[Dshield] RE: so what's next?

James C. Slora, Jr. Jim.Slora at phra.com
Fri Sep 6 17:33:12 GMT 2002

Cool question - I can't help being a windbag in response.

Ellen Clary wrote:
> We've had 57 varieties of the Klez virus, SQL worms, continuing web-based
> oddities, file sharing nonsense, and the usual M$ goofups.  But nothing
> truly new for a while now.

IMO none of the newsworthy attacks have been original ideas - even Nimda was
just a combination of ideas that had already been used by others. I consider
Nimda to be not groundbreaking research, but a market-ready professionally
designed product.

<taken out of order for clarity>
> What do folks think the next major security issue will be?

We have one or two gazillion web servers that have been compromised in one
way or another since last year. Many of them are "cleaned" by simply running
anti-virus programs until the server seems OK, because rebuilding seems too
cumbersome or because the admins have no idea how bad the compromise really
is. There is probably no way to even guess at how many are rooted at any
given moment.

Customized trojans are the rage of today - what's to stop someone from
launching a Nimda-inspired web page attack from thousands of compromised
servers simultaneously?

Even if we kid ourselves that our users are less likely to fall victim to
social engineering on a hostile page, Bugtraq shows a steady stream of ideas
for delivering nasty stuff to the desktop and executing it without user
intervention. Content filtering can help, but there are always new ideas for
getting around it.

> In light of that, what should we be preparing for /
> learning about?

Everything humanly possible. But I think the first priorities are to have
the deepest possible defenses against known attack methods, to pay attention
to forums like this one, and to use your imagination (especially when
reading software bug reports).

> Just trying to stay a step ahead.

No person can ever be a step ahead. The collective time and intelligence of
the entire human race is balanced against the wits and schedule of each
admin. All we can do is anticipate the obvious, watch for the unexpected,
imagine the unimaginable, and prepare for the aftermath.

The best way to try to approach "ahead" is to concentrate on Defense in Depth
and stay clear of Firewall and Forget. No matter how good our defenses, we
are not protected.

Look for areas of complacency:
"We're safe from email viruses because we block executable attachments"
"Our firewall and router configurations block portscans"
"We filter out potentially hostile web content"
"We have completely automated our patch management"

These statements may actually mean:
"We barely look at this stuff any more. We will be hurt and shocked when
someone comes up with yet another way to bypass our protection."

OK enough pontification. I look forward to seeing specific (and hopefully
better) ideas that others might have in response to your great question.