Re: Definition of Zero Day Protection

[Devdas Bhagat <devdas () dvb homelinux org>]

On 09/08/04 10:29 -0700, Drew Copley wrote:
<snip>
> Unfortunately, security is usually a reactive endeavour, rather then
> proactive. (And, proactive security is typically reactive security
> dressed up so you don't feel so bad.)

Proactive security is designing your systems so that they aren't easy to
break. This includes, and is not limited to, access limitation for
services through firewalls (both the packet filtering and proxy type),
access limiting to users for services, access limiting users to specific
programs only, having strong and enforced security policies, not running
programs with holes like Internet Explorer, having up to date virus
definitions on Windows systems, properly configured bastion hosts,......

Design this into your system, implement it and then bother about the IDS
part of it to report on what was missed. If you don't have the first,
you are being too hasty in implementing the second.

As part of my definition of IDS, I include log analysers, checksumming
tools like tripwire/aide, network IDSes like snort, etc. 

Once you limit your security exposure to very few services, then you can
know what kind of attacks to deal with most of the time. There is no
silver bullet though.

A new exploit method is a very rare event. It is usually the same
methods exploiting various similar holes at different locations in the
programs. 

A true zero day exploit detection tool would catch a new class of exploit
and take some action on it. A useful tool would flag certain types of
traffic as suspicious.

> These things are not security hype. Neither is protection from them. 

0 day exploits are not as bad as they appear to be. They are extremely
rare, but they represent the extreme edge of the unknown. "An attack that
you do not know about cannot be prevented" is what is so scary about the
0 day exploit. Instead if we consider that having a good security
design and and a good implementation of that design prevent most of
those attacks, the risk evaluation can be done much better.

(No, I do not believe that mere packet filtering firewalls are a good
design by themselves. They cut out the noise, but they should not be the
only components of your firewall).

> If a single bugfinder goes "rogue", you will see these kinds of attacks.
> Likely, as bugfinders tend to be somewhat rogue in the firstplace, there
> are a lot more going on then we already know about. And, there is an
> increasing number of qualified bugfinders. 
>
> This trend will inevitably increase.
>
> So, no, it is not marketing hype, and yes, it should be a concern. It
> should be more of an immediate concern for military and financial
> institutions, as they tend to have more valuable data and are the first
> targets for most attackers. However, anyone with a credit card database
> or serious corporate secrets is a possible target.

Actually, anyone is a serious target. A new exploit method for Internet
Explorer combined with a Javascript bug for Outlook Express will be a
very tempting target for spammers/scammers/people in the business of
selling zombie networks.

Where we go wrong is in looking at the low volume high margin clientele
as zero day exploit targets. The deadliest attack would be one that
gains control over all those unpatched Windows systems and then uses
them to launch further attacks.

Devdas Bhagat

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------