Copyright 2001 Internet Security Systems (trademark)
THE POWER TO PROTECT

INTERNET THREAT & SOLUTIONS UPDATE for Oct 9th - Oct 11th, 2001
ISS X-Force Special Operations Group

--------------------------------------
CURRENT THREAT ASSESSMENT & THREAT FORECAST
--------------------------------------

AlertCon 2 Today, Oct 9th, 2001
AlertCon 1 For Oct 10th-11th, 2001

This Week's Focus: Bulletproofing your networks
*************

- We are holding at AlertCon 2 for one more day to highlight the need for increased vigilance for cyber attacks in the wake of the coalition bombing of terrorist targets in Afghanistan.

- We continue to see no evidence to date of a cyber component to the physical terrorist campaign against the USA. We are monitoring the situation closely and anticipate reducing to AlertCon 1 tomorrow if we continue to see no indications of any new, focused threats.

--------------------------------------
Security Focus This Week - Bulletproofing your networks
--------------------------------------

- Bulletproof vests are not really bulletproof, but they are bullet resistant. That's what we hope to help you achieve on your network: increase your resistance to the most common forms of attack. With some cyber fallout anticipated from our war on terrorism, now is a good time to get your bulletproofing campaign started.

- Because there's no way to completely secure your network without turning it off, this week we'll offer a number of practical solutions for most of the threats your network faces. We will also look at ways to address the business continuity issues facing your networks and data centers.

- Thanks to David Berlind of ZDNet for the "bulletproofing" analogy. <http://techupdate.zdnet.com/techupdate/filters/rcplus/0,14178,6021509,00.html>

- Today we'll look at detection solutions. Tomorrow we'll explore appropriate responses to the things we detect. It's necessary to have some sort of in-house or outsourced response capability, because your alarm detections will be staggering (welcome to the Internet) and you will want to do something about them. On Thursday we'll talk about some ways to improve the security of that biospace between the chair and the keyboard, and on Friday we'll wrap it all up.

---------------------------------------
SOLUTIONS
---------------------------------------

- Your choices for detection are either manual (a sharp admin notices something wrong and investigates) or automated, using some sort of device. The admin will always do troubleshooting, but the sheer volume of events dictates some sort of intrusion detection sensor. Sensors can be placed anywhere but are most commonly deployed as network, host, and client detection devices.

- Every network needs a perimeter defense consisting of a firewall and its IDS partner, but the question of IDS placement is a common one. We recommend that the best default placement for the network IDS is at the most external choke point inside the firewall. When you place an IDS outside the firewall, up against the Internet cloud, you are essentially counting the flies outside the kitchen window. There are times when you want to know the gross threat assembled against you, but this placement should only be done if you also have an IDS inside the firewall (or access-controlling router). This way you get a count of how many flies are getting into the kitchen: an attack that shows up on both sensors is one your firewall let through. You can then use that information to adjust your firewall or ACL to decrease these security incidents.

- Moving inward, your critical servers should be identified and an IDS installed to watch for potentially harmful activity against them. Your web servers, file servers, database servers, DNS, FTP servers, etc. are all likely candidates for an intrusion detection device, particularly those that can be set to kill unwanted packets when they arrive. This way you get protection and a headcount of the bullets bouncing off your shields.

- At the client level, personal firewalls that include an alarm are a good idea on your desktop and laptop computers to provide both defense and evidence of threat activity deep inside your network cloud. This is a particularly important feature for laptop computers that are used both at work and at home or on the road. When using a hotel's dial-up modem or high-speed connection, your computer loses the protection of the corporate LAN's defenses and is up against the Internet threat full force, because ISPs as a general rule do not provide much in the way of security features with their bandwidth. The same thing happens at home, especially over a cable modem or DSL connection. It's a fact of life these days that high speed is high risk. Those of you who have installed, for example, BlackICE Defender <http://www.netice.com/products/soho_solutions.html> have seen the number of attacks you experience every session and have had the satisfaction of being able to select "block this intruder forever". Installing this level of protection on your home-office computer is a real eye opener and well worth the very small cost.
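To make the inside/outside comparison concrete, here is an added example (not ISS code, and not a feature of any ISS product) that joins the alerts from a sensor outside the firewall with those from the sensor at the first choke point inside it. Per destination port it reports how many attacks seen outside also fired inside (the flies that got into the kitchen) and flags the ports where attacks got through even though no published service listens there, which are the ACL adjustments to take to the firewall team. The alert lines, sensor names, addresses, signature names and the list of published services are all constructed for the illustration; the comma-separated format is an assumed export, not any real sensor's output. The same data is also tallied the way the daily destination-port table in the metrics section is, as a percentage of the top ten.

```python
"""Counting the flies outside the kitchen window and the ones that got in.

Added example for the IDS-placement discussion; not ISS code. Joins alerts
from a sensor outside the firewall with alerts from the sensor at the first
choke point inside it. Alert format, sensor names, addresses, signature
names and the published-services list are assumptions for this example.
"""
from collections import Counter

# Constructed sample alerts (not real captures), one event per line:
# sensor,source_ip,destination_port,signature
OUTSIDE_ALERTS = """\
outside,203.0.113.7,80,HTTP_Unix_Passwords
outside,203.0.113.7,80,HTTP_IIS_Unicode_Traversal
outside,198.51.100.50,80,HTTP_IIS_Unicode_Traversal
outside,198.51.100.9,139,SMB_Null_Session
outside,198.51.100.9,139,SMB_Null_Session
outside,198.51.100.22,21,FTP_Site_Exec
outside,203.0.113.40,25,SMTP_Relay_Probe
outside,203.0.113.40,12754,Port_Probe
"""

INSIDE_ALERTS = """\
inside,203.0.113.7,80,HTTP_Unix_Passwords
inside,203.0.113.7,80,HTTP_IIS_Unicode_Traversal
inside,198.51.100.50,80,HTTP_IIS_Unicode_Traversal
inside,203.0.113.40,25,SMTP_Relay_Probe
inside,198.51.100.9,139,SMB_Null_Session
inside,10.0.0.15,1433,MSSQL_Null_SA_Password
"""

# Ports the firewall is meant to pass to published services (assumed).
PUBLISHED_SERVICES = {80, 25}


def parse_alerts(text):
    """Parse comma-separated alert lines into (sensor, src, port, sig) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sensor, src, port, sig = line.split(",", 3)
        events.append((sensor, src, int(port), sig))
    return events


def port_counts(events):
    """Alerts per destination port."""
    return Counter(port for _, _, port, _ in events)


def top_ports(events, n=10):
    """Top-n destination ports as (port, count, percent of the top-n total),
    the same 'percent of top ten' tally used in the daily port table."""
    ranked = port_counts(events).most_common(n)
    total = sum(count for _, count in ranked)
    return [(port, count, round(100.0 * count / total, 2))
            for port, count in ranked]


def leak_report(outside, inside, published=PUBLISHED_SERVICES):
    """Per destination port: alerts outside, alerts that also fired inside,
    the fraction that got through, and two flags. acl_gap: attacks got in on
    a port that is not a published service, so the firewall/ACL needs
    tightening. inside_only: the inside sensor fired but the outside one did
    not, pointing at an internal source or an outside-sensor blind spot."""
    out_c, in_c = port_counts(outside), port_counts(inside)
    report = {}
    for port in sorted(set(out_c) | set(in_c)):
        seen_out, seen_in = out_c.get(port, 0), in_c.get(port, 0)
        report[port] = {
            "outside": seen_out,
            "inside": seen_in,
            "leak_ratio": seen_in / seen_out if seen_out else None,
            "acl_gap": seen_out > 0 and seen_in > 0 and port not in published,
            "inside_only": seen_out == 0 and seen_in > 0,
        }
    return report


def acl_gaps(report):
    """Ports to take to the firewall team, sorted."""
    return sorted(port for port, row in report.items() if row["acl_gap"])


if __name__ == "__main__":
    outside, inside = parse_alerts(OUTSIDE_ALERTS), parse_alerts(INSIDE_ALERTS)
    print("Top destination ports, outside sensor, % of top ten")
    for port, count, pct in top_ports(outside):
        print(f"{port:>6} {count:>4} {pct:7.2f}%")
    print("\n port  outside  inside   leak  acl_gap  inside_only")
    for port, row in leak_report(outside, inside).items():
        leak = "  n/a" if row["leak_ratio"] is None else f"{row['leak_ratio']:5.2f}"
        print(f"{port:>5} {row['outside']:>8} {row['inside']:>7}  {leak}  "
              f"{str(row['acl_gap']):<7}  {row['inside_only']}")
    print("\nTighten the ACL for ports:", acl_gaps(leak_report(outside, inside)))
```

Run it as a script to print both tables. In the sample data the SMB probes on port 139 reach the inside sensor although 139 is not a published service, so that port is the one reported for ACL tightening; the HTTP and SMTP attacks also get through, but on ports the firewall is supposed to pass, which is the host-IDS problem discussed next. An alert that fires only on the inside sensor is reported separately rather than as a leak ratio, because on that evidence alone it cannot be blamed on the firewall rules.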
-------------------------------------
Attack Signatures - global IDS, midnight - midnight, previous day, % of total
-------------------------------------
Unauth Access Attempts    29.98%
Protocol Decode           29.07%
Denial Of Service         27.98%
Suspicious Activity       06.86%
Pre-Attack Probe          06.10%
Back Doors                00.02%

-------------------------------------
Top Ten Destination Ports - global IDS, midnight - midnight, previous day, % of top ten (port assignments at <http://www.iana.org/assignments/port-numbers>)
-------------------------------------
80    (http)           86.18%
25    (smtp)           04.96%
21    (ftp)            04.63%
139   (netbios-ssn)    00.94%
143   (imap)           00.65%
12754 (unassigned)     00.63%
15104 (unassigned)     00.60%
443   (https)          00.56%
123   (ntp)            00.47%
69    (tftp)           00.38%

---------------------------------------
VIRUS, VULNERABILITY, NEWS UPDATES
---------------------------------------

- Visit <http://www.iss.net> under 'Global Internet Threat Intelligence Service'.

- According to Sophos <http://www.sophos.com/virusinfo/topten/> the top ten viruses in September were:

 1. Nimda-A        71.2%
 2. Sircam-A       11.4%
 3. Magistr-A      03.7%
 4. Magistr-B      03.0%
 5. Hybris-B       01.5%
 6. Apology-B      00.7%
 7. VBS/Kakworm    00.7%
 8. Floss          00.7%
 9. Bymer-A        00.5%
10. Badtrans-A     00.4%

---------------------------------------
Defacement Watch
---------------------------------------

- Alldas.de stats show that since April 2000 the most defaced OS is Windows, with a total of 15,164 defacements reported, 65% of the total. Linux is a distant second with 3,868 defacements, 17% of the total.

- Alldas reports 55 sites defaced yesterday. Details can be seen at <http://www.alldas.de> under 'current month'.

- A check of yesterday's defacements shows less political content than at any time since 9/11, and the defaced sites continue to be weak targets of opportunity with no apparent relationship to the defacement messages.
---------------------------------------
NOTES, COPYRIGHT NOTICE, and DISCLAIMER
---------------------------------------

NOTE 1: Our web site has this information in a more attractive format, with graphics, available to the public at no cost at <http://www.iss.net> under 'Global Internet Threat Intelligence Service'. Screen captures (Control/PrtSc) of the site's pages dropped into PowerPoint can be an effective way to communicate various aspects of the Internet threat, e.g. the graph depicting 'AlertCon Trends'.

NOTE 2: We provide this information on Internet threat metrics, viruses, vulnerabilities, patches, and breaking news, in the spirit of PDD 63, to help security professionals wage the war against Internet threats more effectively. Information in this update is derived primarily from global, real-time, 24 x 7 IDS feeds, ISS X-Force R&D Team research, and professional liaison. Other sources as noted.

AlertCon 1 reflects the global, malicious, determined, 24 x 7 attacks experienced by all networks.
AlertCon 2 means increased vigilance/action recommended due to a specific threat or concern.
AlertCon 3 means increased attacks against specific targets or vulnerabilities on a scale that is unusually high; action required.
AlertCon 4 reflects an Internet emergency for a target or group of targets whose business continuity may depend on some sort of immediate, decisive action.

All summaries cover the 24 hours of the previous workday, GMT. Monday summaries may cover some weekend activity.

Copyright 2001 Internet Security Systems, Inc. Permission is granted for the redistribution of the Internet Threat Update electronically. It is not to be sold or edited in any way without express consent of ISS. Refer comments or questions to [EMAIL PROTECTED].

Disclaimer: This information is subject to change without notice. Use of this information constitutes acceptance for use in an 'as is' condition. There are no warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. No other use authorized. FOIA Exemption 4.

Dennis

Dennis Treece
Director, Global MSS Special Operations Group
Internet Security Systems (ISS)
6303 Barfield Road
Atlanta, Georgia 30328
404-236-4065
Cell 404-667-9345
Fax 404-236-2626
Internet Security Systems -- The Power to Protect

Confidentiality Notice: This message is being sent by or on behalf of a network security professional. It is intended exclusively for the individual to whom it is addressed. This communication may contain information that is proprietary, privileged or confidential.
