Learning from our mistakes
One of my favorite quotes is: “Those who cannot learn from history are doomed to repeat it.”
The vast majority of the malware floating around the Internet today is regurgitated, canned attacks with only slight variations. So if we learn from history we’ll know that:
- Windows RPC will be a target of self-propagating malware for the foreseeable future. It’s the core of Windows networking and is required on any machine participating in Active Directory. However, there is no reason for it to be reachable from any host outside the trusted network, nor for any host inside the trusted network to reach it on hosts outside. Therefore your perimeter firewall rules should block the Windows RPC, NetBIOS and SMB ports in both directions: TCP/135 and UDP/135 (the RPC endpoint mapper), TCP/139 and UDP/137-138 (NetBIOS), and TCP/445 (SMB over TCP). Keep in mind that the endpoint mapper only tells a client which dynamic high port an RPC service is actually listening on (1025-5000 on older Windows, 49152-65535 from Vista/2008 on), so a default-deny inbound policy is what really closes the door; the explicit block list is a belt-and-braces layer on top of it.
- Users are going to open unsolicited attachments. It’s best to drop dangerous attachments (filtering on file extension) at the email server so they never get their grimy hands on them. Granted this isn’t foolproof: an extension filter only sees the file name, so it misses anything inside an archive, and a careless regex misses double extensions and mixed case. But it’s better than doing nothing.
- IRC rarely increases users’ productivity and in most shops isn’t needed for any job duties (unless your job is to sit idle watching on-join messages all day). Not to mention that IRC is a common choice for botnet command and control. Block the default IRC ports at your firewall (TCP 6660-7000, which covers the usual 6667 and the TLS port 6697) and, if you have an IPS, alert on or block the NICK and JOIN commands. Note that “/nick” and “/join” are what a user types into a client; on the wire the protocol commands are sent as NICK and JOIN with no slash, and that is what a signature has to match. Expect bots to use non-standard ports, so the port block is the cheap first step and the signature is what catches the rest.
- P2P networks are rife with junk. They are routes into your network for all kinds of malware, and more often than not they are used for illegal activity. And guess what, Mr. Coolguy: the price of your MP3 jukebox could be your job, because the RIAA and MPAA have made a point of making examples of people who share MP3s. But hey, all your ex-office-mates will still think you’re cool.
- Patch management works and can be very cheap. You can have a very successful patch management solution for zero dollars in capital expenditure (Microsoft’s WSUS is free). All you need to spend is the time (an operational cost) to make sure every host is actually receiving its updates in a timely manner. I know I’ve complained plenty about depending solely on patches as a means of securing your network, but that doesn’t mean you can disregard patches altogether.
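The two firewall lessons above (block Windows RPC/NetBIOS/SMB in both directions, block the default IRC port range) as one concrete ruleset. This is an added example, not something from the original post: a script that generates an iptables-restore ruleset for a Linux perimeter firewall. It assumes the Internet-facing interface is eth0 (overridable through WAN_IF); the chain names INBOUND and OUTBOUND and the helper function names are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: generate an iptables-restore ruleset
# that drops Windows RPC/NetBIOS/SMB and IRC traffic crossing the perimeter in
# both directions. LAN-to-LAN traffic never enters these chains, so Active
# Directory keeps working inside the trusted network.
# Assumptions: Linux firewall running iptables; the Internet-facing interface is
# eth0 (override with WAN_IF); the chain names INBOUND/OUTBOUND are my own.

WAN_IF="${WAN_IF:-eth0}"

# Port sets from the post, listed by what actually listens on them.
RPC_TCP="135,139,445"   # 135 RPC endpoint mapper, 139 NetBIOS session, 445 SMB over TCP
RPC_UDP="135,137,138"   # 135 RPC endpoint mapper, 137 NetBIOS name, 138 NetBIOS datagram
IRC_TCP="6660:7000"     # default IRC range, including 6667 (plaintext) and 6697 (TLS)

# Emit a rate-limited LOG rule followed by a DROP rule for one chain/proto/port set.
block_ports() {
  local chain="$1" proto="$2" ports="$3"
  printf '%s\n' "-A $chain -p $proto -m multiport --dports $ports -m limit --limit 10/min -j LOG --log-prefix \"$chain-block: \""
  printf '%s\n' "-A $chain -p $proto -m multiport --dports $ports -j DROP"
}

# Print the complete filter-table ruleset in iptables-restore format.
gen_ruleset() {
  printf '%s\n' '*filter' ':INBOUND - [0:0]' ':OUTBOUND - [0:0]'
  # Everything arriving on the WAN interface (for the box itself or forwarded) ...
  printf '%s\n' "-A INPUT -i $WAN_IF -j INBOUND" "-A FORWARD -i $WAN_IF -j INBOUND"
  # ... and everything leaving through it.
  printf '%s\n' "-A OUTPUT -o $WAN_IF -j OUTBOUND" "-A FORWARD -o $WAN_IF -j OUTBOUND"
  for chain in INBOUND OUTBOUND; do
    block_ports "$chain" tcp "$RPC_TCP"
    block_ports "$chain" udp "$RPC_UDP"
    block_ports "$chain" tcp "$IRC_TCP"
  done
  printf '%s\n' 'COMMIT'
}

# Sanity check before loading: number of DROP rules in a ruleset read from stdin.
count_drops() { grep -c -e '-j DROP'; }

# Emit the ruleset so it can be reviewed and then loaded with iptables-restore.
gen_ruleset
```

Only traffic crossing the WAN interface is sent through the two chains, so RPC and SMB between LAN hosts and the domain controllers are untouched. Review the output, then load it with iptables-restore. These explicit DROP rules are a backstop, not the policy: because the endpoint mapper on 135 points clients at a dynamic high port, a perimeter whose inbound default is not DROP can still be reached on those ports, so run this on top of a default-deny INPUT/FORWARD policy rather than instead of one.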
My point is this: it seems obvious to me that, for whatever reason, many people simply don’t learn. Don’t be one of those people.
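The attachment lesson above, as an added example that is not part of the original post: an extension blocklist in the form a Postfix pcre mime_header_checks table takes, with a shell wrapper that applies the same regex so the rule can be checked against constructed header lines offline. The extension list and the reject text are my choices, not a standard, and the mail server being Postfix is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: a MIME-header extension filter of
# the kind the post recommends, written as the regex a Postfix pcre
# mime_header_checks table takes, plus a shell wrapper that applies the same
# regex so it can be tested against constructed header lines.
# Assumptions: Postfix as the MTA; the extension list and reject text are mine.

# Extensions Windows will run or script when a user double-clicks the file.
BLOCKED_EXT='exe|scr|pif|com|bat|cmd|vbs|vbe|js|jse|wsf|wsh|hta|cpl|msi|reg|lnk'

# Matches a Content-Disposition or Content-Type header whose name= / filename=
# parameter ends in a blocked extension. Only the LAST extension counts, so
# invoice.pdf.exe is caught and report.exe.pdf is not. Matching is
# case-insensitive: grep -i here, the default flag of Postfix pcre tables there.
ATTACH_RE="^Content-(Disposition|Type):.*(file)?name[[:space:]]*=[[:space:]]*\"?[^\"]*\.(${BLOCKED_EXT})\"?[[:space:]]*(;.*)?$"

# Return 0 when the given header line names a blocked attachment, 1 otherwise.
attachment_blocked() {
  printf '%s\n' "$1" | grep -Eiq -e "$ATTACH_RE"
}

# Print the equivalent entry for /etc/postfix/mime_header_checks (pcre table).
gen_postfix_check() {
  printf '/%s/ REJECT Attachment type not allowed\n' "$ATTACH_RE"
}

# Constructed sample headers (not real mail), showing the decision for each.
for hdr in \
  'Content-Disposition: attachment; filename="invoice.pdf.exe"' \
  'Content-Type: application/octet-stream; name=SETUP.SCR' \
  'Content-Disposition: attachment; filename="report.exe.pdf"' \
  'Content-Disposition: attachment; filename="notes.txt"'
do
  if attachment_blocked "$hdr"; then echo "REJECT  $hdr"; else echo "ACCEPT  $hdr"; fi
done

# The line to drop into the Postfix table.
gen_postfix_check
```

The double-extension case is the one naive filters get wrong, which is why the regex anchors on the last extension rather than searching for the extension anywhere in the name. Two gaps worth knowing about: it sees only the file name, so an .exe inside a .zip passes, and it does not match RFC 2231 encoded parameters (filename*=UTF-8''...), which is one reason content-based scanning at the MTA beats header matching on its own.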

[...] As I’ve said in the past, RPC will be a target for the foreseeable future. RPC is essential to Windows’ networking and thus essential to protect. If you have hosts exposed to the public Internet, they should NOT have RPC exposed. Hosts on your protected LAN should also be protected as much as possible. As I said yesterday, protect your core assets with defensive VLAN ACLs, firewalls and other choke-points so that you can control who talks to your servers and how. It’s a lot of work but in the long run you won’t suffer as much from zero days like this one. [...]
By mcwresearch.com » Windows DNS/RPC Vulnerability on 04.14.07 8:18 am