Comments on TaoSecurity Blog: Rootkits Make NSM More Relevant Than Ever
Blog author: Richard Bejtlich (http://www.blogger.com/profile/13512184196416665417)
Comment feed last updated 2023-10-16

Comment by Anonymous, 2005-09-29 13:35 -04:00

I concur with Richard, with this caveat. My experience is that signature-based systems (host and network) fail too often with both false positives and negatives. I've been focusing on statistical network anomaly detection for a while now. IDS systems like Bro or Snort/Spade, armed with detailed asset risk information, can be used to more quickly detect unauthorized behavior.

So...the terminal is eternally compromisable. Okay. The custom trojan/rootkit that can't be detected by signature mechanisms will still show up in your network session data. Hmmm...why is this box that never talks out to the internet all of a sudden transferring gigabytes at a time to a foreign IP address? Hmm...why has point-to-point DNS (or ICMP) traffic between these two hosts skyrocketed? Etc.

Also from personal experience though, advanced detection doesn't always equate to intelligent incident response.

YMMV,

Random Analyst

Comment by Anonymous, 2005-09-28 23:56 -04:00

Laptops are a huge liability and should only be given out to certain people in a company.

Comment by Anonymous, 2005-09-28 16:14 -04:00

Couple points. First of all, I think the current trend is towards mobility, and that means laptops in the enterprise. Eventually this will continue on down the "smaller and faster" continuum until PDAs and cell phones take over the office. Only after this mobility swing can we come back to grounded workers...and by then I'll agree: thin is in.

Secondly, I agree that most Windows compromises are due to lack of administrative control and bad practices. However, I sympathize with anyone in an enterprise that does not give proper or full weight to the risk of security breaches. Unless you are regulated or your reputation will be damaged very badly, most companies go the easy and dangerous route of letting users run as admin, having little software installation protection, and overall poor desktop security. The perimeter is a strong point in most networks now, the internal network is still getting attention, but the desktops...oooh those soft luscious desktops....

Combine both points 1 and 2, and you have a formula that explains why I don't sleep some nights. :) (We have many laptops and are getting more every week...and we just can't get people to accept more security.)

-LonerVamp

Comment by Anonymous, 2005-09-28 14:44 -04:00

"In reality the battle for the desktop PC has been lost."

As sad as it sounds, Richard, you may very well be right. It may be b/c while the good guys have stood around twiddling their thumbs and patting themselves (and each other) on the back, others have subverted the systems.

When I was doing research for my book, I located a KB article from the MS PSS Security team, stating that most of the compromised systems they dealt with were compromised as a result of weak or non-existent Admin/root passwords. At that point, is the vendor really to blame, or did the Administrator give away the keys to the kingdom at installation?

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Comment by Richard Bejtlich, 2005-09-28 14:07 -04:00

John,

Ok, so you think the Sun Rays from 2-3 years ago were bad. I am talking about Sun Ray 170s that were just released earlier this year and deployed at my last job. They are good, as far as I was able to judge them.

Years ago at BATC Bamm and I used even older Sun Ray technology without problems.

Comment by Anonymous, 2005-09-28 13:50 -04:00

Richard,

The Sun Rays were crap, at least the ones 2-3 years ago. SMU Legacy at Plano ACEC has a classroom full of them and the instructors loathed them due to unreliability. It might be easier for corporations to make use of Live CDs. The technology is mature. WinPE shows that even Windows can run from a RAMDISK, but it's so crippled it's sad. Another alternative is to redirect users' folders to a server and reimage the workstation automatically every so often, or if some condition is met. Some Brazilians did this with Linux and Windows on the same platform. The computer ran Windows, but if there was a problem, it could be rebooted into Linux and a new Windows image installed.