Focus on Virus
RE: Virus Outbreak Attacking MS05-039 Aug 16 2005 05:00PM
Ziots, Edward (EZiots Lifespan org)
Yes,

This is one of the sticky points that usually gets everyone. I would really
like to see Microsoft and Cisco make the promise of the sandbox functionality
with the mating of their technologies a reality, so basically you can't go
anywhere on the host network unless you are first scanned by a host system
and apply patches, AV updates, etc. as required; if you fail to do it,
then you are put into a sandbox network which doesn't have access to anything
but the update site. Again, I have not really seen that come to fruition in which it
can really be used in a healthcare environment and work as expected, but
when it does it will be the step in the right network.

PS: No offense taken, it's just hard to lump most security admins into one
type or another, that is all.

EZ

Edward Ziots
Network Engineer
Windows/Citrix Administrator
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA, Security +, Network +
eziots (at) lifespan (dot) org [email concealed]
401-639-3505 (Cell)
401-444-6926 (Office)
401-350-5284 (Pager)

-----Original Message-----
From: Chris Wensink [mailto:chris.wensink (at) gmail (dot) com [email concealed]]
Sent: Tuesday, August 16, 2005 12:53 PM
To: Ziots, Edward
Cc: focus-virus (at) securityfocus (dot) com [email concealed]
Subject: Re: Virus Outbreak Attacking MS05-039

Edward,

I didn't mean to offend you, or the way that you defend your network.
From the sound of things, I'd say you have a good handle on security.
Your layered approach is right on target to protect your network.

Have you implemented any form of VPN security, to add a layer of
security by segmenting network nodes, so that in the off chance of an
attack, one could limit the depth of the attack based on the
communication / restrictions of those portions?

Chris

On 8/16/05, Ziots, Edward <EZiots (at) lifespan (dot) org [email concealed]> wrote:
> Chris,
>
> NO offense but I am the security admin for my network, and we implement
> defense in depth and system level hardening at the OS core and working
> outwards to the firewall and DMZ and internet router, so as to take a
> layered approach. It's more work, but if planned and implemented properly it
> makes it that much harder to crack each layer of security to get to the OS
> just to find out it's patched and all the functionality you thought you were
> going to exploit doesn't work. To say that many security admins implement a
> hard core soft shell model is a little off base. I would almost say these
> days it takes a hard core, harder shell approach in which the firewall is
> only 1st level of defense not the last, this is followed up by IPS and IDS,
> Honeypots, system level access hardening, and vulnerability scanning to
> validate the system level access hardening (Retina, ISS, Foundstone,
> Metasploit (one of my faves)). A comprehensive patch management solution and
> AV solution, along with continuously monitoring the changes and controlling
> what comes into and goes out of your network. The other area that tends to
> put the Swiss-cheese holes in your security plan are the FDA regulated and
> vendor controlled systems, but these have been a thorn in my side ever since
> I have been in my position and usually neither of these entities get the
> idea of security or know what to do sometimes to comply with an
> organization's security policy. (Note: I will not name names of companies
> that have a track record of poorly implemented and insecure systems which
> they tout to their customers as cutting-edge healthcare systems, but trust
> me, you see their ads all the time on TV; just connect the dots and you will
> figure out whom I am talking about.) I work on a network with over 300+
> Servers 7000 workstations and 4 locations, so getting this right is no
> trivial matter and it's not something you implement over-night.
>
> Just my point of view feel free to chime in,
>
> Edward Ziots
> Network Engineer
> Windows/Citrix Administrator
> Lifespan Organization
> MCSE,MCSA,MCP+I,M.E,CCA, Security +, Network +
> eziots (at) lifespan (dot) org [email concealed]
> 401-639-3505 (Cell)
> 401-444-6926 (Office)
> 401-350-5284 (Pager)
>
>
> -----Original Message-----
> From: Chris Wensink [mailto:chris.wensink (at) gmail (dot) com [email concealed]]
> Sent: Monday, August 15, 2005 6:10 PM
> To: meni (at) menimilstein (dot) com [email concealed]
> Cc: focus-virus (at) securityfocus (dot) com [email concealed]
> Subject: Re: Virus Outbreak Attacking MS05-039
>
>
> Many security admins continually implement a 'hard core, soft shell'
> model, which causes many of these types of vulnerabilities to spread.
> If at all possible, one of the best solutions to limit the range of
> attack, I believe, is to separate any necessary MS boxes into small
> subdomains / virtual domains protected by caching proxy boxes running
> inexpensive OSes such as ClarkConnect. Once that level of protection
> is in place, along with a corporate solution for patching machines /
> updating virus definitions on a daily basis. Just my 2 cents.
>
> Chris
>
> On 8/15/05, Mike <mjcarter (at) ihug.co (dot) nz [email concealed]> wrote:
> > I don't believe you can exploit MS05-039 on anything other than 445. Note
> > that this thing doesn't spread via 445; it gains access through the exploit
> > to start an FTP session and spreads via FTP. Of course it's always possible
> > that the virus switches to a different vulnerability, it does have the
> > ability to update but then we would be talking about a new variant.
> >
> > Mike
> >
> > -----Original Message-----
> > From: Meni Milstein [mailto:meni (at) menimilstein (dot) com [email concealed]]
> > Sent: Tuesday, August 16, 2005 7:08 AM
> > To: 'Ziots, Edward'; 'Mike'
> > Cc: focus-virus (at) securityfocus (dot) com [email concealed]
> > Subject: RE: Virus Outbreak Attacking MS05-039
> >
> > Wow... what I meant to bring up was the question whether there was some
> > other way this thing is spreading OTHER than 445 TCP.
> >
> > Meni.
> >
> >
> > -----Original Message-----
> > From: Ziots, Edward [mailto:EZiots (at) Lifespan (dot) org [email concealed]]
> > Sent: Monday, August 15, 2005 7:58 PM
> > To: 'Meni Milstein'; 'Mike'
> > Cc: focus-virus (at) securityfocus (dot) com [email concealed]
> > Subject: RE: Virus Outbreak Attacking MS05-039
> >
> > Well, think of other avenues of attack: VPN, dial-up, unpatched systems being
> > connected to your systems by vendors, just many many ways around the fun
> > "firewall will protect us from everything"
> >
> > Z
> >
> > Edward Ziots
> > Network Engineer
> > Windows/Citrix Administrator
> > Lifespan Organization
> > MCSE,MCSA,MCP+I,M.E,CCA, Security +, Network +
> > eziots (at) lifespan (dot) org [email concealed]
> > 401-639-3505 (Cell)
> > 401-444-6926 (Office)
> > 401-350-5284 (Pager)
> >
> >
> > -----Original Message-----
> > From: Meni Milstein [mailto:meni (at) menimilstein (dot) com [email concealed]]
> > Sent: Monday, August 15, 2005 2:00 PM
> > To: 'Mike'
> > Cc: focus-virus (at) securityfocus (dot) com [email concealed]
> > Subject: RE: Virus Outbreak Attacking MS05-039
> >
> >
> > As far as I know, if you are firewalled correctly and have your 445 tcp port
> > shut to the outside - this thing should NOT be able to get in.
> > Am I wrong?
> >
> > Meni Milstein.
> > http://www.lcs-guides.com
> >
> >
> >
> > -----Original Message-----
> > From: Mike [mailto:mjcarter (at) ihug.co (dot) nz [email concealed]]
> > Sent: Monday, August 15, 2005 3:41 PM
> > To: focus-virus (at) securityfocus (dot) com [email concealed]
> > Subject: Virus Outbreak Attacking MS05-039
> >
> > Hi List,
> > Yesterday one of my customers was hit hard by what appears to be a variant
> > of zotob.
> > http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.b.html
> >
> > This one was very noisy, crashing services.exe and forcing re-boots on
> > unpatched WIN2K machines. The boxes we've had a chance to look at were not
> > infected, but were unpatched. We hope to have samples today from the same
> > network and have a closer look.
> >
> > It's time to get patching!
> >
> > Regards
> > Mike
> >
> > Mike
> >
> > Information Security and Logistics
> > www.infosec.co.nz
> >
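Two points in the thread combine into a simple log check: Mike's note that this variant gets in over TCP/445 and then pulls its payload over an FTP session, and Edward's point that a border block on 445 does nothing for traffic that never crosses the border. The code below is an added example, not something from the thread or from any of its posters; it assumes a constructed firewall log format and that 10.0.0.0/8 is the internal address space.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (not from the thread); the line format is assumed.
SAMPLE_LOG = """\
2005-08-15T09:12:01 ALLOW TCP 203.0.113.7:3311 -> 10.1.4.22:445
2005-08-15T09:12:03 ALLOW TCP 10.1.4.22:1041 -> 203.0.113.7:21
2005-08-15T09:13:10 ALLOW TCP 10.1.4.22:1042 -> 10.1.4.23:445
2005-08-15T09:13:12 ALLOW TCP 10.1.4.23:1055 -> 10.1.4.22:21
2005-08-15T09:20:00 ALLOW TCP 10.1.9.5:2200 -> 10.1.4.30:445
2005-08-15T09:45:00 ALLOW TCP 10.1.4.30:3001 -> 10.1.9.5:21
"""
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed site address space
LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) TCP (\S+):(\d+) -> (\S+):(\d+)$")

def parse(text):
    """Parse log lines into (time, action, src, sport, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, action, src, sport, dst, dport = m.groups()
            events.append((datetime.fromisoformat(ts), action, src, int(sport), dst, int(dport)))
    return events

def zotob_candidates(events, window=timedelta(minutes=5)):
    """Hosts that accepted TCP/445 from a peer and then opened TCP/21 back to that
    same peer within `window` (exploit, then FTP fetch). Returns (victim, attacker, t_445, t_ftp)."""
    inbound_445 = defaultdict(list)  # (victim, attacker) -> times of accepted 445 connections
    for ts, action, src, _, dst, dport in events:
        if action == "ALLOW" and dport == 445:
            inbound_445[(dst, src)].append(ts)
    hits = []
    for ts, action, src, _, dst, dport in events:
        if action != "ALLOW" or dport != 21:
            continue
        # the FTP client is the earlier 445 victim, the FTP server is the earlier 445 source
        for t_445 in inbound_445.get((src, dst), []):
            if timedelta(0) <= ts - t_445 <= window:
                hits.append((src, dst, t_445, ts))
                break
    return hits

def classify(hits):
    """'perimeter' if the attacker is outside INTERNAL (what a border 445 block would
    stop), 'lateral' if it is another inside host (what it would not)."""
    return [(v, a, "lateral" if ipaddress.ip_address(a) in INTERNAL else "perimeter")
            for v, a, _, _ in hits]
```

On the constructed log, 10.1.4.22 is first hit from outside and then hits 10.1.4.23 itself, which a perimeter-only 445 rule would never see; the third pair is too far apart in time to count.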
