[LINK] DNS outage?
Marghanita da Cruz
marghanita at ramin.com.au
Fri Jul 31 11:34:34 AEST 2009
Glen Turner wrote:
> On 29/07/09 09:32, Stilgherrian wrote:
>> But ICMP can certainly be used to map and profile a network. You can,
>> for example, find out what specific version of an operating system
>> some box is running by sending a few well-crafted packets. Once you
>> know that, you can then better plan your attack. Blocking most of ICMP
>> means you close off that possibility for reconnaissance.
> Sure, there's an argument for limiting ICMP to the average host.
> But limiting it from servers in the DMZ -- servers with names
> like www.example.edu.au -- is insane since attackers can find
> those hosts anyway with a simple DNS request.
>> If you're talking REALLY secure, it's not about stopping just the
>> known exploits, but reducing the potential for exploits through
>> unknown vulnerabilities. Allow ONLY the packets necessary to provide
>> the service and block everything else.
>> People who do infosec for a living may well shoot holes in what I just
>> said. Please, clarify.
> That's exactly the infosec argument. Which leads to smooth wall networks,
> which means that when it breaks the ISP can't help, which leads to the
> extended interruption that the infosec measures were designed to avoid.
> A lot of this is the ego of technical staff, not a rational business
> decision. The notion that the site is staffed by a bunch of heroes who
> don't need no stinkin' help from nobody, and our net, why it's so tight
> that not even an ICMP Ping can get into the DMZ.
> The other culprits are auditors. They are very uncomfortable with the
> risk trade-off approach, since that requires the auditor to understand
> the business *and* the technology *and* make a judgement that might be
> challenged down the track. They'd much rather be extremely
> litigation-averse and simply demand extreme measures. A classic here being
> password policies -- the auditors lack enough guts to demand multi-factor
> authentication, but insist on tightening down the password policy
> to the extent that it becomes a significant denial of service risk
> in and of itself.
You have summed up reality succinctly. However, it is important to keep
in mind, as you have pointed out, that ultimately it is a business decision.
The few people who understand the business and the technology are hopefully
running the business. The auditors are just an additional check and, as has been
shown in the financial sector - where one would guess the uncertainty and risks
are easier to quantify - have ultimately been of limited real value. Despite the
level of scrutiny SOX supposedly introduced in the US, we still had the GFC!
The success of a business is generally dependent on the quality of the leadership
of the organisation, which has to assess and balance the advice (and reliability
of the advice available to them) from many parties (market, techs, lawyers,
auditors, economic....) and identify and make appropriate decisions - which
contribute to the success, or otherwise, of the business.
In practice, this is far from a trivial task and involves much more than writing
or even reading audit reports.
This is what we tried to encapsulate in AS8015, and what I tried to show when
I commissioned the illustrations here:
and the one here, when I chaired the ACS Governance of ICT committee:
The next stage, I was keen to see was Project and Operations Governance of ICT
standards that would provide the link/elaborate between AS8015 and the audit
(COBIT) project, service and security management standards. However, getting the
appropriate forum and participants together to draft such documents is not an
occurrence or necessarily sustainable!
Some level of regulation that is useful/effective is also required. One would
expect that the Internet/DNS stuff should be covered Internet Security
ACMA or <http://www.dbcde.gov.au/> in work such as:
> The Australian Internet Security Initiative (AISI)
Marghanita da Cruz
Phone: (+61)0414 869202