Comments Inline

-----Original Message-----
From: Mark Ng [mailto:laptopalias1-markat_private]
Sent: Tuesday, May 20, 2003 3:56 PM
To: Kevin Reardon; incidentsat_private
Subject: RE: A question for the list...

<snip>
> Are owners of long term compromised systems really "innocents"? If people have left systems compromised with
> worms that are attacking other networks and reports have been ignored for significant amounts of time, then
> surely the compromised party are guilty of negligence ?
<snip>

Consider this... with respect to the "long term compromised systems" there are two sets of parties. One set is responsible for the operation and maintenance of the systems. The other party (which is much larger in size typically) is made up of the users of that system. Do you think that the general employees of a company aren't "innocents" if their sysadmin isn't keeping up on patches? And what if the reason the patches haven't been applied yet is because of a change control process that takes hours of paperwork and weeks of waiting time per patch per box? I've seen it take six weeks in some corporations to get changes approved, and as much as an entire day's worth of work to complete the change control request to put one patch on one box. When you consider that the company in this example had dozens of machines offering services to the outside world, it's a bit easier to understand how machines go unpatched. And who is some outside party with an axe to grind to determine their innocence or guilt in the first place?

> Perhaps rather than a strikeback system, something similar to ARIS could be used to send automated alerts to
> ISP's warning them that x number of their customers have the latest worm. In the event that ISP's are
> non-compliant, and don't deal with their infected customers, peering points could agree to enforce this upon ISP's.

I like this idea, but I think that it might not have much effect.
Already there are way too many large ISPs who do nothing when they are notified of blatant abuse (see under www.proxyprotector.com for a great and typical example), so I don't see what they'll do about their customers being infected with worms. After all, their customers pay them, and you don't... so why would they give their customers a hard time over the complaints of outsiders? And the more infected hosts they have on their net, the less incentive they have to try to do anything, as the problem simply becomes too large to be worth tackling by them.
This archive was generated by hypermail 2b30 : Thu May 22 2003 - 11:43:29 PDT