Last Updated: 2008-07-14 13:46:58 UTC
by Lorna Hutcheson (Version: 3)
I have been asked by many people if I really believe the survival time graph on the ISC site is truly an accurate representation of how long a new system survives once connected. The answer to this is yes for most home users and systems that are internet facing. It can be longer depending on the system, what sits in front of it and what it is used for. The survival time is currently around 4 minutes for unpatched systems. That is not much time at all, and the window has shrunk over the past couple of years. If you want to do your own experiment by placing a sacrificial system out there, it's really a fun thing to do! Don't patch the system and see how long it takes before it receives its first probes and actually becomes compromised. Just make sure you monitor it and that it's not used against others. If you really want to do this, I'd advise checking out the Honeynet Project.
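If you do run such an experiment, the number you end up reporting is the gap between the moment the system came online and the first unsolicited inbound connection the firewall in front of it logged. The script below is an added illustration of that measurement and is not ISC code or part of this diary. It assumes a simple, constructed log format (an "UP" marker written when the sensor comes online, followed by netfilter-style DROP records with SRC/DST/DPT fields); the host name, timestamps and addresses are all made up for the example.

```python
"""Measure time-to-first-probe from firewall log lines.

Added example for the survival-time experiment; the log format, host name,
timestamps and IP addresses below are constructed, not from any real sensor.
"""
import re
from datetime import datetime

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample log: one "UP" marker when the sacrificial host came
# online, then inbound packets dropped by the firewall in front of it.
SAMPLE_LOG = """\
2008-07-14T12:00:00Z sensor01 UP eth0 ready
2008-07-14T12:01:37Z sensor01 DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=445
2008-07-14T12:03:02Z sensor01 DROP IN=eth0 SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP DPT=135
2008-07-14T12:04:10Z sensor01 DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=445
2008-07-14T12:15:44Z sensor01 DROP IN=eth0 SRC=192.0.2.99 DST=192.0.2.10 PROTO=TCP DPT=22
"""

# Assumed line layout: timestamp, host, then either UP or a DROP record.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>UP|DROP)(?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(text):
    """Return a list of (timestamp, action, fields) tuples; lines that do not
    match the expected layout are skipped rather than raising."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        fields = dict(FIELD_RE.findall(m.group("rest")))
        events.append((ts, m.group("action"), fields))
    return events


def _online_at(events):
    """Timestamp of the UP marker, or None if the host never reported up."""
    return next((ts for ts, action, _ in events if action == "UP"), None)


def time_to_first_probe(events):
    """Seconds from the host coming online to the first dropped inbound
    packet. Returns None when either event is missing."""
    up = _online_at(events)
    if up is None:
        return None
    for ts, action, _ in events:
        if action == "DROP" and ts >= up:
            return int((ts - up).total_seconds())
    return None


def first_probe_per_port(events):
    """Seconds after UP at which each destination port was first probed.
    This per-service breakdown is what a survival-time graph summarises."""
    up = _online_at(events)
    result = {}
    if up is None:
        return result
    for ts, action, fields in events:
        if action != "DROP" or ts < up or "DPT" not in fields:
            continue
        port = int(fields["DPT"])
        if port not in result:
            result[port] = int((ts - up).total_seconds())
    return result


def distinct_sources(events):
    """Sorted list of source addresses that sent dropped packets."""
    return sorted({f["SRC"] for _, a, f in events if a == "DROP" and "SRC" in f})


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("first probe arrived after", time_to_first_probe(ev), "seconds")
    for port, secs in sorted(first_probe_per_port(ev).items()):
        print(f"  port {port}: first probed after {secs}s")
    print("distinct probing sources:", distinct_sources(ev))
```

Note that this measures time to first probe, which is a lower bound on the figure the diary quotes: a probe is not yet a compromise, and an unpatched host may survive the first few scans before one of them succeeds. Keeping the per-port breakdown is what lets you separate background scanning of a service you do not run from probes against one you do.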
The battle, in my experience, is waged between the admins and management who want to get the system up and working and security who is saying not until it's been patched and its security posture confirmed. More than once, I've dealt with a compromise of a system that was placed on the network before it was hardened. I got the same answer every time: "We needed it working ASAP". However, more time was spent playing clean up from it than if it had just been done right the first time.
What I'm really curious about are any experiences that you have had with survival time on the internet that you can share. Please feel free to sanitize them as necessary and let us know if they can be posted. What was placed on the network and why? What was the impact, if any, to other systems? How long was the system out there before it was compromised? Also, if you have been able to use the survival time graph as a method of showing why it's important to properly secure a system first, please let us know that too.
Update 1100 UTC by Daniel Wesemann:
ISC reader Dr. Neal Krawetz deliberately exposed the management ports of several brands of cable modem / home router devices to the Internet to see if they would be compromised. Within the week that the experiment lasted, none of them were.
Thorsten Holz from the German Honeynet Project wrote a very interesting blog entry, complete with statistics and graphs, in response to this ISC diary. Read it here: http://honeyblog.org/archives/
While the survival time measured varies quite a bit across the methods used, pretty much all agree that placing an unpatched Windows computer directly onto the Internet in the hope that it downloads the patches faster than it gets exploited is a bet you wouldn't take in Vegas. Using a NAT router and a correctly configured personal firewall is the way to go - both of these measures help a lot to improve the odds in favor of your PC.