RE: IDS and Spywares

["Justin Shore" <justin.shore () sktbcs com>]

There is an extremely easy solution to this problem.  Remove local administrative rights from users' PCs.  There is 
absolutely no reason whatsoever for a user in a corporate environment to have local admin rights if they aren't 
actually a sysadm.  In a home environment there is absolutely no reason for a user to be a local admin all the time.  
Remove this capability for the residential-grade OSs and make users utilize the Run As feature of XP and 2000.  Better 
yet make this process automatic like in OS X.  There is no reason in this day and age for users to need constant local 
admin access, if they need local admin access, period.

Justin

PS==> IIRC Network Magazine, Network Computing, or some other such magazine echoed this exact sentiment in the most 
recent issue when they tested a couple dozed xIDS implementations.  100% of their spyware compromises were directly 
caused by local admin access.


> -----Original Message-----
> From: Matt Jonkman [mailto:matt () infotex com]
> Sent: Thursday, October 13, 2005 10:08 AM
> To: Omar A. Herrera
> Cc: focus-ids () securityfocus com; 'vipul kumra'; dhruv_ymca () yahoo com;
> neelabhsharma1 () gmail com
> Subject: RE: IDS and Spywares
>
> I strongly disagree that IDS is not effective with spyware. I grant that
> hids is a good thing. But maybe I'm from the old school of thought, that
> you can't trust any system to police itself. That system is corruptable,
> and thus needs outside oversight. Security 101.
>
> That is exemplified by the number of worms that kill AV on their
> victims, or alter hosts files so they can't get new dats, etc. The
> victim sits there warm and fuzzy because they paid the 40 dollar
> Symantec tax, and they're blasting spam to the world, none the wiser.
> The code to do these things is easil available, and surely will be used
> by spyware once they feel a hit to their pocketbook. If there's money to
> be made they'll do it.
>
> Matt
>
>
>
>
> On Wed, 2005-10-12 at 22:52 +0100, Omar A. Herrera wrote:
> > > -----Original Message-----
> > > From: vipul kumra [mailto:vikumar2 () yahoo com]
> > >
> > > Hi Dhruv,
> > >
> > > I agree with what you have said... but then there is
> > > no 100% fool proof method for detecting anything. As
> > > far as I've seen iPolicy Networks IDS protection is
> > > quite strong... :)
> >
> > Why use a hammer with a screw? Network based detection is able to deal
> > pretty well with known network threats, but some sort of malware
> (including
> > some Trojans and spyware) are customized or modified and used with
> specific
> > targets. You won't detect those with generic signatures or network based
> > anomaly behavior.
> >
> > hIDS/hIPS ar much more effective in detecting and preventing these
> attacks.
> > If there is any anomalous activity to be detected or any forbidden
> action to
> > be blocked, it will be host based, not network based. To start, there is
> a
> > considerable number of ways that these threats can travel through the
> > network (e.g. web scripts, P2P messaging, email attachments, trojanized
> > downloaded software)and they might not even used the network to get to
> their
> > target (Sharing of USB memory sticks, CDs, DVDs,...)
> >
> > Personally I doubt that it is even worth trying to catch this kind of
> > malware with a network based IDS or IPS. I would rather use the time for
> > polishing hIPS/personal firewall policies.
> >
> > I think this is what Dhruv meant.
> >
> > Regards,
> >
> > Omar Herrera
> >
> >
> > ------------------------------------------------------------------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it
> > with real-world attacks from CORE IMPACT.
> > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> > to learn more.
> > ------------------------------------------------------------------------
> --
> --------------------------------------------
> Matthew Jonkman, CISSP
> Senior Security Engineer
> Infotex
> 765-429-0398 Direct Anytime
> 765-448-6847 Office
> 866-679-5177 24x7 NOC
> my.infotex.com
> www.offsitefilter.com
> www.bleedingsnort.com
> --------------------------------------------
>
>
> NOTICE: The information contained in this email is confidential
> and intended solely for the intended recipient. Any use,
> distribution, transmittal or retransmittal of information
> contained in this email by persons who are not intended
> recipients may be a violation of law and is strictly prohibited.
> If you are not the intended recipient, please contact the sender
> and delete all copies.
>
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> ------------------------------------------------------------------------
>
>
> --
> No virus found in this incoming message.
> Checked by AVG Anti-Virus.
> Version: 7.0.344 / Virus Database: 267.12.0/134 - Release Date: 10/14/2005

-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.344 / Virus Database: 267.12.1/136 - Release Date: 10/15/2005
 

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------