Procedure for vulnerability weakness

[streaker69]

So from what Ive learned from this is, that I must always be on my toes. To be a better admin I must keep track of possible vulnerabilities, especially if I am running the show at major company. I must ensure that I have a network that implements some form if IDS/IPS and has other security procedures to limit access.. just to name a few

And I must understand that Sh*t happens

If you're at a major company, then you're not the only one doing the work. It's those of us in the smaller companies that still have very important things to protect but are effectively doing it alone. My place is considered small, but we still have data on over 30,000 customers that we need to protect.

But you're right, if you're an admin, you have to keep on top of the vulnerabilities. Myself, I subscribe to several different security based RSS feeds. I keep my software up to date as best as I can, I implement multiple layers of security with an IDS system that monitors both inbound and outbound traffic. I keep track of MAC addresses on my network and even when I'm at home, I keep my Network Monitor website running so I can see if there are issues.

[thorin]

And I must understand that Sh*t happens

Actually take it a step or two further.

• Those you report to or that count on you also need to understand this. (Or reminded of it on a regular basis if they can't understand it).
• When the sh*t does happen you should be prepared with the "glass half full" point of view. Not what you, your team, or your technology didn't do but what they did do and are continuing to doing to help and protect the business. (If for some weird reason you have to paint it in a negative light then it should be negative re-enforcement of the good things, i.e.: Xyz would have happened if we didn't have IDS. It could have affected n systems instead of just 2 if we weren't on call. Etc.)
• After the sh*t stops hitting the fan you (your team and maybe management too) should review how things went and see if there's anything that could be done better/differently next time to minimize business impact, etc.

[Thorn]

I cannot say I agree fully with this. And I don't agree that the worst case that can happen can be a defacement. Yes many small businesses have outsourced their web end but does this not still not apply to web service providers as well?

Yes, but then the security issues are out of the small business's hands, and fall to their provider.

You say that they are usually more experienced in the area. A 0day can just be as dangerous to an experienced admin (web service provider) and to a small self served company.

Not if they have implemented security in layers. It may be dangerous, but it can usually be dealt with in a more efficient manner.

A Worst Case Scenario:
Going back to my question. What would be a possible solution for remedying a service vulnerability if for example I was admin of a big fortune 500 company or I some company related to the working of the country (wall street) that relied heavily on these services. Would a change in service be necessary to ensure a compromise is not achieved?

Maybe, maybe not. It could be that drastic, or it might be as simple as blocking a single IP address.

I am going to stop here as I think I am dragging the thread out, but I'm just very curious to the way these network admins running these systems are able to sleep at night! As was said I don't think just crossing your fingers is just enough

No, it is not. But you can also drive yourself mad just trying to cover all the "what if" scenarios.

So from what Ive learned from this is, that I must always be on my toes. To be a better admin I must keep track of possible vulnerabilities, especially if I am running the show at major company. I must ensure that I have a network that implements some form if IDS/IPS and has other security procedures to limit access.. just to name a few

You have to look at what is reasonable and draw the line there.

And I must understand that Sh*t happens

Absolutely. Sometimes despite our best intentions and planning, some things are not within our control.

[streaker69]

No, it is not. But you can also drive yourself mad just trying to cover all the "what if" scenarios.

IMO, if you don't have meteor strike listed in your disaster plan, then you're slacking off.

[Thorn]

IMO, if you don't have meteor strike listed in your disaster plan, then you're slacking off.

That's the third one down. I rate the sun going nova as more problematic, as then the backups have to be several parsecs away.

[streaker69]

That's the third one down. I rate the sun going nova as more problematic, as then the backups have to be several parsecs away.

I hear that you can put it in the Kessel system as it's less than 12 parsecs away.

[compaq]

just hyperthical, what if a friend of yours found a exploit and was asking you what to do. They say it will bypass all firewalls and most hardware routers switch won't work as they are meant to, and you can use allready made tools to dierctly access computers on the lan. Would you just tell "" to go to vendors or post it on the internet.

Yeah it sounds stupid but what are the ways

[streaker69]

just hyperthical, what if a friend of yours found a exploit and was asking you what to do. They say it will bypass all firewalls and most hardware routers switch won't work as they are meant to, and you can use allready made tools to dierctly access computers on the lan. Would you just tell "" to go to vendors or post it on the internet.

Yeah it sounds stupid but what are the ways

The responsible thing to do would be to report it to vendors first, and then GIVE THEM REASONABLE TIME TO RESPOND. I've read about too many exploits that were released public because the person that found it wanted to make a name for themselves. So they contact the vendor and then release it like 3 days later.

Plus just sending an email to the default contact page to a vendor is not a good enough way to make contact. Phone calls should be made, if you don't get an answer from the first person you talk to, start climbing the ladder in the company until someone listens to you. Releasing something to the public should be the last resort, not the second.

[ShadowKill]

The responsible thing to do would be to report it to vendors first, and then GIVE THEM REASONABLE TIME TO RESPOND. I've read about too many exploits that were released public because the person that found it wanted to make a name for themselves. So they contact the vendor and then release it like 3 days later.

Plus just sending an email to the default contact page to a vendor is not a good enough way to make contact. Phone calls should be made, if you don't get an answer from the first person you talk to, start climbing the ladder in the company until someone listens to you. Releasing something to the public should be the last resort, not the second.

Well put. As it stands, I have a vulnerability I discovered about two months ago and am giving the company until new years eve, when I will publicly announce the vulnerability and supporting PoC code. The last thing you want is to expose a company too soon and put them and their user/customer base in jeopardy for a claim to fame. Let them know, give them ample time to fix or draw up an announcement regarding the issue(s), and then release it if you so desire. Then nobody can say you acted in haste and without regard to those affected, and you will likely get the recognition you deserve anyway.

Also, compaq, there's a difference between an exploit and a vulnerability. An exploit is the way a vulnerability is leveraged to gain access, escalate priveledges, deny service, etc etc. A vulnerability is simply the flaw itself, not the means to manipulate that flaw. Just some friendly FYI.