Re: [Full-disclosure] A Botted Fortune 500 a Day
Hi Steven,
I believe security of an organisation is orthogonal to the number of
employees/users and how savvy they are. It depends more on the will
and resources to secure the network properly. Two, corporations do
have many financial incentives to make sure they are secure - if they
are doing their risk analyses properly, they can see that. So, yes I
do expect them to fare better - a lot better - than ISPs. More
comments are in-line.
On 13/04/07, Steven Adair <steven@xxxxxxxxxxxxxxxx> wrote:
> On 13/04/07, Steven Adair <steven@xxxxxxxxxxxxxxxx> wrote:
>> Is this in anyway surprising? I think we all know the answer is no.
>> Many
>> Fortune 500 companies have more employees than some ISPs have customers.
>> Should we really expect differently?
>
> Yes! Off the top of my head:
>
> 1. Corporations should have more of an economic incentive to prevent
> compromises on their internal networks. E.g. "TJX breach could cost
> company $1B" -
> http://weblog.infoworld.com/zeroday/archives/2007/04/tjx_breach_coul.html
> Now, a typical spambot will cost almost nothing compared with that,
> but the point is you don't know the extent of the compromise until
> you've examined the machines involved.
>
You list incentives but this doesn't mean I should really expect any
differently. You are also equating a compromise into TJ MAXX servers for
which details have not been given. I doubt and hope the same user that's
an account for TJ MAXX and using e-mail isn't conencted or able to get to
a server that processes credit card transactions.
A compromise is a compromise and you don't know the extent until
you've looked at everything. If one of your machines is spewing spam,
how do you know it is also not leaking confidential data to a third
party? Any compromise has the potential to be *extremely* costly.
> 2. Corporations have a lot more influence over their employee's
> behaviour than ISPs do over their customers. Customers can walk away
> to a new ISP with minimal fuss if sanctions are threatened.
Well this is true but you seem to be missing the point of the comparison.
These are large corporations with tens of thousands (some more, some less)
that are geographically dispersed across the countries. This isn't a
small shop of 50 elite IT users. This is probably like most other places
were 90% of the users can barely use Microsoft Word and Excel. Once
again.. do I expect differently? No.
There is no reason for an admin to let users compromise the company's
security. If the company cares about security, they can disable admin
rights, lock down the firewall and run an IDS.
I can buy the argument that most companies don't care sufficiently,
but this is really orthogonal to the number and experience level of
their users.
> 3. Corporations can lock down their firewalls a lot tighter than ISPs
> can. If my ISP blocked the way my employer does, I would be looking
> for a new ISP.
>
Sure they can in some instances. How would locking down a firewall stop
this e-mail from going out? Maybe you can lock down SPAM firewalls but
that doesn't stop the root cause. You have 100,000 users at a Fortune 500
company with admin access to their Windows laptops. Are you going to
block them form using the Internet and using e-mail? If not I am going to
continue to expect them to keep getting infected.
Block the infection vectors: screen email, http and ftp traffic. No
personal laptops on company networks. No admin rights as far as
possible. Monitor and react to new vectors and threats as they arise.
Yes, I would disable people's Internet access - in fact all intranet
access too. My main interaction with Cisco kit to date is shutting
down Ethernet ports and re-enabling them after the problem has been
resolved. If there's an incident, the plug gets pulled until someone
has examined the machine, and if necessary reinstalled from known good
media.
> 4. ISPs don't own the data on their customer's computers. Corps very
> much do own most of the data on their employees computers. Therefore
> they need to worry about confidentiality in a way that ISPs do not.
>
Well usually corporations not only own the data on the machines, they own
the computers themselves as well. You are equating a need and want for
protection with what would really be expected.
They have a financial incentive to look after their machines, so I do
expect them to look after them. An ISP has no such incentive to look
after their customer's machines.
> I used to look after security at a large-ish university and odd
> activity would stand out because there the baseline was largely
> 'normal' traffic. ISPs have little chance to detect 'odd' behaviour
> because everyone is doing 'odd' things. Corps should only have a very
> few 'odd' things happening on their networks and a single outgoing
> portscan or IRC session are grounds for serious concern. (Assuming IRC
> is forbidden by policy - if not, you can still profile the IRC servers
> you expect to be talking to and those you don't.) It's not hard to
> find infected machines at a corp.
>
Not sure last time you ever looked at XDCC/iroffer bots, but they can
range from 10-50% .edu hosts. Universities are ripe for the picking.
I've participated in UNISOG related lists and I know it's getting better
and just like any organization it can very from location to location. I
don't expect anything different here either.
Yes, I've seen that. Having not worked at any of those particular
university, I can't comment on their setups. We immediately pulled the
plug on the occasional bots we had on our network. (If you're allowing
personal gear onto your network you will always get a few incidents.)
There's a field in most mail programs where you can enter in an
SMTP/IMAP/Exchange address etc. This allows you to send e-mail using that
server.
Not any networks I configure. You have to be internal, or you have to
authenticate - or no email.
My favourite quote at the moment is: "there are people who will try
anything to secure their networks, except design them correctly,
control the access levels within them, segment their networks,
understand their traffic, and monitor things closely." - Marcus Ranum.
Securing a network is not a black art any more, it just requires a lot
of corporate willpower to implement a useful security policy.
cheers,
Jamie
--
Jamie Riden, CISSP / jamesr@xxxxxxxxxx / jamie@xxxxxxxxxxxxxxx
UK Honeynet Project: http://www.ukhoneynet.org/