Network Security Focus-IDS

Re: ForeScout ActiveScout

Subject: Re: ForeScout ActiveScout
Date: 10 Jan 2005 18:27:40 -0000
In-Reply-To: <20050107031424.49127.qmail@web41103.mail.yahoo.com>

<CAUTION: HUMOR AND SARCASM>

First of all, let's review the topic of patching.  A patch is an update to 
software that's broken in a variety of ways including, but not limited to, bug 
fixes and security issues.  I don't even think that certain vendors take their 
patching seriously - for example: a "critical security update" for an office 
font was released because it has some 'offensive' characters in it ... critical 
for who?!  And then they make it so you can't get any new updates until you 
apply the new font... so, if you don't apply this "critical", but unnecessary 
update, you might not even know that you are missing patches!

Now let's assume you *are* patched with *all* the vendor's patches.
Every one of them.  So having all your exposed services being patched (and 
services configured properly), in theory, would make your network 100% secure, 
in combination with your firewalls being correctly configured of course.  This 
leaves your IDS sitting there gathering data on would-be exploits, but nothing 
will ever come of them because you *are* patched.  Leaving you, supposedly, 
with nothing to worry about.  Nice feeling isn't it?  Quite peaceful.

Let's be realistic here.  Systems are not just vulnerable between the time the 
patch is released by a vendor and the time you apply it.  I've heard many 
sysadmins, approx. once a month, say things like "Another vulnerability came 
out today.  *Sigh* I guess I'll be patching our servers again tonight".  It's 
very important to make them realize that the *vulnerability* has been out for a 
long time and it was only recently patched by the vendor.  And we make the wild 
assumption that the patch works and that it doesn't introduce any new 
vulnerabilities.
The vendor released the problem code in the first place - what makes anyone 
think that they are incapable of doing it again?!

And if you are 100% patched - you should NEVER have to patch again, right?  
100% means 100%, right?  Wrong!  You've only applied 100% of the available 
patches.  So why another release of patches?  It comes from the vulnerabilities 
that are STILL in your 100% patched systems.  Just accept it, you'll never be 
100% patched.  And you should be happy about this - you'll always have a job 
because the patching and upgrades will never end.   Well, I'm assuming that a 
system you maintain doesn't get compromised on a zero-day and they fire your 
ass.  ;-)

So, our job as security people is risk mitigation, not complete protection.  
Hey, people have accepted the concept of something not working 100% in other 
products - why do they have such a hard time accepting this same concept in the 
computer security field?  Condoms = risk mitigation, not elimination.

You have your firewalls to police traffic into, and hopefully out of, your 
network.  Your systems are patched for most commonly known vulnerabilities.  
Your IDS is probably only looking for known signatures.  Your virus scanner is 
most likely only looking for known signatures as well.  If you are lucky, you 
have some (N)IPS or HIPS blocking based on inappropriate behavior - and 
hopefully it catches whatever new exploit is out there.

Activescout isn't intended to replace your firewall, or your IDS.  It's 
intended to complement these systems you already have in place.  It REALLY IS 
damn near 100% accurate as far as false positives are concerned.  There is the 
issue of missed attacks, but that's what you have the other systems for, isn't 
it?

Information is power - let's say I scan your network for IIS servers and save 
their version numbers.  I find an instance of IIS running on an IP that doesn't 
have any DNS associated with it.  Maybe this is hidden to most of the world, 
but it's not hidden from a quick port scan.  So, move the port to something 
that's not the default - a scan will find that too with a little bit more work.  
Now suppose I know what version of IIS you are running on a system and it's 
completely patched, and I really want to hack into your network ... maybe I 
can't easily do it right now...
so, I wait.  

Think about this: who do you think is faster - a hacker waiting to exploit a 
vulnerability on a known vulnerable system, or a vendor producing a patch for a 
vulnerability, releasing it, you downloading it, (maybe) testing it and then 
applying it and rebooting the server?  I'll just wait - we'll see who wins this 
little race.

Activescout gives a scanner so much misinformation that the attackers have a 
seriously hard time figuring out what is real and what is virtual.  This 
essentially takes away a lot of their knowledge by making them work harder for 
it.  This by itself is only an "ok" tactic, but now suppose that you also block 
the IP addresses of these attackers.
Wouldn't you think this would mitigate risk?

I know what you are thinking - maybe the attacker spoofs the source IP.
Well, Activescout only blocks addresses that can be confirmed as attacking 
using techniques such as marking the data in an application layer and watching 
for these marks to return, in addition to watching for complete TCP 
handshaking.  So, where your IDS may have tons of false positives, activescout 
is nearly 100% accurate because it's not looking for signatures that occur 
frequently in real legitimate traffic.  And it really does come very close to 
100% accuracy in identifying attackers.
I've had one false block in two plus years of running activescout, and it was 
from a user going to http instead of httpS.  I've since excluded that http 
port.  I don't know what the false positive rate is for *your* IDS - ignoring 
the fact it probably doesn't accurately identify the attacker's IP - but you'd 
have to be insane to implement it as part of a firewall blocking system that 
blocks all traffic from the suspected IP.
Many IDSs will alert on a single packet regardless of any connection state 
information.

Activescout takes very little effort to maintain, and it sets up in about 20 
minutes.  Upgrades are just about idiot proof and take very little time and 
interaction from the user.  I don't know what you're running your java on, but 
maybe you should think about an upgrade.  I have a console (not my primary 
console) on a P300 with 128 MB that works just fine.  You can probably get one 
of those for less than $200.

Also, as a side effect, activescout actually reduces the number of IDS alerts 
you receive.  Mine went down by a factor of 100 after installing activescout.  
Maybe I get paid more, but activescout has easily paid for itself just in the 
time I save managing my other security products.
Besides, it also makes pretty maps and graphs to show management which really 
helps them to understand and be able to quantify this invisible threat making 
it easier to get cash for security products in the future.
This saves me time again, but this time on the begging end of the scale.

If you can save time, money, and mitigate more risk by spending 20 minutes to 
implement activescout, why not use it?  Of course, maybe there is a little 
masochist in everybody. ;-)

</CAUTION: HUMOR AND SARCASM>
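The confirm-before-block idea the post describes (an application-layer mark that only a scanner could have seen, plus a completed TCP handshake so a spoofed source address can never trigger a block) sketched in Python. This is an added illustration, not ForeScout's code and not the poster's; the fake banner format, the token scheme, the simplified packet fields and the port-exclusion list are assumptions chosen for the example. It also models the post's one false block: traffic to an excluded port (plain HTTP sent to the HTTPS port) is never blocked.

```python
import secrets
from collections import namedtuple

# One client-to-server TCP segment as a passive sensor would see it.
# flags is "SYN", "ACK" (third step of the handshake) or "PSH" (data).
# Constructed, simplified model: sequence numbers other than the client's
# ack value are left out.
Packet = namedtuple("Packet", "src dport flags ack payload")


class ConfirmBeforeBlock:
    """Block a source only after it proves itself twice:
    1. it completes a three-way handshake against an ISN only a real
       endpoint could have received (so the address is not spoofed), and
    2. it sends data carrying a mark we deliberately leaked to a scanner.
    A single-packet signature match never blocks anything."""

    def __init__(self, excluded_ports=()):
        self.marks = {}            # token -> source the fake banner was served to
        self.isn = {}              # (src, dport) -> ISN we answered the SYN with
        self.established = set()   # (src, dport) pairs that finished the handshake
        self.blocked = set()
        self.excluded_ports = set(excluded_ports)  # e.g. HTTPS port: plain HTTP
                                                   # there is user error, not attack

    def issue_mark(self, src):
        """Serve a scanner a plausible but fake banner.  The hidden path is the
        mark: it exists nowhere, so only someone who saw this banner and came
        back for it can ever request it.  Returns (token, banner)."""
        token = secrets.token_hex(4)
        self.marks[token] = src
        banner = ("HTTP/1.1 200 OK\r\nServer: Apache/1.3.27 (Unix)\r\n"
                  f"Location: /admin-{token}/\r\n\r\n")
        return token, banner

    def observe(self, pkt):
        """Feed one client segment.  Returns a short verdict string."""
        key = (pkt.src, pkt.dport)
        if pkt.flags == "SYN":
            # Our SYN-ACK carries a random ISN; a blind spoofer never sees it.
            self.isn[key] = secrets.randbelow(2 ** 32)
            return "synack-sent"
        if pkt.flags == "ACK":
            isn = self.isn.get(key)
            if isn is not None and pkt.ack == (isn + 1) % 2 ** 32:
                self.established.add(key)
                return "established"
            return "bad-ack"
        if pkt.flags == "PSH":
            if key not in self.established:
                # Data without a handshake: spoofed or stateless probe.  A
                # stateless IDS would alert on the payload; we do not block.
                return "ignored-no-handshake"
            if pkt.dport in self.excluded_ports:
                return "excluded-port"
            for token, scanned_by in self.marks.items():
                if token in pkt.payload:
                    self.blocked.add(pkt.src)
                    return f"blocked:mark-issued-to-{scanned_by}"
            return "no-mark"
        return "unhandled"


def demo():
    """Scanner gets a mark, returns for the fake path over a real connection,
    and is blocked; a legitimate client fetching a real page is not."""
    sensor = ConfirmBeforeBlock(excluded_ports={443})
    scanner, client = "203.0.113.7", "198.51.100.9"
    token, _banner = sensor.issue_mark(scanner)
    for src, path in ((scanner, f"/admin-{token}/"), (client, "/index.html")):
        sensor.observe(Packet(src, 80, "SYN", 0, ""))
        sensor.observe(Packet(src, 80, "ACK", sensor.isn[(src, 80)] + 1, ""))
        sensor.observe(Packet(src, 80, "PSH", 0, f"GET {path} HTTP/1.0\r\n"))
    return sensor.blocked


if __name__ == "__main__":
    print("blocked:", demo())
```

The two checks are deliberately independent: the ISN check defeats source-address spoofing even if the attacker has somehow learned a mark, and the mark check keeps an ordinary user who completes a handshake and requests a real page off the block list.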




