Things that make you go hmmm…

I just read a fantastic post by David Chris Hoff on his Rational Security blog, where he discusses the ongoing debate about where the focus of security should be; the network or the host.

It's a great read and only slightly long, but with good reason: he's packed in a lot of good points that seem well founded and well thought out.

Currently we're focusing on both: we're bringing IPS and UTM units online to harden the network, and we're bringing HIPS and GPO controls online to harden the hosts. After all, it's a great debate about which will dominate the art in the future, host-based or network-based security. However, in the here and now, neither has gelled into anything significantly tangible that precludes the other. So while you research and debate it, my advice is to sprinkle a bit of both disciplines into your security infrastructure.

One of my favorite buzz-terms in his article: extrusion prevention. I've been harping on this since, well, since I started blogging about security, and it's something I firmly believe in. Containing your network is just as important as keeping the bad guys out of it. For one thing, you'll likely stop a lot of escalation techniques, such as phoning home and awaiting commands over a C&C channel. You'll also reduce upstream liability from your hosts trying to compromise other hosts.

I also recommend you shoot over and read the Ten Commandments of the Jericho Forum after you’ve read Hoff’s piece.

All good stuff!

Evaluating malware from a network perspective

A few days ago, my HIPS software blue-screened three separate machines after an update. Fearing a problem with the HIPS software, I disabled it on all three machines while I troubleshot them.

Today, while looking through my HIPS log like a good sec analyst, I see an interesting event logged on one of the hosts. The file c:\windows\system32\wbem\unsecapp32.exe (MD5: 60f8ea044b96b7ae8c1a55571d7e2c70) tried to contact 211.22.66.246 on port 7654. Googling the file name produced little help beyond this (the fact that AhnLab's AV engine didn't detect this one leads me to believe it's a relatively new variant).
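As an added example (not the blog's own code), here is the kind of per-process egress check that turns the "extrusion prevention" idea from the earlier post into something the HIPS event above can be scored against: a default-deny outbound policy where unknown processes may only reach internal addresses, the browser only the proxy, and DNS only the internal resolver. The key=value log format, the 10.0.0.0/8 internal range, the proxy and resolver addresses, and every sample destination other than the one quoted in this post are constructed for the example.

```python
import ipaddress
import re

# Constructed sample lines in an assumed key=value HIPS log format (no real product's format).
SAMPLE_LOG = """\
2007-04-13 09:12:01 host=ws01 proc=c:\\windows\\system32\\wbem\\unsecapp32.exe dst=211.22.66.246 dport=7654 proto=tcp
2007-04-13 09:12:05 host=ws01 proc=c:\\progra~1\\iexplore.exe dst=10.0.5.20 dport=8080 proto=tcp
2007-04-13 09:12:09 host=ws01 proc=c:\\progra~1\\iexplore.exe dst=203.0.113.9 dport=80 proto=tcp
2007-04-13 09:13:10 host=ws02 proc=c:\\windows\\system32\\svchost.exe dst=10.0.0.53 dport=53 proto=udp
2007-04-13 09:14:22 host=ws02 proc=c:\\windows\\system32\\svchost.exe dst=198.51.100.7 dport=53 proto=udp
2007-04-13 09:15:00 host=ws02 proc=c:\\windows\\explorer.exe dst=10.0.1.5 dport=445 proto=tcp
"""
LINE_RE = re.compile(
    r"host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
# Assumed egress policy keyed by process name; each rule is
# (destination network, allowed ports or None, protocol or None). A process with no
# entry gets DEFAULT: internal destinations only, so nothing reaches the Internet
# directly; the browser goes via the proxy and DNS only via the internal resolver.
POLICY = {
    "iexplore.exe": [(ipaddress.ip_network("10.0.5.20/32"), {8080}, "tcp")],
    "svchost.exe": [(ipaddress.ip_network("10.0.0.53/32"), {53}, "udp"),
                    (INTERNAL, {135, 445}, "tcp")],
}
DEFAULT = [(INTERNAL, None, None)]

def basename(proc):
    """Lower-cased file name from a Windows path."""
    return proc.rsplit("\\", 1)[-1].lower()

def allowed(proc, dst, dport, proto):
    """True if this process may open (dst, dport, proto) under POLICY."""
    addr = ipaddress.ip_address(dst)
    for net, ports, p in POLICY.get(basename(proc), DEFAULT):
        if addr in net and (ports is None or dport in ports) and (p is None or p == proto):
            return True
    return False

def find_extrusions(log_text):
    """Return (host, process name, dst, dport) for every outbound connection the policy denies."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable line; a real pipeline should count these, not silently drop them
        dport = int(m["dport"])
        if not allowed(m["proc"], m["dst"], dport, m["proto"]):
            hits.append((m["host"], basename(m["proc"]), m["dst"], dport))
    return hits
```

Run against the sample, it flags the unsecapp32.exe call-out, the browser bypassing the proxy, and svchost.exe resolving against an external DNS server, while the proxied browser session and the internal SMB connection pass.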

Make them fight YOUR fight

Bejtlich over at Tao Security has a good post today about making the bad guys fight your fight, or as he puts it, fight your strengths.

At the end he asks how others force the fight, so I figure I'll chime in.

Windows DNS/RPC Vulnerability

Just wanted to point everyone to this post that details how to disable the vulnerable RPC service on your DNS servers and domain controllers.

As I've said in the past, RPC will be a target for the foreseeable future. RPC is essential to Windows networking and thus essential to protect. If you have hosts exposed to the public Internet, they should NOT have RPC exposed. Hosts on your protected LAN should also be protected as much as possible. As I said yesterday, protect your core assets with defensive VLAN ACLs, firewalls and other choke-points so that you can control who talks to your servers and how. It's a lot of work, but in the long run you won't suffer as much from zero-days like this one.

When IPS isn’t enough (Windows DNS zero day)

Yesterday I blogged about how useful IPS tech is and today I’m going to blog about how it isn’t enough. How’s that for being conflicted!

Microsoft is warning folks of a DNS vulnerability with a twist: port 53 isn't vulnerable. The attack vector is RPC, which according to Erratasec puts a kink in IPS inspection.