
SANS ISC: Insider threat study, and Fun in the trenches, Windows surprise update, Why is change control a good idea? SANS ISC InfoSec Forums

An interesting report came out of the CMU CERT:

Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors
http://www.cert.org/archive/pdf/insidercross051105.pdf

Thanks Adrien for pointing this out.


Windows update

A new Windows Installer 3.1 has appeared in Windows Update and on an SUS server near you. Unannounced (as far as I am aware). Not really a security issue, but it could be.

Some fun in the trenches or Why change control?

What happens when you install something new on your network and then you begin to have problems? You blame the something new, right? What about when the something new is having problems and then new problems appear? You again blame that something new, especially when the something new is a firewall, right? Well, it is not always the firewall's fault. If you do not know who is plugging things into your network, you'd better find out now.

Company X bought some shiny new firewalls and had a consultant put them in. Now Company X has nice shiny VPNs connecting them to their messaging and file storage over a fancy low-cost WAN. Wow, everything is great. Then, after some packet loss and some other issues, the VPNs were deemed really nice but not perfect. After a few adjustments they could live with it, though.

...And then, bang, one site starts to have intermittent connectivity loss. In fact, the default gateway starts to generate ICMP Network Unreachable messages for anything off site. This comes and goes. What could that be? Well, after the new firewalls get their thrashing for being the bad new guys on the block, it is time to get out your packet sniffer and look at who is sending those ICMP messages, 'cause it is not the default gateway.

If anyone can plug anything they want into your network, they will, and if that thing happens to be a Linksys router with the same IP address as your default gateway, then you might see these ICMP net unreachables coming from some other MAC address than the default gateway's.

Okay, so this is basic stuff; what's the point? Part of the C-I-A triad is availability: if anyone can take your network down with a simple IP conflict, then you are at risk. What else are you at risk for? The simplest resolution is to implement change control. This means many things to many people: for some in large corporations it means 24-hour follow-the-sun meetings, for others it means that someone approves any changes to the network before they are made and that each change is recorded and verified. This way, that new network printer does not get blamed when the VPNs go down.
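The packet-sniffer check from the story, as an added example that is not part of the original diary: it reads `tcpdump -e -n icmp` style lines (the sample below is constructed, not a real capture) and reports every MAC address that sends frames using the gateway's IP but is not the real gateway. The gateway IP and MAC are assumed values you would replace with your own.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -e -n icmp` output (not a real capture).
# The real gateway 192.0.2.1 lives at 00:00:5e:00:53:01; a second box is
# answering from the same IP with MAC 00:00:5e:00:53:ee.
SAMPLE = """\
10:01:02.100000 00:00:5e:00:53:01 > 00:1a:2b:3c:4d:5e, ethertype IPv4 (0x0800), length 98: 192.0.2.1 > 192.0.2.50: ICMP echo reply, id 7, seq 1, length 64
10:01:02.500000 00:00:5e:00:53:ee > 00:1a:2b:3c:4d:5e, ethertype IPv4 (0x0800), length 70: 192.0.2.1 > 192.0.2.50: ICMP net 198.51.100.0 unreachable, length 36
10:01:03.200000 00:00:5e:00:53:ee > 00:1a:2b:3c:4d:77, ethertype IPv4 (0x0800), length 70: 192.0.2.1 > 192.0.2.51: ICMP net 203.0.113.0 unreachable, length 36
10:01:04.000000 00:00:5e:00:53:01 > 00:1a:2b:3c:4d:77, ethertype IPv4 (0x0800), length 98: 192.0.2.1 > 192.0.2.51: ICMP echo reply, id 9, seq 1, length 64
"""

# One tcpdump -e -n summary line for an ICMP packet over IPv4.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src_mac>[0-9a-f:]{17}) > (?P<dst_mac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: (?P<src_ip>[\d.]+) > (?P<dst_ip>[\d.]+): "
    r"ICMP (?P<msg>.+?), length \d+$"
)


def parse_tcpdump_e(text):
    """Yield one dict per line that matches the tcpdump -e -n ICMP format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_gateway_impostors(text, gw_ip, gw_mac):
    """Map each MAC that sends frames as gw_ip, but is not gw_mac, to the ICMP
    messages it sent. Net-unreachables from such a MAC are the symptom in the
    diary: an IP conflict with the default gateway."""
    hits = defaultdict(list)
    for pkt in parse_tcpdump_e(text):
        if pkt["src_ip"] == gw_ip and pkt["src_mac"].lower() != gw_mac.lower():
            hits[pkt["src_mac"]].append(pkt["msg"])
    return dict(hits)


if __name__ == "__main__":
    found = find_gateway_impostors(SAMPLE, "192.0.2.1", "00:00:5e:00:53:01")
    for mac, msgs in found.items():
        print(f"{mac} is answering as the gateway: {len(msgs)} frames, e.g. {msgs[0]!r}")
```

Pipe a live capture in with `tcpdump -e -n -l icmp | python3 script.py` if you adapt the script to read stdin; the MAC it reports is the device to go and unplug.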




Cheers,
Dan Goldberg
MADJiC Consulting, Inc.
dan /@/ madjic /dot/ net

May 19th 2005
