
Thread: Procedure for vulnerability weakness

  1. #11
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535


    Quote Originally Posted by SBerry
    So from what I've learned from this is that I must always be on my toes. To be a better admin I must keep track of possible vulnerabilities, especially if I am running the show at a major company. I must ensure that I have a network that implements some form of IDS/IPS and has other security procedures to limit access... just to name a few.

    And I must understand that Sh*t happens.

    If you're at a major company, then you're not the only one doing the work. It's those of us in the smaller companies that still have very important things to protect but are effectively doing it alone. My place is considered small, but we still have data on over 30,000 customers that we need to protect.

    But you're right, if you're an admin, you have to keep on top of the vulnerabilities. Myself, I subscribe to several different security based RSS feeds. I keep my software up to date as best as I can, I implement multiple layers of security with an IDS system that monitors both inbound and outbound traffic. I keep track of MAC addresses on my network and even when I'm at home, I keep my Network Monitor website running so I can see if there are issues.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  2. #12
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629


    Quote Originally Posted by SBerry
    And I must understand that Sh*t happens.

    Actually, take it a step or two further.

    • Those you report to or that count on you also need to understand this. (Or be reminded of it on a regular basis if they can't understand it.)
    • When the sh*t does happen you should be prepared with the "glass half full" point of view. Not what you, your team, or your technology didn't do, but what they did do and are continuing to do to help and protect the business. (If for some weird reason you have to paint it in a negative light then it should be negative reinforcement of the good things, i.e.: Xyz would have happened if we didn't have IDS. It could have affected n systems instead of just 2 if we weren't on call. Etc.)
    • After the sh*t stops hitting the fan you (your team and maybe management too) should review how things went and see if there's anything that could be done better/differently next time to minimize business impact, etc.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  3. #13
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509


    Quote Originally Posted by SBerry
    I cannot say I agree fully with this. And I don't agree that the worst case that can happen can be a defacement. Yes, many small businesses have outsourced their web end, but does this still not apply to web service providers as well?

    Yes, but then the security issues are out of the small business's hands, and fall to their provider.

    Quote Originally Posted by SBerry
    You say that they are usually more experienced in the area. A 0day can be just as dangerous to an experienced admin (web service provider) as to a small self-served company.

    Not if they have implemented security in layers. It may be dangerous, but it can usually be dealt with in a more efficient manner.


    Quote Originally Posted by SBerry
    A Worst Case Scenario:
    Going back to my question. What would be a possible solution for remedying a service vulnerability if, for example, I was admin of a big Fortune 500 company or at some company related to the working of the country (Wall Street) that relied heavily on these services? Would a change in service be necessary to ensure a compromise is not achieved?

    Maybe, maybe not. It could be that drastic, or it might be as simple as blocking a single IP address.

    Quote Originally Posted by SBerry
    I am going to stop here as I think I am dragging the thread out, but I'm just very curious about the way these network admins running these systems are able to sleep at night! As was said, I don't think just crossing your fingers is enough.

    No, it is not. But you can also drive yourself mad just trying to cover all the "what if" scenarios.

    Quote Originally Posted by SBerry
    So from what I've learned from this is that I must always be on my toes. To be a better admin I must keep track of possible vulnerabilities, especially if I am running the show at a major company. I must ensure that I have a network that implements some form of IDS/IPS and has other security procedures to limit access... just to name a few.

    You have to look at what is reasonable and draw the line there.

    Quote Originally Posted by SBerry
    And I must understand that Sh*t happens.

    Absolutely. Sometimes, despite our best intentions and planning, some things are not within our control.
    Thorn
    Stop the TSA now! Boycott the airlines.

  4. #14
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535


    Quote Originally Posted by Thorn
    No, it is not. But you can also drive yourself mad just trying to cover all the "what if" scenarios.

    IMO, if you don't have meteor strike listed in your disaster plan, then you're slacking off.

  5. #15
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509


    Quote Originally Posted by streaker69
    IMO, if you don't have meteor strike listed in your disaster plan, then you're slacking off.

    That's the third one down. I rate the sun going nova as more problematic, as then the backups have to be several parsecs away.

  6. #16
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535


    Quote Originally Posted by Thorn
    That's the third one down. I rate the sun going nova as more problematic, as then the backups have to be several parsecs away.

    I hear that you can put it in the Kessel system as it's less than 12 parsecs away.

  7. #17
    Good friend of the forums
    Join Date
    Jun 2008
    Posts
    425


    Just hypothetical: what if a friend of yours found an exploit and was asking you what to do? They say it will bypass all firewalls, most hardware routers and switches won't work as they are meant to, and you can use already-made tools to directly access computers on the LAN. Would you just tell "" to go to vendors or post it on the internet?

    Yeah it sounds stupid but what are the ways

  8. #18
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535


    Quote Originally Posted by compaq
    Just hypothetical: what if a friend of yours found an exploit and was asking you what to do? They say it will bypass all firewalls, most hardware routers and switches won't work as they are meant to, and you can use already-made tools to directly access computers on the LAN. Would you just tell "" to go to vendors or post it on the internet?

    Yeah it sounds stupid but what are the ways

    The responsible thing to do would be to report it to vendors first, and then GIVE THEM REASONABLE TIME TO RESPOND. I've read about too many exploits that were released publicly because the person that found it wanted to make a name for themselves. So they contact the vendor and then release it like 3 days later.

    Plus just sending an email to the default contact page to a vendor is not a good enough way to make contact. Phone calls should be made, if you don't get an answer from the first person you talk to, start climbing the ladder in the company until someone listens to you. Releasing something to the public should be the last resort, not the second.

  9. #19
    Senior Member ShadowKill's Avatar
    Join Date
    Dec 2007
    Posts
    908


    Quote Originally Posted by streaker69
    The responsible thing to do would be to report it to vendors first, and then GIVE THEM REASONABLE TIME TO RESPOND. I've read about too many exploits that were released publicly because the person that found it wanted to make a name for themselves. So they contact the vendor and then release it like 3 days later.

    Plus just sending an email to the default contact page of a vendor is not a good enough way to make contact. Phone calls should be made; if you don't get an answer from the first person you talk to, start climbing the ladder in the company until someone listens to you. Releasing something to the public should be the last resort, not the second.

    Well put. As it stands, I have a vulnerability I discovered about two months ago and am giving the company until New Year's Eve, when I will publicly announce the vulnerability and supporting PoC code. The last thing you want is to expose a company too soon and put them and their user/customer base in jeopardy for a claim to fame. Let them know, give them ample time to fix or draw up an announcement regarding the issue(s), and then release it if you so desire. Then nobody can say you acted in haste and without regard to those affected, and you will likely get the recognition you deserve anyway.

    Also, compaq, there's a difference between an exploit and a vulnerability. An exploit is the way a vulnerability is leveraged to gain access, escalate privileges, deny service, etc. A vulnerability is simply the flaw itself, not the means to manipulate that flaw. Just some friendly FYI.

    "The goal of every man should be to continue living even after he can no longer draw breath."

    ~ShadowKill
