Re: Whitelisting

2012-04-14 Thread Kurt Buff
On Sat, Apr 14, 2012 at 08:10, Alex Eckelberry  wrote:
> I'm curious, what's the general feeling about whitelisting?  As a
> former AV guy, I tend to prefer blacklisting, but I'm seeing signs things 
> might be changing.
>
> Thoughts?

http://www.ranum.com/security/computer_security/editorials/dumb/
Numbers 1 and 2, for this discussion, but everyone should take to
heart all of them.

Kurt

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin



Re: Whitelisting

2012-04-14 Thread Rankin, James R
Interesting to see what mitigation can be done against data file exploits other 
than AV and patching. Might have a look into this a bit closer.

---Blackberried

-Original Message-
From: "Crawford, Scott" 
Date: Sat, 14 Apr 2012 17:48:46 
To: NT System Admin Issues
Reply-To: "NT System Admin Issues" 
Subject: RE: Whitelisting

Good question, but it's MUCH easier than whitelisting all good data files.

I would expect the blacklist scanner to look for signatures of application 
exploits.

Sent from my Windows Phone

From: Rankin, James R
Sent: 4/14/2012 12:25 PM
To: NT System Admin Issues
Subject: Re: Whitelisting

How do you blacklist all possible bad data files?
--Original Message--
From: Crawford, Scott
To: NT System Admin Issues
ReplyTo: NT System Admin Issues
Subject: RE: Whitelisting
Sent: 14 Apr 2012 18:02

A combination is needed. Whitelisting for traditional executable code and 
blacklisting for data files that exploit vulnerable whitelisted applications.

-Original Message-
From: Alex Eckelberry [mailto:a...@eckelberry.com]
Sent: Saturday, April 14, 2012 10:10 AM
To: NT System Admin Issues
Subject: Whitelisting

I'm curious, what's the general feeling about whitelisting?  As a former
AV guy, I tend to prefer blacklisting, but I'm seeing signs things might be 
changing.

Thoughts?


RE: Whitelisting

2012-04-14 Thread Crawford, Scott
Good question, but it's MUCH easier than whitelisting all good data files.

I would expect the blacklist scanner to look for signatures of application 
exploits.

Sent from my Windows Phone

From: Rankin, James R
Sent: 4/14/2012 12:25 PM
To: NT System Admin Issues
Subject: Re: Whitelisting

How do you blacklist all possible bad data files?
--Original Message--
From: Crawford, Scott
To: NT System Admin Issues
ReplyTo: NT System Admin Issues
Subject: RE: Whitelisting
Sent: 14 Apr 2012 18:02

A combination is needed. Whitelisting for traditional executable code and 
blacklisting for data files that exploit vulnerable whitelisted applications.

-Original Message-
From: Alex Eckelberry [mailto:a...@eckelberry.com]
Sent: Saturday, April 14, 2012 10:10 AM
To: NT System Admin Issues
Subject: Whitelisting

I'm curious, what's the general feeling about whitelisting?  As a former
AV guy, I tend to prefer blacklisting, but I'm seeing signs things might be 
changing.

Thoughts?

Re: Whitelisting

2012-04-14 Thread Rankin, James R
How do you blacklist all possible bad data files?  
--Original Message--
From: Crawford, Scott
To: NT System Admin Issues
ReplyTo: NT System Admin Issues
Subject: RE: Whitelisting
Sent: 14 Apr 2012 18:02

A combination is needed. Whitelisting for traditional executable code and 
blacklisting for data files that exploit vulnerable whitelisted applications.

-Original Message-
From: Alex Eckelberry [mailto:a...@eckelberry.com] 
Sent: Saturday, April 14, 2012 10:10 AM
To: NT System Admin Issues
Subject: Whitelisting

I'm curious, what's the general feeling about whitelisting?  As a former
AV guy, I tend to prefer blacklisting, but I'm seeing signs things might be 
changing.  

Thoughts? 
---Blackberried

RE: Whitelisting

2012-04-14 Thread Crawford, Scott
A combination is needed. Whitelisting for traditional executable code and 
blacklisting for data files that exploit vulnerable whitelisted applications.

-Original Message-
From: Alex Eckelberry [mailto:a...@eckelberry.com] 
Sent: Saturday, April 14, 2012 10:10 AM
To: NT System Admin Issues
Subject: Whitelisting

I'm curious, what's the general feeling about whitelisting?  As a former
AV guy, I tend to prefer blacklisting, but I'm seeing signs things might be 
changing.  

