Re: [ISN] ISS hatches 'virtual patching' plan (Three messages)

From: InfoSec News (isnat_private)
Date: Wed May 28 2003 - 00:30:18 PDT


    [Due to some technical problems beyond our control, the editing of 
    these messages might be a little munged, along with the PGP signature 
    on the last reply.  - WK]
    
    
    Forwarded from: Michael J. Reeves <michaeljreevesat_private>
    
    This brings up an interesting point regarding add-on software.
    
    HOW much attention is paid to the alerts and logs???
    
    The other day, I d/l'd a file and saved it. My Firewall and Anti-Virus
    did NOT detect any problem with the file. I opened it expecting one
    thing, and nothing appeared to happen. Closer examination revealed
    that it was a *.SCR file. Missed that!!!
    
    My firewall notified me that a NEW program was trying to access the
    internet, and asked should I "BLOCK" access. This sent up a "RED-FLAG"  
    for me!!! I instructed it to establish the BLOCK-RULE, and proceeded
    to investigate.
    
    Turned out it was a new variation of an old trojan,
    BACKDOOR.LITMUS.203. Having some experience with this stuff, I
    rebooted the system from a boot disk, moved the suspected files (now
    2) into a safe subdirectory, and rebooted the system. I, then,
    searched the REGISTRY and *.INI files for entries referring to these
    files and deleted them.
    
    I submitted the files to my Anti-Virus publisher for analysis with the
    results noted previously as to the trojan. They are now updating their
    definitions files.
    
    The one thing that my Anti-Virus program did NOT do was to CHECK the
    REGISTRY for entries indicative of KNOWN virus and/or trojans. Perhaps
    this should be suggested???
    
        IMHO....
    
        MJR
    
    
    InfoSec News wrote:
    
    
    > http://www.nwfusion.com/news/2003/0526isspatch.html
    >
    > By Ellen Messmer
    > Network World Fusion
    > 05/26/03
    >
    > Internet Security Systems is readying technology it says could
    > benefit companies fed up with current patch management techniques.
    >
    > More precisely, ISS will enable its vulnerability-assessment scanner
    > to gang up with its network- and host-based intrusion-detection
    > systems (IDS) to stop newly discovered attacks or worms that could
    > damage unprotected servers or desktops on enterprise networks.
    
    
    Michael J. Reeves, AA, ASc
    MJR Consulting Services
    Sacramento, California 95842
    E-Mail: michaeljreevesat_private
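The gap Michael describes, an anti-virus product that never looked at the registry or the legacy *.ini files for entries pointing at the dropped files, is the kind of check an administrator can script. The following is an added example, not the poster's own procedure or tooling: it audits the classic Windows autostart locations (the Run/RunOnce/RunServices keys and the win.ini `run=`/`load=` and system.ini `shell=` lines) and flags any entry that references a file from a suspect list, or that launches a `*.scr` file from an autorun location, the disguise the post mentions. It works on a decoded `reg export` text and on ini text so it runs offline on any platform; the registry export, the ini contents and the file names `msgsvc.scr` and `ltm203.exe` are all constructed for the demo and are not real indicators.

```python
"""Audit Windows autostart locations for entries that reference suspect files.

Added example (not the poster's tooling). Input is the text of a .reg export
(already decoded from the UTF-16 that `reg export` writes) plus the text of
win.ini / system.ini; the sample data at the bottom is constructed.
"""
import configparser
import re
from typing import Dict, List, Tuple

Entry = Tuple[str, str, str]  # (location, value name, command line)

# Autostart keys an anti-virus product of that era might not inspect.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
# Legacy ini keys that also launch a program at logon.
INI_KEYS = {"win.ini": [("windows", "run"), ("windows", "load")],
            "system.ini": [("boot", "shell")]}

_SCR = re.compile(r"\.scr\b", re.IGNORECASE)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax needed here: [key] headers and
    "name"="value" / @="value" lines. Returns {key: {name: value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            name = name.strip().strip('"') or "@"
            value = value.strip()
            if value.startswith('"') and value.endswith('"'):
                # .reg files escape backslashes inside string values
                value = value[1:-1].replace("\\\\", "\\")
            keys[current][name] = value
    return keys


def ini_autoruns(name: str, text: str) -> List[Entry]:
    """Return the autostart lines of one ini file (empty values skipped)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    found: List[Entry] = []
    for section, key in INI_KEYS.get(name.lower(), []):
        if cp.has_option(section, key) and cp.get(section, key).strip():
            found.append((f"{name} [{section}]", key, cp.get(section, key)))
    return found


def autorun_entries(reg_text: str, ini_files: Dict[str, str]) -> List[Entry]:
    """Collect every autostart entry from the registry export and ini files."""
    entries: List[Entry] = []
    wanted = {k.lower() for k in RUN_KEYS}
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() in wanted:
            entries.extend((key, name, cmd) for name, cmd in values.items())
    for fname, text in ini_files.items():
        entries.extend(ini_autoruns(fname, text))
    return entries


def suspicious_entries(entries: List[Entry], suspect_files) -> List[Entry]:
    """Flag entries whose command names a suspect file, or launches a *.scr
    from an autostart location (screensavers are plain executables)."""
    names = {s.lower() for s in suspect_files}
    flagged: List[Entry] = []
    for loc, name, cmd in entries:
        tokens = [t.lower() for t in re.split(r'[\\/"\s]+', cmd) if t]
        if names.intersection(tokens) or _SCR.search(cmd):
            flagged.append((loc, name, cmd))
    return flagged


# --- constructed sample data (not real indicators) -------------------------
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundTray"="C:\\Program Files\\Vendor\\tray.exe /start"
"MsgSvc"="C:\\WINNT\\msgsvc.scr"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\WINNT\\System32\\ltm203.exe -h"

[HKEY_CURRENT_USER\Software\Vendor\Settings]
"Theme"="blue"
'''
SAMPLE_INI = {
    "win.ini": "[windows]\nload=\nrun=C:\\WINNT\\msgsvc.scr\n[fonts]\n",
    "system.ini": "[boot]\nshell=Explorer.exe\n",
}
SUSPECT_FILES = ["msgsvc.scr", "ltm203.exe"]  # the files moved aside for analysis

if __name__ == "__main__":
    for loc, name, cmd in suspicious_entries(autorun_entries(SAMPLE_REG, SAMPLE_INI), SUSPECT_FILES):
        print(f"{loc}\n    {name} = {cmd}")
```

On a real system the registry text comes from `reg export` of each key in `RUN_KEYS` and the ini files from the Windows directory; the same scan is worth repeating after cleanup, since an entry that survives will relaunch the file on the next logon.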
    
    
    -=-
    
    
    Forwarded from: Steve Manzuik <steveat_private>
    
    http://www.nwfusion.com/news/2003/0526isspatch.html
    
    If anyone needs to be concerned with patching it's ISS, but I don't
    think that their new buzzword will get the job done.
    
    > More precisely, ISS will enable its vulnerability-assessment scanner 
    > to gang up with its network- and host-based intrusion-detection 
    > systems (IDS) to stop newly discovered attacks or worms that could 
    > damage unprotected servers or desktops on enterprise networks. 
    
    The last time I tested ISS' host based "product" it did not work on
    HP-UX, caused issues on Solaris installs, and blue screened 3 out of 5
    Windows 2000 boxes.  Don't get me started on the unreliability of
    their network based product either.
    
    Too bad my client wasn't as amused with the failures as I was
    considering they shelled out close to 100K for the ISS solution.  
    Their scanner product is pretty good though; with all the keygens and
    cracks floating around for it, script kiddies seem to love it, and with
    all the false positives it generates the kiddies won't get anywhere.
    
    With the high overhead created by using ISS products it almost makes
    me wonder if patch management isn't cheaper.
     
    > ISS CTO Chris Klaus calls the idea "virtual patching" because it
    > could eliminate the need to immediately apply server or desktop
    > software patches, which are often required to combat new attacks
    > that exploit software holes. Instead of having to rush to patch the
    > application or operating system software to stop a fast-moving worm
    > from taking over vulnerable systems, ISS would be able to have its
    > IDS ready to take certain steps to stop specific attacks aimed at
    > the target machine.
    
    A proper security framework already eliminates the need to rush out
    and patch non-critical boxes.  Even with this "revolutionary" product
    it makes sense for IT departments to patch critical systems.
     
    > "Patching is unattainable. There's no Fortune 1000 company doing it
    > across all its systems," contends Klaus, who points out that
    > sometimes vendors stop supplying patches for their legacy products.
    > "For instance, Microsoft is no longer supporting patching for
    > Windows NT."
    
    Does ISS Server Sensor even support and work on Windows NT?  Does
    anyone have any success stories with this product on NT?  Patching is
    not unattainable if the proper framework is put in place in the first
    place. Proper processes can solve a lot of the patching issues.
    
    > Next month ISS will add the virtual patching capability to its
    > vulnerability-assessment tool, Internet Scanner 7.0, which runs on
    > Windows 2000.
    
    But Klaus mentioned NT above....
     
    > Continuously updated with new attack information as it becomes
    > known, Internet Scanner will examine Web servers, firewalls,
    > operating systems, routers, switches, mails servers and other
    > applications to determine where a variety of weaknesses reside. The
    > product also will perform network discovery to locate network
    > resources.
    
    This is a neat idea but you will end up spending a ton of money
    protecting not so critical boxes.  It's back to the old saying: "You
    don't spend 1,000,000.00 to protect 1,000."
    
    > Internet Scanner will no longer simply be a stand-alone tool, but
    > will be able to take commands from the ISS management console,
    > SiteProtector. Companies could then perform a scan when a new
    > vulnerability or threat was identified, to see which machines could
    > be hit. Then, based on the network manager's decision, SiteProtector
    > would be able to instruct the ISS network-based sensor, RealSecure
    > Network 7.0, or the host-based IDS, RealSecure Server 7.0 and
    > RealSecure Desktop 7.0, to take certain steps. The host-based IDS
    > could block access, based on a specific check or signature.
    
    Yay!  Now your false positive prone ISS Scanner will not only confuse
    your IT staff but begin blocking potentially legitimate traffic.  I
    can see the increase in productivity already.
    
    > Since traditional "passive" IDS products aren't in-line devices that
    > can block large traffic streams, RealSecure Network 7.0 would be
    > limited to instructing the firewall to block the attack through a
    > process called shunning, or alternatively, terminating a session
    > with TCP re-sets.
    
    So this is different from the OPSEC features in RealSecure how?  How
    is this going to protect internal desktops and servers from an
    internal attack?  Oh, it won't?  So let's just call our desktops and
    back end devices "honeypots" and everything will be fine.
    
    > The virtual patching capability is coordinated with the debut next
    > month of what ISS has dubbed The X-Force Catastrophic Risk Index
    > that the company will issue periodically as a guide to the worst
    > security threats and risks.
    
    Wow, CATASTROPHIC RISK INDEX, this should send a chill up IT Security
    Managers' spines everywhere.  Proper risk management employs more than
    half broken technology.  Sorry to sound like a Final 4 firm but risk
    management is a combination of people, process, and technology.  
    Security is built in layers and reliance should not be placed on one
    single device or technology. All ISS is doing here is setting their
    customers up to become victims -- or was that honeypot researchers?
    
    > While the virtual patching capability is still in testing mode, and
    > it's not clear how well the idea will work in practice, there's
    > little doubt that network managers are fed up with patching.
    
    Their entire product line is still in testing mode.  ISS needs to fix
    the multiple issues in their basic products before they try and sell
    the world on their virtual patching service.  Granted my organization
    is small, but I have about a dozen clients who were sold on ISS
    products -- all but two have given up trying to make them work
    properly.  What does that tell you?
    
    
    Regards,
    
    
    Steve Manzuik
    Chief Technical Officer
    Entrench Technologies Inc.
    (403)663-1337 - office
    (403)589-4430 - cellular
    steveat_private
    
    
    
    -=-
    
    
    
    Forwarded from: White Vampire <whitevampireat_private>
    
    
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    
    On Tue, May 27, 2003 at 02:03:48AM -0500, InfoSec News(isnat_private) 
    wrote:
    
    
    This is PR disguised as news.
    
    
    <snip>
    > "Patching is unattainable. There's no Fortune 1000 company doing it
    > across all its systems," contends Klaus, who points out that
    > sometimes vendors stop supplying patches for their legacy products.
    > "For instance, Microsoft is no longer supporting patching for
    > Windows NT."
    <snip>
    
    
            Prove it.  Patching is unattainable, eh?  Windows workstations
    can be set to reference a directory on a primary server within the NOC
    and automatically install updates in the directory.  That is just one
    way to do it.
    
    
            If said "patching" is not taking place, perhaps there are some
    people out there who should start doing their jobs properly.
    
    
    Regards,
    - -- 
    \   | \  /  White Vampire\Rem                |  http://gammaforce.org/
     \|\|  \/   whitevampireat_private        |  http://gammagear.com/
    "Silly hacker, root is for administrators."  |  http://webfringe.com/
    
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.5 (GNU/Linux)
    
    
    iD8DBQE+05ba3+rxmnEDyl8RAtqLAKD0vSsHCZlriYO7CwFnn3gDp1N/dACfXIvN
    U9z5ICL3U/mCPQnQTDQaOtI=
    =hAXD
    -----END PGP SIGNATURE-----
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Wed May 28 2003 - 02:45:41 PDT