Page 1 of 2 (Results 1 to 10 of 19)

Thread: Procedure for vulnerability weakness

  1. #1
    Junior Member SBerry's Avatar
    Join Date
    Dec 2007
    Posts
    94

    Default Procedure for vulnerability weakness

I was just thinking about the possible implications of a 0day exploit being released before a patch has been made. I believe usually there is a cool-off period, where if a white hat finds an exploit, he does his duty to mankind and informs the vulnerable vendor.
But let's say for some reason the vulnerability gets out before a patch has been made. For example, maybe a vulnerability in an OS or a web server vulnerability.

What should an admin do to prevent compromise of his system? This admin could be looking after a major company's infrastructure.

If, let's say, a web server vulnerability is released, what would be the correct procedure in preventing a possible attack? Is there any?

I was thinking maybe having some sort of backup vendor software just sitting there waiting to be used.

It would not be feasible for a business to shut down their business's web end, as this would affect online business!

  2. #2
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Quote Originally Posted by SBerry View Post
I was just thinking about the possible implications of a 0day exploit being released before a patch has been made. I believe usually there is a cool-off period, where if a white hat finds an exploit, he does his duty to mankind and informs the vulnerable vendor.
But let's say for some reason the vulnerability gets out before a patch has been made. For example, maybe a vulnerability in an OS or a web server vulnerability.

What should an admin do to prevent compromise of his system? This admin could be looking after a major company's infrastructure.

If, let's say, a web server vulnerability is released, what would be the correct procedure in preventing a possible attack? Is there any?

I was thinking maybe having some sort of backup vendor software just sitting there waiting to be used.

It would not be feasible for a business to shut down their business's web end, as this would affect online business!
It would really depend on how the exploit works to determine what method would be used to mitigate the attack.

    If it's something as simple as an attack coming in on a certain port, it would be wise to block that port, as long as doing so doesn't impact doing business as usual.

    A while ago there was a 0-day that had to do with how Windows handled certain pictures. MS wasn't going to have a patch out for 3 weeks, but in the meantime they had a work around which was de-registering a certain DLL. A quick script later, and I had all of our machines fixed up. When the patch was out, everything was ok.

    Part of the problem is, there's lots of 0days out there, and attempts at blocking all of them would probably be an exercise in futility. Follow good security practices, teach your users about suspicious activity, and watch your traffic.

    The last 0day we got hit by, one person executed it upon himself when he got it via an email. During the next training session, he became the example of what not to do, we haven't had an issue since.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
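The rollout streaker69 describes ("a quick script later"), written out as an added example; it is not from the thread and not a vendor advisory. It is PowerShell for a Windows fleet and assumes PowerShell remoting (WinRM) is enabled and that the caller is a local administrator on every target. The host names (ws-001, ws-002) and the DLL path (example.dll) are placeholders: the real DLL to de-register, and whether de-registering it is the right workaround at all, come from the vendor's advisory for the specific bug. The -Rollback switch re-registers the DLL once the patch is confirmed installed, which is the "when the patch was out, everything was ok" step.

```powershell
<#
  Added example, not the poster's script. Pushes a vendor-published interim
  workaround (de-registering a DLL) to a list of hosts over PowerShell
  remoting, records which hosts took it, and reverses it with -Rollback
  once the real patch is in. Host names and the DLL path are placeholders.
#>
[CmdletBinding()]
param(
    # Placeholder inventory; replace with your own host list.
    [string[]]$ComputerName = @('ws-001', 'ws-002'),

    # Placeholder DLL. Take the real path from the vendor advisory only.
    [string]$Dll = 'C:\Windows\System32\example.dll',

    # Re-register the DLL after the patch has been confirmed installed.
    [switch]$Rollback
)

$action = if ($Rollback) { 'register' } else { 'unregister' }

# Work performed on each remote host. regsvr32 /s is silent, /u unregisters.
# regsvr32 returns 0 on success; anything else means the host is unchanged.
$work = {
    param([string]$Path, [bool]$Unregister)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Computer = $env:COMPUTERNAME; Result = 'dll-not-present'; ExitCode = $null }
    }

    $argList = @('/s')
    if ($Unregister) { $argList += '/u' }
    $argList += "`"$Path`""

    $p = Start-Process -FilePath 'regsvr32.exe' -ArgumentList $argList -Wait -PassThru -WindowStyle Hidden

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Result   = if ($p.ExitCode -eq 0) { 'ok' } else { 'failed' }
        ExitCode = $p.ExitCode
    }
}

# Unreachable hosts raise non-terminating errors and simply do not report back,
# so they are tracked separately: their state is unknown, not "done".
$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $work `
    -ArgumentList $Dll, (-not $Rollback) -ErrorAction Continue

$reported = @($results | ForEach-Object { $_.Computer })
$missing  = @($ComputerName | Where-Object { $_ -notin $reported })

# Keep a record per run: the failed and missing hosts are the ones still
# exposed (or, on rollback, the ones still running with the workaround).
$log = Join-Path $env:TEMP ('workaround-{0}-{1:yyyyMMdd-HHmmss}.csv' -f $action, (Get-Date))
$results | Select-Object Computer, Result, ExitCode | Export-Csv -Path $log -NoTypeInformation

$results | Format-Table Computer, Result, ExitCode -AutoSize

$notDone = @($results | Where-Object { $_.Result -ne 'ok' } | ForEach-Object { $_.Computer }) + $missing
if ($notDone.Count -gt 0) {
    Write-Warning ("Still to chase (not ${action}ed or unreachable): " + ($notDone -join ', '))
}
Write-Output "Results written to $log"
```

Run it against a pilot group first: a workaround of this kind removes whatever the vulnerable component provided, so check that nothing the business depends on breaks before pushing it fleet-wide. Keep the CSV from each run, because the hosts that failed or never reported are the ones still exposed, and write the rollback at the same time as the workaround rather than when the patch arrives.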

  3. #3
    Junior Member SBerry's Avatar
    Join Date
    Dec 2007
    Posts
    94

    Default

    Quote Originally Posted by streaker69 View Post
    there's lots of 0days out there, and attempts at blocking all of them would probably be an exercise in futility.
To be honest, I would say that most companies' IT administration would not be up to date with vulnerabilities and the implications of such. Like, I know a few that rely mainly on the MS updates, anti-viral updates, firewall updates etc. They are IT admins... but not all of them are security experts.

My point is there is a problem here with the training of these people. Thus, a 0day could have horrible consequences for businesses running the vulnerable services.

You said yourself, streaker69, that even with precautions the stupidity and idiocy of users can cause havoc. I am sure your network is as secure as physically possible. But if a particular vulnerability was identified and writing a script to inhibit the DLL of an app was not an option, would you consider, for the safety of the network, users and its data, switching services until a patch has been released?

I am referring to web service vulnerabilities here as most firms have web sites, but I am sure that it applies to many other services. And most small-to-medium-sized companies who have these web services don't have full-time admin staff.

  4. #4
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default

    This is why defense in depth is important.

Yes your software may be vulnerable, but hopefully you have IDS/IPS, firewalls, good coding practices in your web sites, user awareness, log review/monitoring, backups and redundancy, BC/DR plan, etc. in place to help mitigate any zero-day concerns. Obviously this will never be 100% secure (no such thing); all you can do is ensure you have multiple layers of protection and cross your fingers.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  5. #5
    Junior Member SBerry's Avatar
    Join Date
    Dec 2007
    Posts
    94

    Default

    Quote Originally Posted by thorin View Post
    This is why defense in depth is important.

Yes your software may be vulnerable, but hopefully you have IDS/IPS, firewalls, good coding practices in your web sites, user awareness, log review/monitoring, backups and redundancy, etc. in place to help mitigate any zero-day concerns. Obviously this will never be 100% secure (no such thing); all you can do is ensure you have multiple layers of protection and cross your fingers.
True... so you're basically relying on an act of God not happening to your firm.
Quote Originally Posted by thorin View Post
cross your fingers
And of course, you will have to cross your fingers that the CIO or senior management staff understand this. It would be a shame to lose your job if one of the leading financial institutions (for example) were compromised and, more importantly, embarrassed. It's your head.

  6. #6
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509

    Default

    Quote Originally Posted by SBerry View Post
    I am referring to web service vulnerabilities here as most firms have web sites but I am sure that it applies to many other services.
Web sites may not be the best example. Most web sites for small businesses are hosted by a provider, and are not on site. For those that do maintain web sites that are self-hosted, they have to know their stuff and be aware of vulnerabilities. Even then, though, the worst that can usually happen is that they suffer a defacement of the pages. It may be embarrassing, but it's usually not anything more than an inconvenience.

    Once the business starts getting into an area that they have a self-hosted website, and it is tied to something more complex such as a retail sales database, they are usually in a position to have some security knowledge. It may not prevent them from suffering a zero-day, but they are usually more vigilant.
    Thorn
    Stop the TSA now! Boycott the airlines.

  7. #7
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509

    Default

    Quote Originally Posted by SBerry View Post
True... so you're basically relying on an act of God not happening to your firm.
I don't think Thorin is saying that at all. He is saying that you deal with known and unknown risks by relying on security practices that are properly layered to mitigate problems as much as is reasonably possible. However, no matter what you do, something may happen that is well beyond reasonable security concerns or the available economics.

  8. #8
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default

Quote Originally Posted by SBerry View Post
True... so you're basically relying on an act of God not happening to your firm.
It's like insurance. You cover your a__ in as many ways as you see fit (as a result of Cost/Benefit Analysis (CBA) and Threat & Risk Analysis (TRA)).

Acts of God should be covered by your BCP (Business Continuity Plan) and DRP (Disaster Recovery Plan). If you've properly carried out TRAs on important systems, then management should have signed off accepting any residual risks.

    Quote Originally Posted by SBerry View Post
And of course, you will have to cross your fingers that the CIO or senior management staff understand this. It would be a shame to lose your job if one of the leading financial institutions (for example) were compromised and, more importantly, embarrassed. It's your head.
    If upper management doesn't understand that there is no such thing as 100% secure, it's not somewhere I'd wanna work very long.

    Quote Originally Posted by Thorn View Post
I don't think Thorin is saying that at all. He is saying that you deal with known and unknown risks by relying on security practices that are properly layered to mitigate problems as much as is reasonably possible. However, no matter what you do, something may happen that is well beyond reasonable security concerns or the available economics.
    Exactly!

  9. #9
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Quote Originally Posted by thorin View Post
It's like insurance. You cover your a__ in as many ways as you see fit (as a result of Cost/Benefit Analysis (CBA) and Threat & Risk Analysis (TRA)).

Acts of God should be covered by your BCP (Business Continuity Plan) and DRP (Disaster Recovery Plan). If you've properly carried out TRAs on important systems, then management should have signed off accepting any residual risks.
    I got ours changed to CRAP (Comprehensive Recovery Action Plan)

  10. #10
    Junior Member SBerry's Avatar
    Join Date
    Dec 2007
    Posts
    94

    Default

    Quote Originally Posted by Thorn View Post
    It may be embarrassing, but it's usually not anything more than an inconvenience.
I cannot say I agree fully with this. And I don't agree that the worst case that can happen is a defacement. Yes, many small businesses have outsourced their web end, but does this not still apply to web service providers as well? You say that they are usually more experienced in the area. A 0day can be just as dangerous to an experienced admin (web service provider) as to a small self-served company.

A Worst Case Scenario:
Going back to my question. What would be a possible solution for remedying a service vulnerability if, for example, I was admin of a big Fortune 500 company or some company related to the working of the country (Wall Street) that relied heavily on these services? Would a change in service be necessary to ensure a compromise is not achieved?

I am going to stop here as I think I am dragging the thread out, but I'm just very curious about the way these network admins running these systems are able to sleep at night! As was said, I don't think just crossing your fingers is enough.

So what I've learned from this is that I must always be on my toes. To be a better admin I must keep track of possible vulnerabilities, especially if I am running the show at a major company. I must ensure that I have a network that implements some form of IDS/IPS and has other security procedures to limit access... just to name a few.

    And I must understand that Sh*t happens
