that most companies don't care sufficiently,
> but this is really orthogonal to the number and experience level of
> their users.
> 
>>> 3. Corporations can lock down their firewalls a lot tighter than ISPs
>>> can. If my ISP blocked the way my employer does, I would be looking
>>> for a new ISP.
>>> 
>> 
>> Sure they can in some instances.  How would locking down a firewall stop
>> this e-mail from going out?  Maybe you can lock down SPAM firewalls but
>> that doesn't stop the root cause.  You have 100,000 users at a Fortune 500
>> company with admin access to their Windows laptops.  Are you going to
>> block them form using the Internet and using e-mail?  If not I am going to
>> continue to expect them to keep getting infected.
> 
> Block the infection vectors: screen email, http and ftp traffic. No
> personal laptops on company networks. No admin rights as far as
> possible. Monitor and react to new vectors and threats as they arise.
> 
> Yes, I would disable people's Internet access - in fact all intranet
> access too. My main interaction with Cisco kit to date is shutting
> down Ethernet ports and re-enabling them after the problem has been
> resolved. If there's an incident, the plug gets pulled until someone
> has examined the machine, and if necessary reinstalled from known good
> media.
> 
>>> 4. ISPs don't own the data on their customer's computers. Corps very
>>> much do own most of the data on their employees computers. Therefore
>>> they need to worry about confidentiality in a way that ISPs do not.
>>> 
>> 
>> Well usually corporations not only own the data on the machines, they own
>> the computers themselves as well.  You are equating a need and want for
>> protection with what would really be expected.
> 
> They have a financial incentive to look after their machines, so I do
> expect them to look after them. An ISP has no such incentive to look
> after their customer's machines.
> 
>>> I used to look after security at a large-ish university and odd
>>> activity would stand out because there the baseline was largely
>>> 'normal' traffic. ISPs have little chance to detect 'odd' behaviour
>>> because everyone is doing 'odd' things. Corps should only have a very
>>> few 'odd' things happening on their networks and a single outgoing
>>> portscan or IRC session are grounds for serious concern. (Assuming IRC
>>> is forbidden by policy - if not, you can still profile the IRC servers
>>> you expect to be talking to and those you don't.) It's not hard to
>>> find infected machines at a corp.
>>> 
>> 
>> Not sure last time you ever looked at XDCC/iroffer bots, but they can
>> range from 10-50% .edu hosts.  Universities are ripe for the picking.
>> I've participated in UNISOG related lists and I know it's getting better
>> and just like any organization it can very from location to location.  I
>> don't expect anything different here either.
> 
> Yes, I've seen that. Having not worked at any of those particular
> university, I can't comment on their setups. We immediately pulled the
> plug on the occasional bots we had on our network. (If you're allowing
> personal gear onto your network you will always get a few incidents.)
> 
>> There's a field in most mail programs where you can enter in an
>> SMTP/IMAP/Exchange address etc.  This allows you to send e-mail using that
>> server.
> 
> Not any networks I configure. You have to be internal, or you have to
> authenticate - or no email.
> 
> My favourite quote at the moment is: "there are people who will try
> anything to secure their networks, except design them correctly,
> control the access levels within them, segment their networks,
> understand their traffic, and monitor things closely." - Marcus Ranum.
> Securing a network is not a black art any more, it just requires a lot
> of corporate willpower to implement a useful security policy.
> 
> cheers,
>  Jamie


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