sasser virus (was Re: [unisog] student fees for cleaning.)
huba at uidaho.edu
Sat May 8 06:18:57 GMT 2004
I would suggest you do not let a bad past experience with one scanning tool
influence you so strongly against scanning at all. (With permission of
course from your upper management.) Nessus and other scanners have come a
long way. With a little experience in a test environment you can safely
scan all systems on your network--especially for the problem of the day
thereby adding a useful tool to your proactive toolbelt.
In a security world of mostly reactive the proactive things can be quite
delicious. We do WAM (whack-a-mole*) and SCAN. A SCAN report goes to
domain administrators daily including a summary sorted by worst offenders.
This tends to close the vulnerability gap quickly as departmental/domain
admins have motivation to not see their domain show up in the "Still
unpatched for MS04-XXX" list for example. Everytime we WAM someone we
generate a tracking ticket which means more time spent ensuring the system
is indeed properly taken care of, documenting this and closing said ticket.
The more people we can proactively get to not be a victim the happier
A couple other things that are tasty about narrow-focus vulnerability
scanners. You can rip through even a class B in minutes. So instead of
running a scan once a day you can run it periodically at different times
throughout the day (mid morning, lunch, mid afternoon, evening) and combine
the results for a more exhaustive picture of who is indeed vulnerable.
Scanning once a day you miss quite a few systems that over the course of a
day may be on for a portion of the time. And if someone was vulnerable at
9:00am but patched at noon now you can take them off the list prior to
generating your daily report and reduce the calls back complaining that your
scan results are bogus since they patched between your scan and the time you
sent your report out.
Huba Leidenfrost <huba at uidaho.edu>
IT Security Analyst
University of Idaho, MailStop 443155
*"I don't like WAM! I don't like WAM!" - to the tune of Monty Python's "I
Don't Like Spam!" The term WAM is a reference to the kids arcade game where
you whack the gator or mole with a batt. It starts off slow then progresses
quicker and quicker until no matter how fast your reflexes you end up
missing some of them. Our automated program to find (via ARP searches,
modem pool logs, & DHCP logs) and disable network ports as close as possible
to the edge where they are plugged in is naturally called WAM.pl. :-)
From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
On Behalf Of Peter Van Epp
Sent: Friday, May 07, 2004 2:42 PM
To: UNIversity Security Operations Group
Subject: Re: sasser virus (was Re: [unisog] student fees for cleaning.)
> Do you have any stats on the number of computers on your campus that
> were/are unpatched and vulnerable to LSASS exploits?
No. We don't scan the network looking for vunarable machines without
the owner's permission. Our experience with Nessus scans says that it
sometimes causes the machine to reboot. Therefore we will take the hit of an
infected machine getting out for a while before being detected and whacked.
The down side is we don't know how many machines out there are still
vunarable. So far that policy has worked fine. If it stops working fine I
expect we will revisit it :-).
Peter Van Epp / Operations and Technical Support Simon Fraser University,
Burnaby, B.C. Canada
unisog mailing list
unisog at lists.sans.org
More information about the unisog