Thoughts? 

RE: Whitelisting

2012-04-14 Thread Ben M. Schorr
Same reason that blacklisting doesn't work for spam prevention either - 
spammers just find ways around the lists and it turns into a constant battle of 
trying to quickly blacklist the new terms/addresses only to find that the bad 
guys change them as fast as you can blacklist them.

Ben M. Schorr
Roland Schorr & Tower
www.rolandschorr.com | www.officeforlawyers.com | Twitter: @bschorr

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Saturday, April 14, 2012 9:07
To: NT System Admin Issues
Subject: Re: Whitelisting

On Sat, Apr 14, 2012 at 11:10 AM, Alex Eckelberry  wrote:
> I'm curious, what's the general feeling about whitelisting?  As a
> former AV guy, I tend to prefer blacklisting, but I'm seeing signs things 
> might be changing.

  IMNSHO: Tightly controlling what software can be run will always be far more 
effective than trying to identify every possible bad thing in the world.  The 
hard part is usually doing it.  Many orgs don't have good software management.  
The small ones can't afford it, and the large ones find the problem too hard to
coordinate.

-- Ben




Re: Whitelisting

2012-04-14 Thread Ben Scott
On Sat, Apr 14, 2012 at 11:10 AM, Alex Eckelberry  wrote:
> I'm curious, what's the general feeling about whitelisting?  As a
> former AV guy, I tend to prefer blacklisting, but I'm seeing signs things 
> might be changing.

  IMNSHO: Tightly controlling what software can be run will always be
far more effective than trying to identify every possible bad thing in
the world.  The hard part is usually doing it.  Many orgs don't have
good software management.  The small ones can't afford it, and the
large ones find the problem too hard to coordinate.

-- Ben




Re: Whitelisting

2012-04-14 Thread Rankin, James R
Whitelisting (or greylisting) is the only way forward. Malware evolves too fast 
for blacklisting ever to be effective. There are also programs not listed as 
malware that are still malicious to some degree, and blacklisting can never 
protect against these.

--Original Message--
From: Alex Eckelberry
To: NT System Admin Issues
ReplyTo: NT System Admin Issues
Subject: Whitelisting
Sent: 14 Apr 2012 16:10

I'm curious, what's the general feeling about whitelisting?  As a former
AV guy, I tend to prefer blacklisting, but I'm seeing signs things might be 
changing.  

Thoughts? 

---Blackberried



RE: Whitelisting

2012-04-14 Thread Michael B. Smith
I think whitelisting is the right direction.

-Original Message-
From: Alex Eckelberry [mailto:a...@eckelberry.com] 
Sent: Saturday, April 14, 2012 11:10 AM
To: NT System Admin Issues
Subject: Whitelisting

I'm curious, what's the general feeling about whitelisting?  As a former
AV guy, I tend to prefer blacklisting, but I'm seeing signs things might be 
changing.  

Thoughts? 

Whitelisting

2012-04-14 Thread Alex Eckelberry
I'm curious, what's the general feeling about whitelisting?  As a former
AV guy, I tend to prefer blacklisting, but I'm seeing signs things might be 
changing.  

Thoughts? 


RE: Hooray, I'm moving to VMware!

2012-04-14 Thread Ken Schaefer
The DL380 G8 series will be shipping within the month. You may wish to look at 
that as well.

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonmobility.com]
Sent: Friday, 13 April 2012 11:39 PM
To: NT System Admin Issues
Subject: Hooray, I'm moving to VMware!


Just got the ok to move forward with VMware/Citrix/Domain upgrade.

I have 10 physical servers, and it looks like this will be the solution:

3 hosts: ($21k each)

HP DL380 G7 E5660

Pair of 146 15k drives mirrored

196 G RAM <- this was $45k alone

Quad port gig adapter

2 Switches: ($1,800 each)

HP 2910

1 SAN ($22,700)

NetApp 2240

12 x 600GB

VSphere Essentials Plus ($5,200)

6 Windows licenses ($13,600):

Server 2008 Datacenter

Windows/Xenapp licenses ($26,000)

$40k services

Install/config SAN, switches, hosts, VMware, new Citrix farm, 2008 Domain 
upgrade, P2V existing servers

Total: $185,000
