RE: root kit detection/penetration

From: Omar A. Herrera (omar.herrera@oissg.org)
Date: Fri Sep 16 2005 - 00:31:05 EDT


> -----Original Message-----
> From: Javier Fernandez-Sanguino [mailto:jfernandez@germinus.com]
>
> cdewitt@indepthsec.com wrote:
>
> > What are the best practices for penetration testing the viability
> > of placing root kits on a client's external servers - vpn, web,
> > app...?
>
> If you did not write it yourself _and_ are confident that its impact
> in business critical systems is 0 don't do it.

This is a golden rule indeed.

> > And, while I'm asking - what are the best practices or
> > countermeasures for root kit placement?
>
> Properly bastion hosts and severely limit the capabilities of the users
> the services exposed to the Internet are running as (i.e. defense in
> depth, chroot jails, up-to-date patched systems, etc.) including
> host-IDS with (in Windows) updated antivirus (which will carry rootkit
> signatures too) or (in UNIX) rootkit detectors.
>

I just wanted to add some comments here. I'm not really sure if it is
considered a best practice, but it has been clear for some time that there
are much better controls than all anti-xxxxx ware. Security controls relying
on regular updates for detecting known malware or dangerous behavior are not
effective against new threats, particularly specially developed (or
modified) malware to be used against specific targets.

Therefore, in my opinion, some host-IDS, chroot-jails and all controls
implementing some kind of "white list" are far more effective against these
threats.

I'm not saying that everyone should just throw away their antivirus.
Obviously, my mom will prefer to use an AV than trying to configure a
Personal Firewall that implements application execution white lists.
However, in the case of critical equipment of an organization big enough to
have its own security team, relying only on anti-xxxxs technology to counter
rootkits, Trojans and all custom made malware is definitely going to fail.

By the way, there is an article by Marcus Ranum called "The Six Dumbest
Ideas in Computer Security"
(http://www.ranum.com/security/computer_security/editorials/dumb/); it also
says something about this (ineffectiveness of blacklist security controls).

I don't fully support all the statements of Mr. Ranum. In fact, Pentesting
IS in the list :-). Pentesting is in some way "turd polishing" as he says,
but it was never meant to discover all possible vulnerabilities or to detect
problems at the most abstract levels of security architectures. Yet,
pentesting should be able to identify at least the most obvious exposures
caused by vulnerabilities (even the best designed system in terms of
security isn't free from vulnerabilities).

Kind regards,

Omar Herrera
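As an added illustration of the "white list" style of control argued for above (example code written for this archive page, not from the original thread or any of its posters): a minimal file-integrity baseline check. The baseline of known-good SHA-256 hashes is the allow list; any file that changes, appears or disappears is reported without needing a signature for whatever caused it, which is exactly the property that matters against custom-built rootkits. The directory layout, file names and contents are constructed for the demonstration.

```python
"""Allow-list file integrity check.

A baseline of known-good hashes is the 'white list'; anything that differs,
appears or disappears is reported, regardless of whether any signature for
it exists. Example code added for this archive page, not from the thread.
"""
import hashlib
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record relative path -> SHA-256 for every regular file under root.

    In practice the baseline is taken on a trusted (freshly built) system and
    stored off-host or on read-only media, so a compromise of the host cannot
    rewrite the reference it is checked against.
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[str(p.relative_to(root))] = _sha256(p)
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the live tree against the baseline.

    Returns the three deviation classes a host-IDS would alert on: files whose
    content changed, files not in the allow list, and allow-listed files gone.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline
                           if k in current and current[k] != baseline[k]),
        "unexpected": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary (constructed)")
        (root / "bin" / "ps").write_bytes(b"original ps binary (constructed)")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/sh\n")
        baseline = build_baseline(root)

        # Changes made after the baseline was taken: one binary replaced,
        # one removed, and a new file dropped into a system directory.
        (root / "bin" / "ps").write_bytes(b"replaced ps binary (constructed)")
        (root / "bin" / "ls").unlink()
        (root / "etc" / "unexpected.conf").write_bytes(b"not in baseline\n")
        return verify(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The check has no notion of "malicious"; it only knows "not what was approved". That is why it catches a modified `ps` whether or not any vendor has ever seen that particular rootkit, and also why it needs a disciplined change process, since every legitimate patch must be followed by a new baseline.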




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:55 EDT