[unisog] AV for MACS - Additional Info as requested - THANKS

Jim Dillon Jim.Dillon at cusys.edu
Tue Dec 7 19:01:01 GMT 2004

Groan. Thanks to Richard for the deeper look.  Looks like a duck, smells like a duck, and me with feathers in my mouth!  

I had so hoped for a better basis than that - the SBS and Linux numbers had be thinking there was more here.  I'm constantly fighting the perception that the only thing attacked is Win (which is obviously) and that I can buy my alternate OS and forget about any security responsibilities that I was perhaps too hopeful this would be the telling study.  I'm always arguing that an alternative OS isn't a bad idea, but you still need the basics - access control, monitoring, thoughtful handling and disposal practices, the stuff that at least beats the top 20 lists.  I keep and pigeon hole all the SANS announcements on new bugs hitting OSs other than Win, and I was really hoping, perhaps too much, that this test would pan out with real data that could be influential.

I find that people who think their box is secure (I've got a firewall! or I've got a <name your alternative system>) tend to give up on good practice, especially monitoring, detective types of things, and simple everyday precautions such as logging off, using reasonable passwords, and they tend to ignore campus policies as "not applicable" due to this reasoning.  Hopefully anyone on this list can see that isn't sound thinking, but I'm still hoping for more strong data to help.

Since this one looks like it isn't going to fit the bill, anyone else have something you've found convincing and successful?  Send me off list, I've burned my quota here for a while.

Thanks to Steven for the named list of multi-path infectors, that's very helpful.  Thanks also to Karl for a sound and reasoned response to the cost-benefit question.  I still think it is a little to narrow sighted - sensitive data breaches need to fit into that cost benefit question, and no matter where they occur (small shop in the dungeon of the U), the end total cost to the U has been a $million or more in the few cases I've studied, and the platform hasn't mattered.  Thanks for the feedback.


-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org]On Behalf Of Richard Godbee
Sent: Tuesday, December 07, 2004 7:16 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] AV for MACS - Additional Info as requested

On Dec 6, 2004, at 2:55 PM, Jim Dillon wrote:

> http://www.usatoday.com/tech/news/computersecurity/hacking/2004-11-29- 
> honeypot_x.htm

The following PDF has more information than the press release and USA  
Today story:

Things that bothered me about their report:

- They never defined what they considered an attack.
- All of the Windows systems in their test were configured with an  
account with Administrator privileges and a password of "password".
- They claim "Windows XP SP1 does not include an integrated firewall  
application ..."
- They claim OS X survived because all of the attacks were  
Windows-specific.  It is further implied that the OS X machine would  
have been "very vulnerable" if someone had just bothered to write an  
exploit or two.  (It couldn't be that OS X has almost no programs  
listening on external interfaces out of the box!  No way!)
- Avantgarde is a marketing company, and various articles found with  
Google imply Zone Labs had a hand in the study.  By the end of the  
report, I felt like I was reading a vendor-supplied white-paper about  
personal firewall software.  (Must ... buy ... firewall ... software  
... *drool*)

Richard Godbee, Unix Systems Administrator
Department of Geosciences, Virginia Tech
4044 Derring Hall (0420), Blacksburg, VA 24061
rwg at vt.edu / +1.540.231.7002 / +1.540.231.3386 (FAX)

unisog mailing list
unisog at lists.sans.org

More information about the unisog mailing list