[LINK] DNS outage?

Crispin Harris crispin.harris at gmail.com
Fri Jul 31 12:41:17 AEST 2009

On Fri, Jul 31, 2009 at 9:34 AM, Marghanita da Cruz <marghanita at ramin.com.au> wrote:

> Glen Turner wrote:
> > On 29/07/09 09:32, Stilgherrian wrote:
> >
> >> But ICMP can certainly be used to map and profile a network. You can,
> >> for example, find out what specific version of an operating system
> >> some box is running by sending a few well-crafted packets. Once you
> >> know that, you can then better plan your attack. Blocking most of ICMP
> >> means you close off that possibility for reconnaissance.
> >
> > Sure, there's an argument for limiting ICMP to the average host.
> > But limiting it from servers in the DMZ -- servers with names
> > like www.example.edu.au -- is insane since attackers can find
> > those hosts anyway with a simple DNS request.

Surveillance is merely one of the MANY things that can be done with ICMP.
ICMP *is* after all the Internet Control Messaging Protocol.

ICMP is about CONTROLLING traffic across the internet - and can be used for
ill, just as it can be used for good.

> > That's exactly the infosec argument. Which leads to smooth wall
> > networks,
> > which means that when it breaks the ISP can't help, which leads to the
> > extended interruption that the infosec measures were designed to avoid.
> >
> > A lot of this is the ego of technical staff, not a rational business
> > decision. The notion that the site is staffed by a bunch of heroes who
> > don't need no stinkin' help from nobody, and our net, why it's so tight
> > that not even an ICMP Ping can get into the DMZ.

Sigh - yes this DOES happen sometimes.
And *JUST* like any other environment, when it happens in IT the offenders
need to be disciplined.

> > The other culprits are auditors. They are very uncomfortable with the
> > risk trade-off approach, since that requires the auditor to understand
> > the business *and* the technology *and* make a judgement that might be
> > challenged down the track. They'd much rather be extremely litigation-
> > adverse and simply demand extreme measures.  A classic here being
> > password policies -- the auditors lack enough guts to demand multi-factor
> > authentication, but insist on tightening down the password policy
> > to the extent that it becomes a significant denial of service risk
> > in and of itself.

A strange thing here - From my experience it is not usually the auditors who
are at fault here.
The majority of audit in IT/ICT is:
 - Comparison of practice with policy.
 - Comparison of practice/policy with Best practice

Now "Audit" (quotation marks VERY deliberate) which is merely tool-based
technical vulnerability assessment is a very different thing.
Unfortunately, many organisations that pretend to provide "IT Security
Audit" are doing the tool-based vulnerability assessment - and this is
neither comparing against best practice, nor comparing against company
security policy.

> You have summed up reality succinctly. However, it is important to keep
> in mind, as you have pointed out, that ultimately it is a business
> decision.

This is a critical point that many ICT "professionals" fail to properly

Security is made up of three pillars: Confidentiality, Integrity,
This third item is VASTLY under appreciated.

Security is a business process, and is there to ensure that the business can
continue to process.
 - NEVER pay more for your protections than the asset is worth - but remember to include the cost of disclosure & cleanup.

> Despite the
> level of scrutiny SOX supposedly introduced in the US, we still had the
> GFC!

Yes - you need to be controlling the right thing!


Crispin Harris
crispin.harris at gmail.com
"Well, you know... most Catholics are so boring, you kind of expect them to
be fairly reasonable and not, say, frothing papal fanboys with the IQ of a
turnip. So he had me fooled. Not any more, though."
Thanks to Eric The FruitBat (etfb.livejournal.com)
