[Dshield] Secure computing (was: Port 135)

Russell Washington russ.washington at vaultsentry.com
Tue Oct 29 21:39:08 GMT 2002


> If it's internal, the person is more likely to make a
> minor change or steal some data and not do anything
> else that would be noticed.  If it's external, they are
> less likely to stop at something minor and difficult
> to detect.  

I see your point but I'm not sure I concur.  With regard to the external
hackers, you're describing the behavior of the types that are into big,
splashy, obvious behavior.  Not all external hackers are into this kind of
work.  In fact, I'm more concerned with the folks that are doing something a
little more intelligent; something like putting a keyboard logger on a box
or a sniffer process to snatch more data from the wire without screaming "YO
NETWORK ADMIN I HAVE CONTROL OF YOUR BOX WANT TO COME SEE???" :)

The guys who put "SITE HAXX0R3D BY Y0 M@MA" in 72-point bright red bold on
the corporate website are *not* the ones I'm locking down against with the
firewall.  It's the guys who are going to make my org's life miserable
through intelligence gathering for substantially more nefarious purposes.
Those guys will make themselves hard to detect intentionally and you'll have
a tough time finding them.

I guess the upshot is that I don't see a firewall as being a defense against
only *certain* kinds of attacks (high-profile obvious-damage).  I see it as
being a defense against anything I can use it to defend against,
high-profile or stealth.  In the case of a stealth attack, once they're in,
you're in bad shape whether they're internal or external.  Maybe tweaking a
byte in a data file (internal hacker) is more subtle than running a new
process (external hacker) but I still have to be on the hunt and freaked out
to look for anything at *either* level.  Figuring most netadmins are in the
same bind, I would imagine that limiting the pure number of hackers who
could get that far would be the most advisable strategy, without regard to
whether they're internal or external.

One point implicit in what you're getting at is the whole "false sense of
security provided by a firewall" thing.  If you had no firewall you would
effectively be forced to better secure the then-unprotected boxes.  But
dang, what a ride... :)

-----Original Message-----
From: Lauro, John [mailto:jlauro at umflint.edu] 
Sent: Tuesday, October 29, 2002 11:27 AM
To: list at dshield.org
Subject: RE: [Dshield] Secure computing (was: Port 135)


> > A hack from the outside will often be easier to detect
> > and less likely to alter sensitive data, compared to
> > if someone internally hacks you.
> 
> Ummm.... How is that?  Unless you're running Tripwire or something
> similar, you have to go manually dig up compromised data and *notice*
> that something is off.  This applies whether the hacker was inside or
> outside.  I think I sort of get what you're saying, but can you clarify
> for the sake of the discussion?

If it's internal, the person is more likely to make a minor change or steal
some data and not do anything else that would be noticed.  If it's external,
they are less likely to stop at something minor and difficult to detect.
They might let it sit for a number of months to see if anyone has noticed
them, but they will not leave it untouched (assuming the attack was at a
random target and not directed at your site specifically).  An external
intruder will either make very visible changes (deface web site, etc...), or
they will turn the machine into a warez server, or join a DDOS network, all
of which will produce something large enough that is more easily noticeable.


> And what do you do about the raw volume of successful attacks you may be
> exposing yourself to without a firewall vs. with?

According to the vendors, their products are secure...  So there
should not be that many successful attacks.  ;)    (I did say I
recommended this, just as something to think about).

I am just saying...  A person breaking in from the inside could cause far
more subtle damage than a person from the outside would do.

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list