[Dailydave] "The organization I belong to doesn't have initals"(that evil dude in Heroes)

Siim Põder windo at p6drad-teel.net
Tue Nov 14 16:33:00 Local tim 2006


Yo!

Daniel wrote:
> David: your IIS 6.0 is vulnerable to an unpublished, unknown
> vulnerability
> CSO: So what do we do David??
> David: secure your network
> CSO: How?
> David: ????
> CSO: Microsoft has no patch for this, they cannot help. I've paid you  
> to do an assessment, what is the risk of the vulnerability versus the  
> loss of business if I have to shut down our front-end trading system

That's the whole point of this discussion - imho - and it seems to me
you're not getting it (or it might be that I'm not getting it).

There is stuff you can (and should) do beyond patching known holes. You
never know whether there are unknown vulnerabilities in some part of your
system - so you could run your httpd in chroot, stripping its
privileges to the minimum and monitoring what it does. Then you could
isolate it on the network and firewall connections to and from it.

There's probably a bunch of other stuff any web server administrator would
do if he needed to reduce the risks of being exploited.


In the end the damage of the 0day is minimized - it might be full pwnage
of the whole network on one location, but a stripped down local shell
that gets the attacker blacklisted if abused on another location (and
that's the answer you should give to the CSO).

How far to go with it should be a business decision - if anyone could
effectively calculate the likelihood of all that shit actually hitting
any fans and the amount of shit sprayed around by it (if that was the
question you were raising, then accept this "oops" from me).

Siim Põder
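The "monitor what it does" and "gets the attacker blacklisted if abused" parts of the post, as an added example that is not part of the original message or of any tool it mentions: a small behavioural monitor for a confined httpd. It reads exec/connect/accept events for the daemon's user, flags anything outside a declared policy (the only binary it may exec, the only outbound destination it may reach), attributes the violation to the client the worker was serving, and emits the firewall rule that drops that client. The event format, the sample lines, the user name `www-data`, the path `/usr/sbin/httpd` and the database address are all constructed assumptions for the example, not real captured logs or a real audit format.

```python
"""Behavioural monitor for a confined httpd: flag anything the daemon does
outside its declared policy and blacklist the client it was serving.
Added example; the policy values and event format are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional

# Policy for the confined httpd (assumed values for the example).
HTTPD_USER = "www-data"
ALLOWED_EXECS = {"/usr/sbin/httpd"}          # the only binary it may ever exec
ALLOWED_OUTBOUND = {("10.0.0.5", 5432)}      # e.g. its database, nothing else

# Constructed event lines in a simplified exec/connect/accept format
# (not real auditd output). The first three are normal operation; the
# last two are the shape a 0day leaves: httpd spawns a shell that calls
# back out to the attacker.
SAMPLE_EVENTS = """\
2006-11-14T16:33:00 exec uid=www-data pid=4321 path=/usr/sbin/httpd
2006-11-14T16:33:05 connect uid=www-data pid=4321 dst=10.0.0.5:5432
2006-11-14T16:33:10 accept uid=www-data pid=4321 src=203.0.113.7:51022 dport=80
2006-11-14T16:33:11 exec uid=www-data pid=4399 ppid=4321 path=/bin/sh
2006-11-14T16:33:12 connect uid=www-data pid=4399 ppid=4321 dst=203.0.113.7:4444
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>\w+) (?P<kv>.*)$")


@dataclass
class Violation:
    ts: str
    pid: int
    reason: str
    client: Optional[str]   # IP the offending worker was serving, if known


def parse_event(line):
    """Turn one 'ts kind k=v k=v ...' line into a dict, or None if malformed."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": m["ts"], "kind": m["kind"]}
    for tok in m["kv"].split():
        k, _, v = tok.partition("=")
        ev[k] = v
    return ev


def monitor(text):
    """Run the policy over event lines; return (violations, blacklisted_ips)."""
    serving = {}   # worker pid -> client IP it is currently serving (from accept)
    violations, blacklist = [], set()
    for line in text.splitlines():
        ev = parse_event(line)
        if not ev or ev.get("uid") != HTTPD_USER:
            continue   # only the confined daemon's own activity is policed
        pid = int(ev["pid"])
        # A worker's children (a spawned shell, say) are attributed to the
        # client that worker was serving when the child appeared.
        owner = int(ev.get("ppid", pid))
        if ev["kind"] == "accept":
            serving[pid] = ev["src"].rsplit(":", 1)[0]
            continue
        reason = None
        if ev["kind"] == "exec" and ev["path"] not in ALLOWED_EXECS:
            reason = f"unexpected exec of {ev['path']}"
        elif ev["kind"] == "connect":
            host, port = ev["dst"].rsplit(":", 1)
            if (host, int(port)) not in ALLOWED_OUTBOUND:
                reason = f"unexpected outbound connection to {ev['dst']}"
        if reason:
            client = serving.get(owner) or serving.get(pid)
            violations.append(Violation(ev["ts"], pid, reason, client))
            if client:
                blacklist.add(client)
    return violations, blacklist


def blacklist_rules(ips):
    """iptables commands that drop the abusing clients at the host firewall."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(ips)]


if __name__ == "__main__":
    found, banned = monitor(SAMPLE_EVENTS)
    for v in found:
        print(f"{v.ts} pid={v.pid} {v.reason} (client {v.client})")
    for rule in blacklist_rules(banned):
        print(rule)
```

The point for the CSO conversation is the shape of the answer: with the daemon chrooted and stripped of privileges, the worst the unknown hole yields is a shell with nothing to reach, and the first thing that shell does outside the declared policy is what gets its source dropped at the firewall. In practice the event feed would come from auditd, process accounting or an LSM rather than this constructed format, and the rule would be applied by the host, not printed.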

