Network Security Focus-Microsoft

RE: Should webservers, eg. IIS 6 have anti--virus installed on them?

Subject: RE: Should webservers, eg. IIS 6 have anti--virus installed on them?
Date: Wed, 20 Jul 2005 12:22:30 -0700 (PDT)

> That's all hindsight, Harlan.  Getting people to protect their servers
> with basic tools like antivirus is far more feasible than trying to turn
> everyone into exploit clairvoyants!

> It is a very simple and indisputable fact that antivirus played a major
> part in saving many very important companies a very large sum of money.
> Ignoring that is not advisable.

Again, as I stated before, it was a band-aid...and it
worked this time.  The real issue is that systems are
exposed to the Internet all the time w/ poor/no admin
passwords, poorly configured services, etc., and it's
software such as A/V products that are deemed the
heroes for picking up the slack.  In a nutshell, it's
enabling the poor administration behaviour.

> It's irresponsible to expose a server to the Internet without antivirus
> protection on it no matter what its role is.

Perhaps.  I happen to not agree with you on that.  I
believe, however, that it is irresponsible to expose a
server to the Internet with no Admin or 'sa' password,
or with unneeded services enabled.

> It seems to me that there is an air of arrogance in the thought process
> that says "I was able to beat it last time, so I have no worries about
> the future".  Many of the companies that lost millions thought that they
> had all of the bases covered.  Contrary to what you're trying to imply,
> it was not that they were just lazier than you or less "elite".

There was no implication of that nature on my part,
nor is there an elitist attitude.  The basic
configuration steps that I mention have been posted on
the MS site as far back as IIS 4.0's time...the fact
that they weren't followed is another matter entirely,
and one not solved by the installation of A/V
software.

> Not every company can afford a 24/7 security geek standing at their
> routers checking the exploits at the door!  We can all afford basic
> antiviral protection, though.

That's a business decision, and one that affects the
security process.  One doesn't have to "stand at the
routers", as you say.  All one has to do is understand
what traffic needs to pass through the routers, and
disable the rest...and to be honest, it's really not
as hard as most folks make it out to be.  Replicate
the rulesets from your routers on your firewalls, and
alert there.  If you allow traffic in to port 80,
redirect it to the public firewall that you've
thoughtfully placed in a DMZ/separate segment.
 
> You may be patting yourself on the back because it didn't hit you this
> time but it was pure luck that it was a patch that you were aware of.
> Letting your guard down is such an amateur and arrogant mistake.

I haven't let my guard down.  I simply take the time
to try and understand the nature of the threats, and
plan accordingly.  I don't see anything amateurish or
arrogant in that. 

Harlan

------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------
