Re: [Full-disclosure] Getting Off the Patch
I don't agree with the statement: "From a security standpoint, patching is better than not patching. Period." Sometimes patching is the right solution, often it is not.

Since some asked for experiences from larger companies, here is one: In 2001 I was responsible for maintaining all kinds of systems and services at a telephony and internet provider. One morning a list with our company name in it was mentioned in the radio news bulletins. We also found our name in this list in articles in newspapers. A hacker found we didn't install a patch on one of our web servers which ran IIS 5.0 on Windows 2000. The patch had been available for about 3 months and the hacker claimed he could attack our server because this specific patch was missing. Because of his ethical standards he did not try to really attack the server but just published about the shameful patching policies in large companies.

Three years later, when a new website was developed, the server was replaced. The patch was still not installed. Even though we were in the radio news bulletins and newspapers and the world knew about our vulnerable server, no successful attack occurred in all that time. Oh yes, they tried. I've seen it in our log files. But because of other defense mechanisms, the known exploit did not work on our server. And since the web server was in no danger without this patch, we decided installing the patch would be a higher risk than leaving the server as is.

I did not know about the OSSTMM in those days. If I had, I could have explained why patching is not always the best solution: it interferes with your operations. And if it influences your operations, you had better control it. Not blindly execute it and install the patch using an automated update process, but actually control it. So the first thing to do is to decide if applying a patch is useful at all. And often it is not! E.g. why would you even consider installing MS10-085 on an HTTP-only web server (MS10-085 apparently fixes an error in the TLS handshake)? (Don't flame me on this one, it's just meant as an example.)

And if you concluded a patch is useful, then you decide if you do need to install it, or if it is not really necessary to install it. And if you install it, then decide if you do it manually, in a controlled manner, or use an automated update process, in an uncontrolled manner. The OSSTMM helps you to realize that an automated update process increases the attack surface, which had better be controlled. Another option of course is to blindly install it, because you trust your vendor (you know, the one that provided buggy software in the first place). Then you're not controlling, but trusting. Read chapter 5 in the OSSTMM to find out if that is wise for this particular vendor, or not.

Bottom line is that patching interferes with operations and therefore, from a security standpoint, it either has to be controlled or trusted. It is not always true that patching is better than not patching. So I would slightly like to rephrase that statement: "From a security standpoint, thinking is better than not thinking. Period." (Now would it surprise you if I told you that critical thinking is one of the starting points of the OSSTMM?)

Cor Rosielle
Chief Technology Officer

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Thor (Hammer of God)
Sent: Tuesday 18 January 2011 19:39
To: valdis.kletni...@vt.edu; Cal Leeming [Simplicity Media Ltd]
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Getting Off the Patch

>> On Mon, 17 Jan 2011 22:29:13 GMT, Cal Leeming [Simplicity Media Ltd] said:
>>> Most people wouldn't rely solely on patch day to protect their systems/network
>> You're in for a surprise.
>
> One, as Cal pointed out, you cut out the context of what he said/meant. And two, so what if they do? At least they are patching. If security is the goal, then advocate for security in depth. From a security standpoint, patching is better than not patching. Period. If you have controls in place to mitigate exposure, then they should be combined with patching.
>
> Are you taking the position that the level of being surprised at the number of people who only patch dictates that they stop patching and try to successfully implement other controls so they don't have to patch? Playing whack a mole was entertaining, but in all seriousness, your responses to this thread have been confusing to me. Any security model that not only advocates non-patching, but that is designed with the intent of not patching is completely retarded. I defy anyone to provide verifiable evidence to the contrary that is not based on a server and a couple of workstations. Even the self-proclaimed marketing guy who admitted he didn't know how to patch couldn't come up with a single shred of substantiating research to support anything different. Comparing his research to Einstein and general
Re: [Full-disclosure] Getting Off the Patch
I would like to emphasize I was not telling you not to patch at all. I said: "Sometimes patching is the right solution, often it is not." However, I did not explicitly say I was trying to protect our own data/assets and not someone else's.

So when your data is housed elsewhere, then what? Well, in that case you don't have to think about patching yourself. Your provider has to. And since the provider does not have to protect his own data, he can afford to make different considerations. He doesn't have to focus on how his operations are best controlled, because he is not his own operations. So in his case, I would patch. Just to cover my ass. I would even state in my terms and agreements that I would patch, so nobody could blame me that I do.

I wouldn't envy my customers, because they can not fully control all parts of their own operations in this scenario. They simply have to trust me as a provider and I will prove to be trustworthy and keep up to the contract. So if something breaks after patching, they can blame ... well, I actually don't know who they can blame. They can't blame me, because I did what I promised. It is not sure they can blame the vendor, because the patch was tested and proved to work for the majority in the world. Do they need to blame themselves? Nahh. Of course they don't blame themselves. If they can not blame anyone, it's just a case of bad luck. But it's definitely not their fault.

Cor Rosielle
Chief Technology Officer

-----Original Message-----
From: Jeffrey Walton [mailto:noloa...@gmail.com]
Sent: Wednesday 19 January 2011 12:26
To: Cor Rosielle
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Getting Off the Patch

> Sorry about the top post - just one comment
>
>> Bottom line is that patching interferes with operations and therefore,
>
> It's a sad state of affairs when folks put other endeavors, such as uptime, above security. I can't speak for others but I hope my data is not housed at such a shop.
>
> If my data went out the e-door of such a shop, and the shop was not patching, then I would consider the shop's practices grossly negligent. It would be irrelevant to me who claimed it was OK for whatever reason.
>
> Jeff
>
> ... snip ...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Getting Off the Patch
Thor,

Just a small response to make sure I'm not misunderstood. In 2001 I was working with a telecom and internet provider, a large company, and responsible for their internal systems and networks. I was not a CTO in those days. Today I'm a CTO, but in another company, doing security consultancy.

I'm pretty sure (OK, call me arrogant) that if the box ever was hacked, it was not because of this bug that was reported unpatched.

And finally, perhaps in those days I would have seen the OSSTMM as support for my decision (actually ours, because the security manager decided this together with me). Knowing the OSSTMM today helps me understand why the approach back then actually worked. That was no coincidence; it fits in a model. Therefore, today I meant it as an example to explain there are different solutions for a problem. Sometimes it involves sticking out your neck and doing something different than the majority of your peers do. That isn't bad just because it's different. Also, because the OSSTMM approaches security differently from most compliance regulations, it is not bad. The OSSTMM is not a static holy book or a religious kind of conviction. It is a live and dynamic manual. Release 3 is finally there, but next month there will be a discussion about what to change and add in version 4. (If you want to join, check http://www.securityfocus.com/archive/101/515776/30/0/threaded for more details. You can meet me there in real life as well.)

Cor Rosielle

On Wed, 2011-01-19 at 20:01 +, Thor (Hammer of God) wrote:
> When the OP can't even support his own idea, it's probably time for this thread to die. However, I thought about what you said, and it actually serves as an excellent example of why engaging in conversation around this sort of thing is important.
>
> Cor Rosielle wrote:
> <snip>
>> I did not know about the OSSTMM in those days. If I did, I could have explained why patching is not always the best solution: it interferes with your operations.
> </snip>
>
> And thus lies the core purpose of this sort of open standard. You would have liked for the OSSTMM to exist back then NOT because there was value in their approach to security, but because it would give you justification for not doing what you were already not doing. You made a conscious decision not to patch a Windows 2000 box with IIS5 on it even though the radio listed off your company name (about that, what, what is Wikileaks Radio or something?). There is justification now because you say the box never got hacked. Of course, you don't know that, and can never know that. Pursuant to that, put that box up on the internet in the same configuration it was in and post the IP here. I guarantee that you'll only need an egg timer, if that.
>
> Since you already had a clear position of not caring about patching, there would be no need for the OSSTMM to exist for you at all. And as you have stated, if it DID exist, you would have used it purely for justifying your actions. When a CTO assumes that position and identifies the value of that organization to provide a straw-man standard, that is when people who have a better understanding of what security is should speak up.
>
> t
Re: [Full-disclosure] Getting Off the Patch
I am not responding solely on the opinions in the emails. I actually know what is in the OSSTMM.

Let me start by saying that patching is not bad in itself. It can be a good solution. It can even be the only solution. It can also be necessary to patch a piece of software. And the OSSTMM won't tell you different. As Pete's article reads, patching is just a small part of the solution.

One of the things with patches is that people have an urge to apply them. Vic wrote: "... if there is software installed on a system and that software has a known vulnerability and an available patch, any smart resource owner is going to mandate that the patch be applied to mitigate potential risk." Even if we doubt the patch will affect our system, we are often uncertain what will happen if we don't apply the patch. Because we fear the audit, we decide to cover our ass and apply the patch. Not because it will make the system safer, but because it will keep us out of trouble. We even install unnecessary patches, like a fix in mod_ssl where you're not using SSL in the first place. Fear, uncertainty and doubt do not help in being objective about the solution.

Most people don't realize the automated download and installation processes can be attacked. There are even tools available to do so. Through such an attack you might be applying a malicious or poisoned update on 800 of your servers. When you follow the OSSTMM, you see this involves an access and a trust, which both need to be controlled.

Patching is often considered necessary for passing an audit. The bad thing is that auditors often don't understand a bit about security. By identifying controls in several organizations they came up with a list of standards, often called best practices. And then they just check that list to see if your company complies with the security standard. But those best practices are nothing more than a list of safety controls that were used by some other companies, operating under different circumstances than you are and at another time in history. In the best case there is some evidence the control really did provide protection.

The fact is that best practices can have some value. Most of the time it is where people don't care to think about what is best and just want to be compliant with something and pass the audit. Perhaps they do care but don't understand that being compliant is different from being safe and focus on compliance. When you follow the OSSTMM you can get some understanding to see how much a best practice will increase (or decrease) your safety. It can help you to decide to accept risks, simply because the control is more expensive than the damage will be when you don't apply that best practice.

As Pete's article reads, patching is just a small part of the solution. Following the OSSTMM you will get a good idea where the strong and weak spots are in your systems and how to determine that. The method scales perfectly, because it can tell you about the level of safety of a single system, a group of systems belonging together and even all systems in the entire organization, no matter if there are 10, 100, 1000 or more. The OSSTMM is not a list of good or bad things. It is not a list of controls you have to apply and it does not take any decision for you. It just helps you to identify the good and bad things in your environment, how to rate those good and bad things, find the strong and weak areas in protection and assist you in predicting how well a new safety control will actually increase the overall safety.

Cor Rosielle
Chief Technology Officer

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Vic Vandal
Sent: Wednesday 12 January 2011 20:37
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Getting Off the Patch

> While this idea may work in small shops, it won't scale to large ones. There are something like 800 heterogeneous servers where I work. Small clusters of like-purpose servers are allocated to hosting many different processing components that make up the enterprise architecture. Applying purpose-specific hardening is a goal, but one that is extremely difficult to achieve and then maintain.
>
> And at the end of the day if you have a server cluster hosting MS-SQL or Oracle or Apache or IIS or whatever, AND only the necessary listening services are on, AND there is filtering to allow specific source and destination traffic, IF there's an identified vulnerability in any of those available services the machines must be patched to mitigate system and data risk.
>
> Even with services/daemons/etc. that aren't used and have been disabled, you can't rely on them remaining that way. Some newly installed component could require starting them up, or some Sys-Admin could make a configuration mistake and start up some vulnerable service(s). So if there is software installed on a system and that software has
Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?
Hi Thierry,

I agree this is a vulnerability. I also want to clear up an apparent misunderstanding: I don't tell people not to scan with -sV, but to be careful because it is a dangerous switch that is known to sometimes crash devices. When you are testing a target, you have to know your tools and this is one of the characteristics of nmap.

When testing, there are often some alternatives to choose from. And if the objective is to find out if there are any vulnerabilities in a host, then nmap -sV is one of the tools in the toolbox you can use. But if you just want to know the version of SNMP running, like Shang did, you just might want to choose another tool. (I would have used something like:

    for HOST in $(cat file.with.hosts); do snmpget -v 1 -c community-string $HOST sysDescr.0; done

to find out if SNMP v1 was supported).

Regards,
Cor

On Thu, 2010-07-01 at 11:28 +0200, Thierry Zoller wrote:
> Hi Shang,
>
> If this is possible you have found a vulnerability. Any way to remotely cause DoS with special or harmless code is per se a vulnerability. Instead of telling somebody to not scan with -sV you are better off reporting the vulnerability (ies)
>
> Regards,
> Thierry
>
>> During my training classes I always tell the -sV switch is dangerous and known to (sometimes) crash the target.
>> Usually a better tool to test open udp ports is unicornscan, but that doesn't have a switch like -iL. Since you are testing your own devices and you know the community string, you could consider to loop through the list of IP's and snmpget a value from the MIB.
>>
>> Cor
>> sent from a mobile device
>>
>> ----- Original message -----
>> From: Shang Tsung
>> Sent: 30-06-2010 13:03:32
>> Subject: Should nmap cause a DoS on cisco routers?
>>
>> Hello,
>>
>> Some days ago, I had the task to discover the SNMP version that our servers and networking devices use. So I ran nmap using the following command:
>>
>>     nmap -sU -sV -p 161-162 -iL target_file.txt
>>
>> This command was supposed to use UDP to probe ports 161 and 162, which are used for SNMP and SNMP Trap respectively, and return the SNMP version.
>> This innocent command caused most networking devices to crash and reboot, causing a Denial of Service attack and bringing down the network.
>>
>> Now my question is.. Should this have happened? Can nmap bring the whole network down from one single machine?
>> Is this a configuration error of the networking devices?
>>
>> This is scary...
>>
>> Shang Tsung
>>
>> This list is sponsored by: Information Assurance Certification Review Board
>> Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
>> http://www.iacertification.org
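An added example, not from the thread, that extends Cor's one-line snmpget loop into a gentler inventory script: one read-only request per SNMP version per host, a short timeout and no retransmissions, so a device that is already struggling is not hammered the way the nmap -sV run in this thread hammered Shang's routers. It assumes net-snmp's snmpget is installed; the hosts file (one host per line) and the read-only community string are assumptions passed as arguments.

```shell
#!/bin/sh
# Added example (not the thread's own code): find out which SNMP versions
# our own devices answer to, using one read-only snmpget of sysDescr.0
# per version per host instead of nmap -sV.
# Assumptions: net-snmp's snmpget is installed; $1 is a hosts file with
# one host per line; $2 is the read-only community string.

HOSTS_FILE=${1:-file.with.hosts}
COMMUNITY=${2:-public}
TIMEOUT=2        # seconds to wait for a single reply
VERSIONS="1 2c"  # SNMPv3 uses users/credentials, not a community, so it is out of scope here

# Interpret one snmpget attempt from its exit status and its combined
# stdout/stderr.  Prints exactly one of: supported, no-response, error.
classify_snmp_result() {
    status=$1
    output=$2
    if [ "$status" -eq 0 ] && ! printf '%s\n' "$output" | grep -q 'No Such'; then
        echo supported      # agent answered the request for sysDescr.0
    elif printf '%s\n' "$output" | grep -qi 'timeout'; then
        echo no-response    # net-snmp prints "Timeout: No Response from <host>"
    else
        echo error          # e.g. unknown host, bad community, missing MIB
    fi
}

# One gentle probe: -r 0 means no retransmissions, -t limits the wait,
# so a device gets at most one packet per version from this script.
probe_version() {
    host=$1
    version=$2
    out=$(snmpget -v "$version" -c "$COMMUNITY" -t "$TIMEOUT" -r 0 "$host" sysDescr.0 2>&1)
    classify_snmp_result "$?" "$out"
}

# Walk the hosts file, skipping blank lines and '#' comments, and print
# one line per host: "<host> v1=<result> v2c=<result>".
scan_hosts() {
    while IFS= read -r host || [ -n "$host" ]; do
        case $host in ''|\#*) continue ;; esac
        line=$host
        for v in $VERSIONS; do
            line="$line v$v=$(probe_version "$host" "$v")"
        done
        echo "$line"
    done < "$HOSTS_FILE"
}

if [ -r "$HOSTS_FILE" ]; then
    scan_hosts
else
    echo "usage: $0 hosts-file [community]" >&2
fi
```

A host that answers on neither version is reported as no-response, not as "no SNMP": an ACL on the device or a wrong community string gives the same silence, which is why the agent's answer and not the absence of a crash is the evidence here.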
Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?
All,

Robert Lee (a good friend of the late Jack Louis, the author of unicornscan) explained to me that unicornscan does support a function like -iL does in nmap. Just supply the name of the file with hosts as an argument:

    unicornscan filename

It is as easy as that. Thanks again for explaining, Robert.

Cor

On Thu, 2010-07-01 at 05:41 +, c...@outpost24.com wrote:
> During my training classes I always tell the -sV switch is dangerous and known to (sometimes) crash the target.
> Usually a better tool to test open udp ports is unicornscan, but that doesn't have a switch like -iL. Since you are testing your own devices and you know the community string, you could consider to loop through the list of IP's and snmpget a value from the MIB.
>
> Cor
> sent from a mobile device
>
> ...snip...
Re: [Full-disclosure] No anti-virus software? No internet connection
> ...snip...
> The product that fails miserably, throughout the year(s?), should be declared unfit for purpose ...like expired food which is harmful for health.

Basically it is an interesting thought. I see a challenge though. Is 3 failures per year miserable? Or should we raise the limit to 10? Or lower it to 1? You get the point. The criterion to determine if a product fails miserably is not a fact, but a decision. Comparing it with expired food: I throw away food before the expiration date because I can see the fungus on it and decide it is not safe to eat. On the other hand I consume food way after the expiration date because it is perfectly fine food. This error margin is caused by the statistics behind the expiration date: be on the safe side and prefer the chance of throwing away good food over the chance of accepting bad food.

> If it's a technological problem overall, maybe they should move to application white-listing or something better...

Sure, awareness and thinking is better. But some people don't think, and then technological measures are about all the protection they really have.

> thanks,
> -bipin

Cor
Re: [Full-disclosure] No anti-virus software? No internet connection
I recognize that. You'll learn fast to turn off your anti virus software when you want to use cain, netcat and a lot more. The anti virus software doesn't only protect you against attacks, but it also prevents you from attacking others.

Cor

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Jan Schejbal
Sent: Wednesday 23 June 2010 19:24
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] No anti-virus software? No internet connection

> On 22.06.2010 17:16, Paul Schmehl wrote:
>> Yes, you should use antivirus software if you're running windows
>
> Nope. For regular users clicking every link and using firefox and office and nothing else, maybe. But for somewhat experienced people with a large toolset on the machine: NO!
>
> Approximately once a month I had to persuade the AV vendor that they REALLY need to check if some tool is a false positive. It always was. The most annoying part was when the MS malware removal tool had a false-positive and deleted without asking.
>
> It would be interesting to compare the damage actually avoided by virus scanners to the damages and costs they cause (including false-positives wiping out system files, the hassle with updates/deployment and the cost of the products).
>
> Regards,
> Jan
> --
Re: [Full-disclosure] No anti-virus software? No internet connection
Brilliant thinking. Let's install anti virus and increase the computer's attack surface without further thinking. That must be safe because politicians tell us to do so. And we all know that politicians always tell the truth and happen to know a lot about PCs and security. Sigh.

Tom has a point that end-users must take some responsibility for their own computer, but that doesn't mean that anti virus is the one and only solution. But if you think anti virus is the silver bullet to make this world safer, then dream your dreams and I'll dream mine.

Cor

From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Christian Sciberras
Sent: Tuesday 22 June 2010 10:56
To: Tom Grace
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] No anti-virus software? No internet connection

> I completely agree with Tom. A good fraction of all vulns out there rely on the user taking the wrong action, and it's way common (just face the truth). How many people install cracked OSes? I was once incredulous that a person willingly installed a virus because he claimed it was harmless (while the anti-virus shouted trojan).
>
> Sometimes I get to fix people's computers. I'm always amazed by the amount of crap I get in contact with. Hundreds of browser toolbars, antiviruses, shareware, adware, trials, torrent clients, media players etc. That's not counting the local IT shops which format PCs, replacing (typically) Windows OS with a cracked one.
>
> On Tue, Jun 22, 2010 at 9:42 AM, Tom Grace t...@deathbycomputers.co.uk wrote:
>> In a way having a requirement that end-users take some responsibility for their own computer is a good thing. Similar to prosecuting people for fraud if they fall for one of the cash scams.
>>
>> On 06/22/2010 05:37 AM, Ivan . wrote:
>>> yep, your tax $$$ at work
>>> Don't forget their Internet filter as well..
>>> With these rocket scientists running the show, what's there to worry about
>>> http://blogs.news.com.au/techblog/index.php/news/comments/finally_theres_protection_against_spams_and_scams
>>>
>>> On Tue, Jun 22, 2010 at 2:32 PM, Jubei Trippataka vpn.1.fana...@gmail.com wrote:
>>>> They had a committee working on this for a year and that's the best they could come up with? HAHAHAHA.
>>>> Belinda Neal - With idiots like you and your colleagues tackling this issue, tax payers deserve to burn you at the stake.
>>>> BTW... are you really a du0d?
>>>>
>>>> --
>>>> ciao
>>>> JT
Re: [Full-disclosure] No anti-virus software? No internet connection
Believe it or not, I do use anti virus on my Windows machine at home and even accept automatic updates (although McAfee proved this is a serious threat). But anti virus is only the second line of defense, or the third. The first line of defense is to think before you launch a file. If a file is unexpected, then I simply don't trust it. On several occasions this prevented virus infection with an up to date AV-scanner (Symantec - I put the file in a folder to further explore it after some days and then the AV-scanner did recognize the virus). AV software does fail too.

For any home user who doesn't think or doesn't care, AV-software is probably a good starting point to give some limited protection for Windows systems. But such a home user should realize he/she also runs a risk when running AV-software and might experience a false sense of security. And if they don't think or don't care, they should think twice before complaining when it turns out bad. For any home user who does think or does care, AV-software can be a good addition to protect Windows systems, but that is not guaranteed. Realize that sometimes the cure is worse than the disease and also that malicious anti virus software does exist.

Anti virus is not bad by definition. It is neither good by definition. And I repeat: Tom has a point that end-users must take some responsibility for their own computer. I just regret politicians make a lot of fuss about legislation that only helps a bit in some cases and invite civilians to lean backward and believe they are secure because they have followed the rules.

Cor

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Tom Grace
Sent: Tuesday 22 June 2010 11:29
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] No anti-virus software? No internet connection

> What would you advise a typical home user do to stay virus/trojan/other shit free? Working on the assumption that they can't tell the difference (and really, shouldn't have to) between dangerous and safe files. AV software is pretty lacking, and the best advice I can think to give users is that everyone on the Internet is out to get you
>
> Tom
>
> On 06/22/2010 10:11 AM, Cor Rosielle wrote:
>> Brilliant thinking. Let's install anti virus and increase the computer's attack surface without further thinking. That must be safe because politicians tell us to do so. And we all know that politicians always tell the truth and happen to know a lot about PCs and security. Sigh.
>>
>> Tom has a point that end-users must take some responsibility for their own computer, but that doesn't mean that anti virus is the one and only solution. But if you think anti virus is the silver bullet to make this world safer, then dream your dreams and I'll dream mine.
>>
>> Cor
>>
>> ...snip...
Re: [Full-disclosure] Why the IPS product designers concentrate on server side protection? why they are missing client protection
Nelson,

> You're missing one point: Host IPS MUST be deployed with any Network Security (Firewalls or NIPSs).

Please be aware this is a risk decision and not a fact. I don't use a host IPS and no anti virus either. Still I'm sure my laptop is perfectly safe. This is because I do critical thinking about security measures and don't copy the behavior of others (who often don't think for themselves and just copy other people's behavior). Please note I'm not saying you're not thinking. If you did some critical thinking and a host IPS is a good solution for you, then that's OK. It just doesn't mean it is a good solution for everybody else and everybody MUST deploy a host IPS.

> No security solution/technology is the miracle protection alone,

That's true.

> so that's the reason everybody is talking about defense in depth.

Defense in depth is often used for another line of a similar defense mechanism as the previous one already was. Different layers of defense work best if the defense mechanisms differ. So if you're using anti virus software (which gives you an authentication control and an alarm control according to the OSSTMM), then a host IDS is not the best additional security measure (because this also gives you an authentication and an alarm control). This would also be a risk decision, but based on facts and the rules defined in the OSSTMM and not based on some marketing material. You should give it a try.

Regards,
Cor Rosielle
w: www.lab106.com
Re: [Full-disclosure] Why the IPS product designers concentrate on server side protection? why they are missing client protection
Nelson,

I put my comments inline as well.

Regards,
Cor

...snip...

>>> Nelson,
>>> You're missing one point: Host IPS MUST be deployed with any Network Security (Firewalls or NIPSs).
>>
>> Please be aware this is a risk decision and not a fact. I don't use a host IPS and no anti virus either. Still I'm sure my laptop is perfectly safe. This is because I do critical thinking about security measures and don't copy the behavior of others (who often don't think for themselves and just copy other people's behavior). Please note I'm not saying you're not thinking. If you did some critical thinking and a host IPS is a good solution for you, then that's OK. It just doesn't mean it is a good solution for everybody else and everybody MUST deploy a host IPS.
>
> That's so 1990! NIPS and/or Firewall just protect you if you're inside the borders... But, come on. Who doesn't have a laptop nowadays? So, multiple protection layers are better than none, anyways.

Even one layer is better than none :-). Multiple layers are even better, especially when they are different types of protection. But applying security without thinking is bad. Even if you have enough money and hardware to spend, you should at least think about the balance between the amount of security you get and the amount of risk you run when installing another piece of software. Then you can decide if it is worth the money or hardware you need to spend.

> You have choices when adopting a security posture or, if you prefer, risk posture. I believe that it's quite difficult and almost impossible to stay updated with all the threats, due to the exponential growth of them.

You have a point here. That's why it is better not to base security on defenses against known and existing threats alone, but to use defense mechanisms that protect you both against known and existing threats and against unknown and future threats as well. I can't help mentioning the OSSTMM again, because this is pretty much what it is about.

>>> No security solution/technology is the miracle protection alone,
>>
>> That's true.
>>
>>> so that's the reason everybody is talking about defense in depth.
>>
>> Defense in depth is often used for another line of a similar defense mechanism as the previous one already was. Different layers of defense work best if the defense mechanisms differ. So if you're using anti virus software (which gives you an authentication control and an alarm control according to the OSSTMM), then a host IDS is not the best additional security measure (because this also gives you an authentication and an alarm control).
>
> Woowoo.. I cannot agree with you, because AV has nothing to do with protecting the end-point against network attacks. AV will alert and protect only when the threat has already reached your end-point. Besides, there are other layers, such as: buffer overflow protection inside HIPS. Look that I am not talking about IDS. 8)

Sure you're right about that. There are a lot of other threats AV doesn't protect you from. Just like an IPS doesn't protect you against all threats. But that doesn't mean it is a wise decision to install each and every piece of security software you can get, because software comes with costs and risks too. This is true for IPSs too.

>> This would also be a risk decision, but based on facts and the rules defined in the OSSTMM and not based on some marketing material. You should give it a try.
>
> It always is a risk decision, and I'm not basing MHO on any standard, that's based on my background... And, AFAIK, nobody can expect that users and/or server systems will be able to apply all or any update in a huge environment.

Of course you don't have to agree, but I think it is better to be critical about the software you install. And if you don't agree and would rather spend your money on things that were useful for someone else at another time and under different circumstances, then just do that. But I wish you wouldn't write that others must (you wrote it even in capitals) deploy an IPS.
Regards,
Cor