Firewall Wizards mailing list archives

Re: Worms, Air Gaps and Responsibility


From: "Paul D. Robertson" <paul () compuwar net>
Date: Mon, 10 May 2004 15:44:03 -0400 (EDT)

On Mon, 10 May 2004, Erick Mechler wrote:

:: > I bet you'd see the same sort of behavior from worms no matter what OS the
:: > World's critical infrastructures were to run.  If they ran *NIX, you'd see
:: > more worms targeting those OSs.  There's something to be said for
:: > heterogeneous computing environments.
::
:: Funnily enough, I don't recall a Cisco IOS worm with any traction...

Last time I checked, it's also not considered a server/desktop platform :)

But they are critical infrastructure targets, and they're quite numerous-
both of them potentially making them attractive to disruptive folks.

Now, there are several possibilities as to why they're not often targeted
with automatic malcode:

1.  Lack of platform information (obscurity.)
2.  Cost of platform (availability.)
3.  Specificity of device.
4.  Limited scope of IOS images (IP only vs. Enterprise...)
5.  Killing it kills the attacker's connectivity too.

It may just be the attacker, it may be the platform, or the lack of being
a general purpose device.  Indeed, it may be a combination of all things.

There are way more Cisco devices and Linux devices than, say, Solaris devices
on the 'Net, but the sadmind worm was probably worse than Lion and Adore-
to me, that says something about platform exposure.  Windows Server 2003
also purports to split some of the RPC risk stuff out- which at least
should help things.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

