Saturday, October 06, 2007

Intruders Continue to Be Unpredictable

One of my three basic security principles is that advanced intruders are unpredictable. Believing you can predict what intruders are going to do next results in soccer-goal security. As I said in Pescatore on Security Trends, advanced attackers are digital innovators. I think I will start calling advanced intruders intrupreneurs.

I just read and watched great examples of this principle in action courtesy of pdp at CITRIX: Owning the Legitimate Backdoor. I recommend reading the post and watching the two videos. If you are practicing Network Security Monitoring, I recommend querying your session data for all incoming Citrix traffic, for as far back as you have it stored, looking for unusual or unexpected activity. If you are not practicing NSM already, I suggest beginning emergency NSM to watch your Citrix servers.

It's important to realize that you may not even know you have certain Citrix servers active on your network. The flip side of the "intruders are unpredictable" principle is that your network is probably unpredictable too! In other words, you could be happy thinking "we have no Citrix servers," but after looking via NSM you find you do. It's probable a bad guy found them before you did, but courtesy of NSM you have data about what happened. More often than not, that's the best you can do with your time and resources.
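The session-data query recommended above, and the inventory problem of finding Citrix servers you did not know you had, as an added illustration (this is not code from the original post or from the product it discusses). It assumes session records exported as CSV with the columns start_time,src_ip,src_port,dst_ip,dst_port,proto,bytes, a constructed layout loosely modelled on the flow summaries NSM sensors store; the internal range, the server inventory and the sample sessions are constructed values. Citrix ICA listens on 1494/tcp and session reliability (Common Gateway Protocol) on 2598/tcp, which is what the filter keys on.

```python
"""Sweep stored session (flow) data for inbound Citrix traffic and flag
servers that are missing from the inventory the admins believe is complete.

Added example, not code from the original post. Assumed record format:
CSV with start_time,src_ip,src_port,dst_ip,dst_port,proto,bytes (constructed,
loosely modelled on SANCP/Argus-style session output).
"""
import csv
import io
import ipaddress

# Citrix ICA (1494/tcp) and Common Gateway Protocol session reliability (2598/tcp).
CITRIX_PORTS = {1494, 2598}

# Constructed sample values: the site's internal range and the only hosts
# the administrators think are running Citrix.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
KNOWN_CITRIX_SERVERS = {"10.1.1.20"}

# Constructed session records (not real traffic); 10.7.3.44 is the surprise.
SAMPLE_SESSIONS = """\
start_time,src_ip,src_port,dst_ip,dst_port,proto,bytes
2007-09-30T02:14:05,203.0.113.7,51234,10.1.1.20,1494,tcp,48213
2007-09-30T02:20:41,203.0.113.7,51240,10.1.1.20,2598,tcp,120044
2007-10-01T23:58:12,198.51.100.9,40022,10.7.3.44,1494,tcp,9102
2007-10-02T00:05:33,198.51.100.9,40030,10.7.3.44,1494,tcp,338120
2007-10-02T11:00:00,10.2.2.5,55000,10.1.1.20,1494,tcp,7000
2007-10-02T11:01:00,203.0.113.7,51300,10.1.1.20,443,tcp,1500
"""


def parse_sessions(text):
    """Yield one dict per CSV session record with numeric fields converted."""
    for row in csv.DictReader(io.StringIO(text)):
        row["src_port"] = int(row["src_port"])
        row["dst_port"] = int(row["dst_port"])
        row["bytes"] = int(row["bytes"])
        yield row


def inbound_citrix_sessions(records, internal_net=INTERNAL_NET):
    """Keep TCP sessions from outside the internal range to a Citrix port inside it."""
    hits = []
    for r in records:
        src = ipaddress.ip_address(r["src_ip"])
        dst = ipaddress.ip_address(r["dst_ip"])
        if (r["proto"].lower() == "tcp" and r["dst_port"] in CITRIX_PORTS
                and dst in internal_net and src not in internal_net):
            hits.append(r)
    return hits


def summarize_by_server(hits):
    """Per destination server: first/last seen, distinct external sources, byte total."""
    summary = {}
    for r in hits:
        s = summary.setdefault(r["dst_ip"], {
            "first": r["start_time"], "last": r["start_time"],
            "sources": set(), "bytes": 0})
        s["first"] = min(s["first"], r["start_time"])  # ISO timestamps sort as strings
        s["last"] = max(s["last"], r["start_time"])
        s["sources"].add(r["src_ip"])
        s["bytes"] += r["bytes"]
    return summary


def unknown_citrix_servers(summary, known=KNOWN_CITRIX_SERVERS):
    """Servers that accepted inbound Citrix sessions but are not in the inventory."""
    return sorted(ip for ip in summary if ip not in known)


if __name__ == "__main__":
    hits = inbound_citrix_sessions(parse_sessions(SAMPLE_SESSIONS))
    summary = summarize_by_server(hits)
    for ip, s in sorted(summary.items()):
        tag = "known" if ip in KNOWN_CITRIX_SERVERS else "UNKNOWN"
        print(f"{ip:15} {tag:8} first={s['first']} last={s['last']} "
              f"sources={len(s['sources'])} bytes={s['bytes']}")
    print("Servers to investigate:", unknown_citrix_servers(summary))
```

The per-server summary is deliberately the output, not an alert: the point of looking back through stored session data is to get first-seen and last-seen times and the set of external sources per server, so that a host absent from the inventory can be reviewed against the full record rather than a single flagged packet.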

3 comments:

Marcin Antkiewicz said...

I would love to see a realistic comparison of the cost of a project to roll out, and maintain, VPN-only access to the corporate network vs. the estimated cost of handling a Citrix server compromise.

On the other hand, given the amount of hand waving visible in any discussion on the "cost of compromise" or "our _threat_ model", I do not think that that is feasible. It's a shame, and a nasty reminder of how immature current corporate ITSec practice is.

Tomas said...

I found the following at Citrix Systems Inc.'s web page:

Citrix's passion is to simplify information access for everyone. As the only enterprise software company 100% focused on access, this is also our unique passion.

... Higher Productivity: Users need access to be invisible. They want easy, on-demand access from wherever they are, using any device and network.


So Citrix wants to simplify information access for everyone and make it invisible.

Anonymous said...

Most network intruders are not stupid. It takes a great deal of skill to circumvent network boundary defenses. Sure, there are script kiddies and automated bots, but when the network defenses are complex, so too are the intruders.