Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Definition of Zero Day Protection

from [Drew Copley] Network Security [Permanent Link]
Subject: RE: Definition of Zero Day Protection
Date: Mon, 9 Aug 2004 10:29:51 -0700 
 


-----Original Message-----
From: Teicher, Mark (Mark) [mailto:teicher@avaya.com] 
Sent: Sunday, August 08, 2004 6:48 PM
To: focus-ids@securityfocus.com
Cc: Seanor, Joseph (Joe)
Subject: Definition of Zero Day Protection

What is Zero Day Protection, I think I understand the 
definition of Zero
Day Exploits.  But what is Zero Day Protection?  Another 
marketing blurb
or it can vendors actually offer zero day protection?   


Systrace is an example of a type of software that can offer zero day
protection.

http://english.peopledaily.com.cn/200408/07/eng20040807_152156.html

(Not to toot our own horn, as we also offer some zero day protection in
both Blink and SecureIIS and we are striving hard to offer more...)

Software which is solely signature based can not do this. Heuristic
security software is designed to do this. 

http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=heuristic+AV

So, in this frame, even a new variant of a trojan is "zero day".
However, of course, when we say "zero day" we mean unknown true
vulnerabilities as opposed unknown instances of a virus or trojan.

There is, however, little practical difference, ultimately.

[Moving on so people might better *understand* zero day *attacks*, which
is essential to understanding their protection... and not wishing to get
involved in a preliminary discussion of heuristics...]

Anyone that would use a zero day vulnerability (which is still an
extremely rare attack) would likely use a new trojan/rootkit or a AV
sanitized variant of an old trojan/rootkit.

It might be noted most people outside of the "bugfinding" [sic] part of
the security community tend not to understand zero day attacks. 

The best examples, and almost the only known examples are the webdav and
scob attacks. It is extremely likely that some other attacks have taken
place which no one knows about. Both the scob and webdav attacks were
unusually poor in their pulling off, ultimately. 

Essentially, such an attack is akin to the attacker having a backdoor in
your operating system. Evading detection of this attack without some
kind of strong heuristic protection would be almost entirely impossible.

Unlike a smooth jewelry or bank heist, because the "theft" is of data,
you may never even know you were invaded. Because of the remoteness of
the attacker made possible through the type of attack, the attacker is
likely to have plenty of time to make away with their intrusion and data
theft. Further, it is extremely simple to route through many systems and
provide themselves with other layers of anonymity which would be
impossible in a physical intrusion. 

Because of these factors and the increasing likelihood of zero day
attacks, progress must be made in fighting these kinds of attacks today.

Unfortunately, security is usually a reactive endeavour, rather then
proactive. (And, proactive security is typically reactive security
dressed up so you don't feel so bad.)

These things are not security hype. Neither is protection from them. 

If a single bugfinder goes "rogue", you will see these kinds of attacks.
Likely, as bugfinders tend to be somewhat rogue in the firstplace, there
are a lot more going on then we already know about. And, there is an
increasing number of qualified bugfinders. 

This trend will inevitably increase.

So, no, it is not marketing hype, and yes, it should be a concern. It
should be more of an immediate concern for military and financial
institutions, as they tend to have more valuable data and are the first
targets for most attackers. However, anyone with a credit card database
or serious corporate secrets is a possible target.





Thank you for clarifying my confusion

/m

--------------------------------------------------------------
------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world 
attacks from CORE
IMPACT.
Go to 
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_04
0708 to learn more.
--------------------------------------------------------------
------------




--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to 
learn more.
--------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Definition of Zero Day Protection, Teicher, Mark (Mark)
Next by Date:  RE: Definition of Zero Day Protection, Fulp, J.D. USA
Previous by Thread:  Re: Definition of Zero Day Protection, Andy Cuff
Next by Thread:  Re: Definition of Zero Day Protection, Devdas Bhagat
Indexes:  [Date] [Thread] [Top] [All Lists]