Educause Security Discussion mailing list archives

Re: Vulnerability Scanning Problem


From: Curt Wilson <curtw () SIU EDU>
Date: Fri, 15 Dec 2006 15:18:02 -0600

Hi Russell & all,

I'm mutating this topic into other areas, all good discussion IMHO, but
I will in the future try to not do this as it makes the threads stack
pretty high.

comments in-line

Russell Fulton wrote:
<snip>

> I'm guessing that most of us would agree that current anti-virus systems
> are now an inadequate defence with the worst threats mutating every day (do
> they actually monitor VirusTotal to decide when it's time to release a
> new variant?).

In addition to rootkits, it seems that the various packers make it a lot
harder. I've seen various packers that one particular commercial AV
misses almost every single time I've checked. Thankfully other options
exist. I am not here to evangelize for any vendor, but my own use of
VirusTotal shows me that BitDefender seems to catch more malware than
anything else. I've not used it in a production environment so I don't
know any other details. Your thoughts appreciated.


> We are now reduced to using snort to detect infected
> machines connecting to controllers.

This is great as long as the controllers are known or in the clear,
using known command sets. Kudos to the Bleeding Edge Threats team for
their snort signatures that help detect fresh malware and botnets. I'd
imagine that more targeted and more serious malware attacks are
utilizing covert channels for C&C that are going to be nearly impossible
to detect in many .edu circumstances, once the bar rises enough for the
garden-variety botmaster to start using such techniques.

To move past the limitations of NIDS, I figure that some HIDS agents
could monitor traffic in the clear before it reaches the encryption
layer (maybe some do this already?) and be able to grep for known C&Cs
or suspicious patterns. Anyone using HIDS in such a manner? I'd enjoy
learning more about your experiences, on or off-list as appropriate.


> Preventing malware from getting
> privilege to install a root kit is *very* important since once the root
> kit is in place your A-V software is useless -- even if it hasn't been
> disabled already.

If we could just convince most users to use a limited account (hah),
we'd see much less of this from client-side attacks, until the malware
evolves enough to realize that there may be valuable data and access
within the context of that user's (non-administrative) security
authority. I'll bet that targeted attacks are already doing this, but
I've not heard much about it. Even if the malware/attacker can't add
something to system startup, it may very well be that access to what's
currently in memory or accessible in that active session is the target.
I think there were some discussions on the DailyDave list about this a
while back, and how hard it would be to find a memory-resident attack
tool that was only used once after the system had been booted. I suppose
you could potentially search the pagefile in some cases. Even the public
Metasploit Meterpreter is designed to run in memory if I recall
correctly. I can only imagine the covert tools that must exist. However,
I'm getting even further off-topic here and deep into my security tunnel
vision.


>> I don't like the idea of having common authentication credentials on an
>> array of systems for deeper host checks by a network assessment service
>> (risk of cracking and/or interception),
> Many organisations already have AD with domain access to workstations
> for remote maintenance. I really don't see any other way to manage
> thousands of machines. There certainly is potential for abuse but the
> alternative of having poorly managed systems seems to be an even greater
> risk.

good point.


> Having tools that get patches on to systems quickly is probably the best
> way to mitigate privilege escalation attacks following client
> compromises.

Are you, or other .edu types, actively seeing compromise followed by priv
escalation attacks? Can't drop a rootkit without
root/LocalSystem/Administrator (or equivalent)! We all know they exist,
but I'm not hearing a lot about them used in the wild for Windows
systems. Clearly the various Linux kernel exploits that have come out in
the last few years fit the bill, but I'm not seeing as much for Windows.
DebPloit a few years ago, and maybe a couple of others, but I've not
heard of them being bundled into active malware such as a bot.


> Network scanning can help here too since if you detect
> that one recent patch is missing then it is a prompt for the
> administrator to check why it is missing and, in fixing it, also
> make sure that any other missing patches are applied.

It's a good thing for the ease of Microsoft updates, but third-party client
updates are not so easy... Flash, Java, QuickTime, etc. sometimes are
overlooked. We are working on educating our people about the importance
of client-side patching as well.


> To this end I run nxscan over the whole network twice every week and
> every time I pick up a handful of machines, some are new boxes that
> have been installed but not patched, some are visitors' laptops, some
> are machines that have been sitting in the storeroom for a few months...


nxscan is a very useful tool. I even know of a place that runs it every
hour ;)


> We are also playing with NAC in this sphere and we have locally built
> client software that we use for network access on student systems which
> we plan to roll out to staff next year. Ideally the commercial NAC and
> our local software can be integrated.

I'm familiar with Cisco's NAC/Clean Access and have read about a few
other NAC offerings. I suppose this is yet another topic for further
discussion.

<snip>

--
Curt Wilson
IT Network Security Officer
Southern Illinois University Carbondale
618-453-6237

GnuPG key: http://www.infotech.siu.edu/security/curtw.pub.asc
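The signature-based NIDS approach Russell and Curt discuss above (flagging internal hosts that connect to known controllers, or that send bot commands in the clear), as an added example that is not part of the original thread or of Snort: a small Python detector that runs a constructed rule set over constructed connection-log lines and reports which internal hosts matched. The log format, the controller address/port pairs, the command pattern and the host addresses are all made up for the illustration; the point is how such rules are applied and why the clear-text command rule goes quiet once the channel is encrypted.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed rule set (placeholders in documentation address ranges, not
# real indicators): controller address/port pairs, the way a NIDS rule
# file would carry "known controllers".
KNOWN_CONTROLLERS = {
    ("198.51.100.23", 6667),   # constructed
    ("203.0.113.9", 8080),     # constructed
}

# Constructed clear-text command pattern: an IRC-style PRIVMSG whose text
# starts with a "!" or "." bot command. This only fires while the channel
# is unencrypted, which is exactly the limitation discussed above.
CLEARTEXT_CMD = re.compile(r"PRIVMSG\s+\S+\s+:[.!][a-z]+", re.IGNORECASE)

# Constructed one-line-per-connection log format (hypothetical, not a
# real sensor's output): "<ts> <src>:<sport> -> <dst>:<dport> payload=<text>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) payload=(?P<payload>.*)$"
)


@dataclass
class Alert:
    src: str
    dst: str
    dport: int
    reason: str


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "payload": m.group("payload"),
    }


def check(event):
    """Return the list of rule names that match a parsed event."""
    reasons = []
    if (event["dst"], event["dport"]) in KNOWN_CONTROLLERS:
        reasons.append("known controller")
    if CLEARTEXT_CMD.search(event["payload"]):
        reasons.append("clear-text bot command")
    return reasons


def scan(lines):
    """Run every rule over every line; return alerts keyed by internal source host."""
    alerts = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip junk rather than crash the sweep
        for reason in check(ev):
            alerts[ev["src"]].append(Alert(ev["src"], ev["dst"], ev["dport"], reason))
    return dict(alerts)


# Constructed sample log: one host talking to a listed controller and sending
# a clear-text command, one encrypted session (no visibility), one benign IRC
# session to an unlisted server, and one garbage line.
SAMPLE_LOG = [
    "2006-12-15T15:00:01 10.1.2.3:51000 -> 198.51.100.23:6667 payload=NICK lab-pc-17",
    "2006-12-15T15:00:02 10.1.2.3:51000 -> 198.51.100.23:6667 payload=PRIVMSG #ch :!status",
    "2006-12-15T15:00:05 10.1.2.4:51001 -> 192.0.2.50:443 payload=<tls>",
    "2006-12-15T15:00:09 10.1.2.5:51002 -> 192.0.2.77:6667 payload=PRIVMSG #ops :hello",
    "garbage line",
]

if __name__ == "__main__":
    for host, hits in scan(SAMPLE_LOG).items():
        for a in hits:
            print(f"{host} -> {a.dst}:{a.dport}  [{a.reason}]")
```

Note that the encrypted session on port 443 produces nothing even though it might be the more interesting one; that is the gap Curt's HIDS suggestion (inspecting traffic before it reaches the encryption layer) is meant to close.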
