Re: [Full-disclosure] A Botted Fortune 500 a Day
Just to add my two cents...
The fact is that the cost in damages of a single compromise is usually far
greater than the cost of implementing and maintaining good security. TJX is
a golden example of that.
On 4/13/07 11:05 AM, "Jamie Riden" <jamie.riden@xxxxxxxxx> wrote:
> Hi Steven,
>
> I believe security of an organisation is orthogonal to the number of
> employees/users and how savvy they are. It depends more on the will
> and resources to secure the network properly. Two, corporations do
> have many financial incentives to make sure they are secure - if they
> are doing their risk analyses properly, they can see that. So, yes, I
> do expect them to fare better - a lot better - than ISPs. More
> comments are in-line.
>
> On 13/04/07, Steven Adair <steven@xxxxxxxxxxxxxxxx> wrote:
>>> On 13/04/07, Steven Adair <steven@xxxxxxxxxxxxxxxx> wrote:
>>>> Is this in any way surprising? I think we all know the answer is no.
>>>> Many Fortune 500 companies have more employees than some ISPs have
>>>> customers. Should we really expect differently?
>>>
>>> Yes! Off the top of my head:
>>>
>>> 1. Corporations should have more of an economic incentive to prevent
>>> compromises on their internal networks. E.g. "TJX breach could cost
>>> company $1B" -
>>> http://weblog.infoworld.com/zeroday/archives/2007/04/tjx_breach_coul.html
>>> Now, a typical spambot will cost almost nothing compared with that,
>>> but the point is you don't know the extent of the compromise until
>>> you've examined the machines involved.
>>>
>>
>> You list incentives but this doesn't mean I should really expect any
>> differently. You are also equating this to a compromise of TJ MAXX servers,
>> for which details have not been given. I doubt and hope the same user that
>> has an account at TJ MAXX and uses e-mail isn't connected or able to get to
>> a server that processes credit card transactions.
>
> A compromise is a compromise and you don't know the extent until
> you've looked at everything. If one of your machines is spewing spam,
> how do you know it is also not leaking confidential data to a third
> party? Any compromise has the potential to be *extremely* costly.
>
>>> 2. Corporations have a lot more influence over their employees'
>>> behaviour than ISPs do over their customers. Customers can walk away
>>> to a new ISP with minimal fuss if sanctions are threatened.
>>
>> Well this is true but you seem to be missing the point of the comparison.
>> These are large corporations with tens of thousands of users (some more,
>> some less) who are geographically dispersed across the country. This isn't
>> a small shop of 50 elite IT users. This is probably like most other places
>> where 90% of the users can barely use Microsoft Word and Excel. Once
>> again.. do I expect differently? No.
>
> There is no reason for an admin to let users compromise the company's
> security. If the company cares about security, they can disable admin
> rights, lock down the firewall and run an IDS.
>
> I can buy the argument that most companies don't care sufficiently,
> but this is really orthogonal to the number and experience level of
> their users.
>
>>> 3. Corporations can lock down their firewalls a lot tighter than ISPs
>>> can. If my ISP blocked the way my employer does, I would be looking
>>> for a new ISP.
>>>
>>
>> Sure they can in some instances. How would locking down a firewall stop
>> this e-mail from going out? Maybe you can lock down SPAM firewalls but
>> that doesn't stop the root cause. You have 100,000 users at a Fortune 500
>> company with admin access to their Windows laptops. Are you going to
>> block them from using the Internet and using e-mail? If not I am going to
>> continue to expect them to keep getting infected.
>
> Block the infection vectors: screen email, http and ftp traffic. No
> personal laptops on company networks. No admin rights as far as
> possible. Monitor and react to new vectors and threats as they arise.
>
> Yes, I would disable people's Internet access - in fact all intranet
> access too. My main interaction with Cisco kit to date is shutting
> down Ethernet ports and re-enabling them after the problem has been
> resolved. If there's an incident, the plug gets pulled until someone
> has examined the machine, and if necessary reinstalled from known good
> media.
>
>>> 4. ISPs don't own the data on their customers' computers. Corps very
>>> much do own most of the data on their employees' computers. Therefore
>>> they need to worry about confidentiality in a way that ISPs do not.
>>>
>>
>> Well usually corporations not only own the data on the machines, they own
>> the computers themselves as well. You are equating a need and want for
>> protection with what would really be expected.
>
> They have a financial incentive to look after their machines, so I do
> expect them to look after them. An ISP has no such incentive to look
> after their customers' machines.
>
>>> I used to look after security at a large-ish university and odd
>>> activity would stand out because there the baseline was largely
>>> 'normal' traffic. ISPs have little chance to detect 'odd' behaviour
>>> because everyone is doing 'odd' things. Corps should only have a very
>>> few 'odd' things happening on their networks and a single outgoing
>>> portscan or IRC session are grounds for serious concern. (Assuming IRC
>>> is forbidden by policy - if not, you can still profile the IRC servers
>>> you expect to be talking to and those you don't.) It's not hard to
>>> find infected machines at a corp.
>>>
>>
>> Not sure when you last looked at XDCC/iroffer bots, but they can
>> range from 10-50% .edu hosts. Universities are ripe for the picking.
>> I've participated in UNISOG related lists and I know it's getting better
>> and just like any organization it can vary from location to location. I
>> don't expect anything different here either.
>
> Yes, I've seen that. Having not worked at any of those particular
> universities, I can't comment on their setups. We immediately pulled the
> plug on the occasional bots we had on our network. (If you're allowing
> personal gear onto your network you will always get a few incidents.)
>
>> There's a field in most mail programs where you can enter in an
>> SMTP/IMAP/Exchange address etc. This allows you to send e-mail using that
>> server.
>
> Not any networks I configure. You have to be internal, or you have to
> authenticate - or no email.
>
> My favourite quote at the moment is: "there are people who will try
> anything to secure their networks, except design them correctly,
> control the access levels within them, segment their networks,
> understand their traffic, and monitor things closely." - Marcus Ranum.
> Securing a network is not a black art any more, it just requires a lot
> of corporate willpower to implement a useful security policy.
>
> cheers,
> Jamie
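Jamie's argument rests on a corporate network having a baseline quiet enough that a single outgoing portscan, an IRC session to a server you have not profiled, or a workstation speaking SMTP directly to the Internet stands out. The following is an added example, not code from anyone in this thread, of what that baseline check looks like in Python over outbound connection records. The log format (ISO timestamp, source, destination, destination port, protocol), the addresses, the allowed IRC server, the mail relay and the portscan thresholds are all assumptions constructed for the example; the sample log is made up, not captured traffic.

```python
"""Flag 'odd' outbound behaviour against a corporate baseline (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# --- Policy (all assumed for this example) ---------------------------------
IRC_PORTS = {6667, 6697}
EXPECTED_IRC_SERVERS = {"198.51.100.7"}   # the one IRC server policy permits
MAIL_RELAYS = {"10.1.0.25"}               # only host allowed to speak SMTP outbound
SCAN_DISTINCT_PORTS = 10                  # distinct dports to one host ...
SCAN_WINDOW = timedelta(seconds=60)       # ... within this window = portscan


@dataclass(frozen=True)
class Conn:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str


def parse_log(text):
    """Parse 'ISO-time src dst dport proto' lines; '#' starts a comment."""
    conns = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ts, src, dst, dport, proto = line.split()
        conns.append(Conn(datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return conns


def detect(conns):
    """Return (kind, src, detail) alerts for the three deviations discussed."""
    alerts = []
    for c in conns:
        # IRC to anything other than the profiled server.
        if c.proto == "tcp" and c.dport in IRC_PORTS and c.dst not in EXPECTED_IRC_SERVERS:
            alerts.append(("irc-unexpected", c.src, f"{c.dst}:{c.dport}"))
        # Direct outbound SMTP from a host that is not the mail relay (spambot pattern).
        if c.proto == "tcp" and c.dport == 25 and c.src not in MAIL_RELAYS:
            alerts.append(("smtp-direct", c.src, c.dst))

    # Portscan: many distinct ports to one destination inside a sliding window.
    by_pair = defaultdict(list)
    for c in sorted(conns, key=lambda c: c.ts):
        by_pair[(c.src, c.dst)].append(c)
    for (src, dst), seq in by_pair.items():
        in_window = {}  # dport -> count of hits currently inside the window
        lo = 0
        for c in seq:
            in_window[c.dport] = in_window.get(c.dport, 0) + 1
            while c.ts - seq[lo].ts > SCAN_WINDOW:   # slide the left edge forward
                old = seq[lo].dport
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            if len(in_window) >= SCAN_DISTINCT_PORTS:
                alerts.append(("portscan", src,
                               f"{dst} {len(in_window)} ports in {SCAN_WINDOW.seconds}s"))
                break   # one alert per (src, dst) pair is enough
    return alerts


# --- Constructed sample log (not real traffic) -----------------------------
SAMPLE_LOG = """
2007-04-13T10:00:01 10.1.2.3 192.0.2.10 80 tcp        # ordinary web traffic
2007-04-13T10:00:02 10.1.2.3 198.51.100.7 6667 tcp    # IRC to the profiled server: fine
2007-04-13T10:00:03 10.1.2.4 203.0.113.5 6667 tcp     # IRC to an unknown server: alert
2007-04-13T10:00:10 10.1.7.7 203.0.113.80 25 tcp      # workstation talking SMTP: alert
2007-04-13T10:00:11 10.1.0.25 203.0.113.80 25 tcp     # the mail relay: fine
""" + "\n".join(
    f"2007-04-13T10:01:{i:02d} 10.1.9.9 203.0.113.50 {p} tcp"   # one host walking ports
    for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445])
)


def run_sample():
    """Run the detector over the constructed log."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, src, detail in run_sample():
        print(f"{kind:15s} {src:12s} {detail}")
```

The three detectors are deliberately simple allow-list and threshold checks: on an ISP's network they would fire constantly, which is Jamie's point about why the same traffic is meaningful inside a corporation. Note that 10.1.9.9 is also caught by the SMTP rule for its single hit on port 25, so tuning the relay list and thresholds to your own environment is part of the exercise, not a detail to skip.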