Educause Security Discussion mailing list archives
Re: Vulnerability Scanning Problem
From: Curt Wilson <curtw () SIU EDU>
Date: Fri, 15 Dec 2006 15:18:02 -0600
Hi Russell & all, I'm mutating this topic into other areas, all good discussion IMHO, but I will in the future try to not do this as it makes the threads stack pretty high. Comments in-line.

Russell Fulton wrote:
<snip>
> I'm guessing that most of us would agree that current anti-virus systems are now an inadequate defence with the worst threats mutating every day (do they actually monitor VirusTotal to decide when it's time to release a new variant?).
In addition to rootkits, it seems that the various packers make it a lot harder. I've seen various packers that one particular commercial AV misses almost every single time I've checked. Thankfully other options exist. I am not here to evangelize for any vendor, but my own use of VirusTotal shows me that BitDefender seems to catch more malware than anything else. I've not used it in a production environment so I don't know any other details. Your thoughts appreciated.

> We are now reduced to using snort to detect infected machines connecting to controllers.
This is great as long as the controllers are known or in the clear, using known command sets. Kudos to the Bleeding Edge Threats team for their snort signatures that help detect fresh malware and botnets. I'd imagine that more targeted and more serious malware attacks are utilizing covert channels for C&C that are going to be nearly impossible to detect in many .edu circumstances, once the bar rises enough for the garden variety botmaster to start using such techniques. To move past the limitations of NIDS, I figure that some HIDS agents could monitor traffic in the clear before it reaches the encryption layer (maybe some do this already?) and be able to grep for known C&C's or suspicious patterns. Anyone using HIDS in such a manner? I'd enjoy learning more about your experiences, on or off-list as appropriate.

> Preventing malware from getting privilege to install a root kit is *very* important since once the root kit is in place your A-V software is useless -- even if it hasn't been disabled already.
If we could just convince most users to use a limited account (hah), we'd see much less of this from client-side attacks, until the malware evolves enough to realize that there may be valuable data and access within the context of that user's (non-administrative) security authority. I'll bet that targeted attacks are already doing this, but I've not heard much about it. Even if the malware/attacker can't add something to system startup, it may very well be that access to what's currently in memory or accessible in that active session is the target. I think there were some discussions on the DailyDave list about this a while back, and how hard it would be to find a memory-resident attack tool that was only used once after the system had been booted. I suppose you could potentially search the pagefile in some cases. Even the public Metasploit Meterpreter is designed to run in memory if I recall correctly. I can only imagine the covert tools that must exist. However, I'm getting even further off-topic here and deep into my security tunnel vision.
>> I don't like the idea of having common authentication credentials on an array of systems for deeper host checks by a network assessment service (risk of cracking and/or interception),
>
> Many organisations already have AD with domain access to workstations for remote maintenance. I really don't see any other way to manage thousands of machines. There certainly is potential for abuse but the alternative of having poorly managed systems seems to be an even greater risk.

Good point.
> Having tools that get patches onto systems quickly is probably the best way to mitigate privilege escalation attacks following client compromises.
Are you, or other .edu types, actively seeing compromise followed by priv escalation attacks? Can't drop a rootkit without root/LocalSystem/Administrator (or equivalent)! We all know they exist, but I'm not hearing a lot about them used in the wild for Windows systems. Clearly the various Linux kernel exploits that have come out in the last few years fit the bill, but I'm not seeing as much for Windows. DebPloit a few years ago, and maybe a couple of others, but I've not heard of them being bundled into active malware such as a bot.

> Network scanning can help here too since if you detect that one recent patch is missing then it is a prompt for the administrator to check why it is missing and, in fixing it, also make sure that any other missing patches are applied.
It's a good thing for the ease of Microsoft updates, but 3rd-party client updates are not so easy... Flash, Java, QuickTime, etc. sometimes are overlooked. We are working on educating our people about the importance of client-side patching as well.
> To this end I run nxscan over the whole network twice every week and every time I pick up a handful of machines, some are new boxes that have been installed but not patched, some are visitors' laptops, some are machines that have been sitting in the storeroom for a few months...
nxscan is a very useful tool. I even know of a place that runs it every hour ;)
> We are also playing with NAC in this sphere and we have locally built client software that we use for network access on student systems which we plan to roll out to staff next year. Ideally the commercial NAC and our local software can be integrated.
I'm familiar with Cisco's NAC/Clean Access and have read about a few other NAC offerings. I suppose this is yet another topic for further discussion.

<snip>

--
Curt Wilson
IT Network Security Officer
Southern Illinois University Carbondale
618-453-6237
GnuPG key: http://www.infotech.siu.edu/security/curtw.pub.asc
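A small host-side matcher in the spirit of the HIDS idea raised in the message above (inspect outbound payloads before they reach the encryption layer, with the sending process as extra context a NIDS lacks), as an added example that is not part of the original thread. The signatures, process names and sample payloads are constructed for illustration and are not real Bleeding Edge Threats rules.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    sid: int
    msg: str
    pattern: re.Pattern  # applied to the plaintext payload, before any TLS

# Constructed signatures, loosely modelled on Snort "content" rules.
SIGNATURES = (
    Signature(1000001, "IRC JOIN in outbound payload", re.compile(rb"^JOIN #\S+", re.M)),
    Signature(1000002, "IRC NICK in outbound payload", re.compile(rb"^NICK \S+", re.M)),
    Signature(1000003, "HTTP request with bare numeric User-Agent",
              re.compile(rb"^User-Agent: \d+\r?$", re.M | re.I)),
)

# Host context a NIDS lacks: processes expected to speak IRC (constructed list).
KNOWN_IRC_CLIENTS = {"xchat.exe", "mirc.exe"}

def inspect_payload(process, dst_port, payload):
    """Match one outbound write (process image, dest port, plaintext bytes)
    against SIGNATURES; IRC hits from a known IRC client on 6667 are dropped."""
    alerts = []
    for sig in SIGNATURES:
        if not sig.pattern.search(payload):
            continue
        if sig.msg.startswith("IRC") and process in KNOWN_IRC_CLIENTS and dst_port == 6667:
            continue
        alerts.append((sig.sid, sig.msg))
    return alerts

def scan_events(events):
    """Return {process: [(sid, msg), ...]} for processes that triggered anything."""
    hits = {}
    for process, dst_port, payload in events:
        alerts = inspect_payload(process, dst_port, payload)
        if alerts:
            hits.setdefault(process, []).extend(alerts)
    return hits

# Constructed events: a real IRC client, an unknown process speaking IRC to a
# controller on 443 (a NIDS sees only TLS there) and beaconing over HTTP, a browser.
SAMPLE_EVENTS = [
    ("xchat.exe", 6667, b"NICK alice\r\nJOIN #linux\r\n"),
    ("svchost32.exe", 443, b"NICK [US|XP]4421\r\nJOIN #bot-cmd\r\n"),
    ("svchost32.exe", 80, b"GET /cmd.php HTTP/1.1\r\nHost: c2.invalid\r\nUser-Agent: 1\r\n\r\n"),
    ("firefox.exe", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
]
```

Running `scan_events(SAMPLE_EVENTS)` flags only the unknown process; the same IRC strings from the known client on the IRC port produce nothing, which is the kind of per-process suppression a host agent can apply and a network sensor cannot.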