
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-07-24



AV Diversification, Next Generation Network Defense

Published: 2004-07-24
Last Updated: 2004-07-24 22:57:29 UTC
by Dave Brookshire (Version: 1)
0 comment(s)
Anti-Virus Protection Through Diversification, Handler Soap Box

An important maxim is "Defense In-depth," or protecting your assets through multiple layers of security mechanisms. A key part of this strategy should also include "Defense Through Diversification," not relying on the components from any single vendor in these different layers.

In this age of zero-day virus infections that spread rapidly across the Internet, relying on a single anti-virus application to protect your entire enterprise may leave you exposed to threats that the vendor's products cannot yet detect.

Gary Robinson, of 2Wise Guys PC Repair, e-mailed the Handlers today with just such a situation, where a virus was not detected by Norton Anti-Virus, but was successfully quarantined by Grisoft's AVG.

A comprehensive, in-depth and diversified anti-virus solution could employ one anti-virus product on the e-mail server or gateway and a different product on users' workstations. Going further, a network-based content filter could be deployed at the network border. By layering these pieces from different companies, your odds of successfully detecting and managing a new infection increase significantly.

Next Generation Network Defense

Scott Weil, the director of the SANS Local Mentor Program, had an opportunity to meet with about 40 students from a Midwest math and science academy on Friday to discuss network security. The students ranged in age from 10 to 15 years old.

Prior to beginning his talk on ways that kids can surf safely online, Scott divided the room into two groups. One group was told to design an attack on the school's network; the other group was told to defend against an attack. After discussing it for a few moments, each group was asked to explain to Scott and the rest of the students what they had decided.

The level of understanding at this age is shocking. Briefly, here is what each group said they would do.

Attacking group:

- Map the network to find the computers
- Map the connections
- Understand the details of the OS; they all said they hoped the OS was Windows, because they were going to research all known vulnerabilities of Windows to plan the attack
- Attack the network by installing a virus via a memory stick onto a node of the network, and then engineer a denial of service attack via spam emails
- Disable antivirus software on the network, although they didn't say how


Defending group:

- Use Macs, because their Unix-based operating system was more secure than Windows
- Make sure their anti-virus software was well tuned and current
- Monitor the firewall for any unusual activity
- Install a network tracker to document any illegal activities, and then call in local law enforcement
- Make sure that they had applied the latest patches to every piece of software and hardware on their network


Each group appointed a spokesperson. The leader for the defense of the network and perimeter was a 10-year-old.

Brute Force PW Scans Submissions

The Handlers have received a number of submissions regarding Tom's request yesterday for logs of possible brute-force authentication attempts against SSH. Thanks to all those who have responded. Please continue (or start) to check your logs for failed login attempts, and submit them to the Handlers group.

http://www.incidents.org/diary.php?date=2004-07-23
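As an added illustration of the log check requested above (this is not code from the diary or from ISC), the following script pulls failed password attempts out of sshd syslog lines and groups them by source address, so that sources with many failures stand out. The sample log lines are constructed for this example, using the message formats OpenSSH of that era wrote to /var/log/auth.log or /var/log/secure; the threshold of three failures is an arbitrary assumption.

```python
import re
from collections import Counter

# Constructed sample of sshd lines (not real submitted logs). Note the older
# OpenSSH wording "illegal user" for logins to accounts that do not exist.
SAMPLE_LOG = """\
Jul 23 02:14:07 host sshd[4821]: Failed password for root from 10.0.0.5 port 4242 ssh2
Jul 23 02:14:09 host sshd[4823]: Failed password for root from 10.0.0.5 port 4243 ssh2
Jul 23 02:14:11 host sshd[4825]: Illegal user test from 10.0.0.5
Jul 23 02:14:11 host sshd[4825]: Failed password for illegal user test from 10.0.0.5 port 4244 ssh2
Jul 23 02:14:13 host sshd[4827]: Failed password for illegal user guest from 10.0.0.5 port 4245 ssh2
Jul 23 03:01:55 host sshd[5102]: Accepted publickey for alice from 192.168.1.20 port 51234 ssh2
Jul 23 03:02:40 host sshd[5110]: Failed password for alice from 192.168.1.20 port 51240 ssh2
"""

# Matches "Failed password for [illegal|invalid user ]<name> from <ip>";
# both the older "illegal user" and the newer "invalid user" wording are accepted.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:illegal user |invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failed_logins(text):
    """Yield (source_ip, username) for every failed password line in text."""
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user")


def brute_force_sources(text, threshold=3):
    """Return {ip: (failure_count, sorted usernames tried)} for each source
    whose failed attempts reach the threshold; other sources are dropped."""
    counts = Counter()
    users = {}
    for ip, user in parse_failed_logins(text):
        counts[ip] += 1
        users.setdefault(ip, set()).add(user)
    return {ip: (n, sorted(users[ip])) for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # With a real file: brute_force_sources(open("/var/log/auth.log").read())
    for ip, (n, names) in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins, accounts tried: {', '.join(names)}")
```

Accounts that do not exist on the host (the "illegal user" lines) are a useful signal on their own, since a legitimate user rarely mistypes a username several times in a row.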

Reading Room

Last week, there was a thread on the Security Focus Firewalls list regarding egress filtering. So, your Saturday evening reading material is an oldie but a goodie. This paper was written by Chris Brenton back in February 2000; it discusses the topic and provides practical implementation examples for several different types of routers and firewalls.

Warning: clicking on this link and downloading the paper may falsely trigger some personal firewalls, because the paper contains a string that some of them mistake for a threat. You may permit the download without fear of infection.

http://www.sans.org/rr/papers/index.php?id=1059

Thread reference:

http://www.securityfocus.com/archive/129/369717/2004-07-21/2004-07-27/1
----------------------------------------------------

Handler on Duty - Dave Brookshire <dsbATrlxDOTcom>