Security UPDATE, May 8, 2002

Windows & .NET Magazine Security UPDATE—brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems.
http://www.secadministrator.com


THIS ISSUE SPONSORED BY

Reliable Patch Management
http://www.stbernard.com/products/targetpages/win2kN-ue.asp

Connected Home Magazine Virtual Tour
http://www.connectedhomemag.com/virtualtour
(below IN FOCUS)


SPONSOR: RELIABLE PATCH MANAGEMENT

IT Managers scanning systems for security hotfixes and patches are left wondering whether the systems they thought were safely patched are actually vulnerable. UpdateEXPERT(tm) solves this patch management and deployment dilemma. It is the only remediation tool that uses a research database from third party test results and analytical information to make deployment reliable. Research available fixes, scan workstations and servers, deploy updates without remote agents and validate the job, all in a single tool.
FREE Live Trial:
http://www.stbernard.com/products/targetpages/win2kN-ue.asp


May 8, 2002—In this issue:

1. IN FOCUS

  • Intrusion Cleanup: What's the Cost?

2. SECURITY RISKS

  • Multiple Vulnerabilities in BEA WebLogic
  • DoS in ISS's RealSecure Network Sensor

3. ANNOUNCEMENTS

  • Cast Your Vote for Our Readers' Choice Awards!
  • Mobile and Wireless Solutions—An Online Resource for a New Era

4. SECURITY ROUNDUP

  • News: ISS Teams with Network Associates
  • News: Gartner Says Most Attacks Will Exploit Known Flaws
  • News: Word Patch Fixes Outlook Email Vulnerability
  • News: Security Bug Fixes

5. SECURITY TOOLKIT

  • Virus Center
  • FAQ: What Is Windows Update Corporate Edition?

6. NEW AND IMPROVED

  • Defend Against Intruders and Malicious Code
  • Secure Enterprise Servers with Free Beta

7. HOT THREADS

  • Windows & .NET Magazine Online Forums
        Featured Thread: Screen Saver Passwords
  • HowTo Mailing List
        Featured Thread: Security Policy Disciplinary Measures

8. CONTACT US

  • See this section for a list of ways to contact us.

1. IN FOCUS
(contributed by Mark Joseph Edwards, News Editor, [email protected])

  • INTRUSION CLEANUP: WHAT'S THE COST?

  • Has your network ever suffered intrusion or misuse? If not, you're among the fortunate few. If so, the cause might have been a virus, worm, or Trojan horse; a workstation, server, or router breach; or an employee misusing company services and bandwidth. In any case, have you ever calculated the cost to clean up such messes and return everything to its prior state? Although you might find calculating such losses tedious, you can find ways to reach a fairly accurate figure.

    Dave Dittrich's online FAQ "Estimating the cost of damages due to a security incident" (see the first URL below) can help you think of the factors to consider and the costs to associate with each factor in the clean-up process. Dittrich notes that proposed Senate Bill S.2448, "The Internet Integrity and Critical Infrastructure Protection Act of 2000" (introduced in the 106th Congress, see the second URL below), defines how organizations can calculate loss. According to Senate Bill S.2448, "The term 'loss' means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service."
    http://staff.washington.edu/dittrich/misc/faqs/incidentcosts.faq
    http://www.senate.gov/search/index.html

    According to Dittrich's interpretation of the bill's definition, tallied costs should include all staff time spent cleaning up damage; lost productivity time, including that of users (who lacked working systems) and business partners (who were denied service during this period); lost time in terms of e-commerce revenue; and the price of replacing hardware, software, and other damaged or stolen property. The loss calculation shouldn't include precautionary measures put in place to prevent similar attacks in the future. You should consider such measures part of ordinary systems administration.

    Dittrich also cites the Incident Cost Analysis & Modeling Project (ICAMP—see the URL below) that the Committee on Institutional Cooperation (CIC) and the University of Chicago conducted. ICAMP figures the basic monetary loss relative to affected users by calculating an hourly wage (dividing an annual salary by 52 weeks, then by 40 hours) and multiplying that wage by hours of work lost. As you'll see, the ICAMP materials calculate additional costs as well.
    http://www.cic.uiuc.edu/groups/cic/listicampreports.shtml

    Dittrich's FAQ is short, to the point, and a good place to start to learn how to calculate security-related losses. The FAQ includes a sample Microsoft Excel spreadsheet that you can use as a model to help build a loss-calculation tool for your enterprise.

    For more information, read CIO Magazine's February 15, 2002, article "Finally, A Real Return on Security Spending" (see the first URL below), which discusses an approach to calculating Return on Investment (ROI) for Intrusion Detection Systems (IDSs). The February 15 article references another article's sidebar, "Calculating Return on Security Investment" (see the second URL below). The sidebar presents a relatively simple formula for the ROI calculation: (R - E) + T = ALE, in which R is the cost per year to recover from intrusions, E is the dollar savings gained by preventing intrusions, and T is the cost of an intrusion-detection tool. The result is your Annual Loss Expectancy (ALE). To calculate Return on Security Investment (ROSI), subtract your ALE from the annual cost of intrusion.
    http://www.cio.com/archive/021502/security.html
    http://www.cio.com/archive/021502/security_sidebar_content.html
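    The Dittrich/ICAMP cost categories and the CIO sidebar's ALE formula, carried through in code as an added example (not from Dittrich's FAQ spreadsheet or the CIO article). The salaries, hours, incident rate and tool price are constructed figures; the structure shows which items count toward loss and which (precautionary spending) do not.

```python
from dataclasses import dataclass, field

def hourly_wage(annual_salary: float) -> float:
    """ICAMP rate: annual salary divided by 52 weeks, then by 40 hours."""
    return annual_salary / 52 / 40

@dataclass
class LostTime:
    """Hours one person lost to the incident, priced at that person's wage."""
    role: str
    annual_salary: float
    hours: float

    def cost(self) -> float:
        return hourly_wage(self.annual_salary) * self.hours

@dataclass
class Incident:
    cleanup: list = field(default_factory=list)            # staff time spent cleaning up
    lost_productivity: list = field(default_factory=list)  # users/partners denied service
    lost_revenue: float = 0.0   # e-commerce revenue lost during the outage
    replacement: float = 0.0    # hardware, software, damaged or stolen property
    precautionary: float = 0.0  # new preventive measures: recorded but NOT part of the loss

    def loss(self) -> float:
        """Loss in the S.2448 sense: response, assessment, restoration and lost revenue."""
        people = self.cleanup + self.lost_productivity
        return sum(t.cost() for t in people) + self.lost_revenue + self.replacement

def annual_loss_expectancy(r: float, e: float, t: float) -> float:
    """CIO sidebar formula: ALE = (R - E) + T."""
    return (r - e) + t

def rosi(r: float, e: float, t: float) -> float:
    """Return on security investment: annual cost of intrusions minus ALE."""
    return r - annual_loss_expectancy(r, e, t)

# Constructed sample: one worm outbreak; salaries, hours and head counts are made up.
SAMPLE = Incident(
    cleanup=[LostTime("sysadmin", 62_400, 30), LostTime("helpdesk", 41_600, 16)],
    lost_productivity=[LostTime("user", 52_000, 4) for _ in range(50)],
    lost_revenue=5_000, replacement=1_200, precautionary=15_000,
)

def sample_rosi(per_year: int = 4, prevented: float = 0.75, tool_cost: float = 15_000) -> dict:
    """Yearly ALE/ROSI for the sample incident (incident rate and tool figures assumed)."""
    r = SAMPLE.loss() * per_year  # R: yearly cost to recover from intrusions
    e = r * prevented             # E: savings from the intrusions the tool would prevent
    return {"R": r, "E": e, "T": tool_cost, "ALE": annual_loss_expectancy(r, e, tool_cost),
            "ROSI": rosi(r, e, tool_cost)}
```

    Swap the constructed LostTime entries for your own staff and user figures; the precautionary field is kept only so the spreadsheet-style record is complete, and loss() deliberately ignores it.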

    Many of you have trouble getting your managers to approve budgets for security-related tools. You need clear ways to demonstrate the value of security-related measures and tools. You'll find calculating actual losses from intrusion or misuse a great way to justify a more adequate security budget, especially for preventive measures.


SPONSOR: CONNECTED HOME MAGAZINE VIRTUAL TOUR

THE CONNECTED HOME VIRTUAL TOUR IS BACK AND BETTER THAN EVER!
If you think you've already seen the Connected Home Magazine Virtual Tour, think again. Browse through the latest home entertainment, home networking, and home automation options and check out our special feature on wiring your home. Sign up for our prize drawings, too, and you might win a free cinema card courtesy of VisionTek and NVIDIA. Take the tour today!
http://www.connectedhomemag.com/virtualtour


2. SECURITY RISKS
(contributed by Ken Pfeil, [email protected])

  • MULTIPLE VULNERABILITIES IN BEA WEBLOGIC

  • Multiple vulnerabilities exist in BEA Systems' BEA WebLogic 6.1 for Windows 2000 Service Pack 2 (SP2). A problem with the URL parser in BEA WebLogic could let an attacker reveal the physical path to the Web root, cause a Denial of Service (DoS) attack, or reveal the source code of .jsp files.

    By appending %00.jsp to a normal HTML request, an attacker can in some cases generate a compiler error that prints out the path to the physical Web root.

    By requesting a DOS device and appending .jsp to the request, an attacker can exhaust working threads, which will cause the Web service to stop parsing HTTP and HTTP over Secure Sockets Layer (HTTPS) requests.

    An attacker can use several methods to manipulate the URL in a way that will let the attacker read the contents of a .jsp file. For example, a malicious user can append %00x or "+." (exclamation marks excluded) to a request for a .jsp file and read the contents of the .jsp file. BEA has released a patch that resolves these vulnerabilities.

    http://www.secadministrator.com/articles/index.cfm?articleid=25069
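    A defender-side check for the request patterns just described, added here as an example (it is not from the advisory or from BEA): it scans Common Log Format lines for the %00.jsp, .jsp%00x, .jsp+. and DOS-device.jsp forms and tallies matches per client, so a WebLogic administrator can see probing in the access log while the patch is rolled out. The log lines are constructed.

```python
import re

# Reserved DOS device names; a request for one with .jsp appended ties up a worker thread.
DOS_DEVICES = r"(?:CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])"

# One regex per pattern the advisory describes, matched against the raw (undecoded) request path.
RULES = {
    "null-byte-jsp": re.compile(r"%00\.jsp", re.I),   # %00.jsp on an HTML request: path disclosure
    "null-byte-x": re.compile(r"\.jsp%00x", re.I),    # .jsp%00x: source disclosure
    "plus-dot": re.compile(r"\.jsp\+\.", re.I),       # .jsp+. : source disclosure
    "dos-device-jsp": re.compile(r"/" + DOS_DEVICES + r"\.jsp(?:[?#]|$)", re.I),  # thread exhaustion
}

# Common Log Format: client, ident, user, [timestamp], "METHOD path proto", status, ...
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')

def scan(lines):
    """Return (client, path, status, [matched rules]) for each log line that trips a rule."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not CLF; a real deployment would log the parse failure
        client, path, status = m.groups()
        hits = [name for name, rx in RULES.items() if rx.search(path)]
        if hits:
            findings.append((client, path, status, hits))
    return findings

def hits_by_client(lines):
    """Count rule matches per client address, to see who is probing the URL parser."""
    counts = {}
    for client, *_ in scan(lines):
        counts[client] = counts.get(client, 0) + 1
    return counts

# Constructed sample log lines (not from any real server); the second client tries all four forms.
SAMPLE_LOG = """\
10.0.0.5 - - [08/May/2002:10:01:12 -0400] "GET /index.html HTTP/1.0" 200 512
10.0.0.9 - - [08/May/2002:10:01:15 -0400] "GET /index.html%00.jsp HTTP/1.0" 500 233
10.0.0.9 - - [08/May/2002:10:01:20 -0400] "GET /login.jsp%00x HTTP/1.0" 200 1843
10.0.0.9 - - [08/May/2002:10:01:22 -0400] "GET /login.jsp+. HTTP/1.0" 200 1843
10.0.0.9 - - [08/May/2002:10:01:30 -0400] "GET /con.jsp HTTP/1.0" 500 0
""".splitlines()

if __name__ == "__main__":
    for client, path, status, hits in scan(SAMPLE_LOG):
        print(f"{client} {status} {path} -> {', '.join(hits)}")
```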

  • DoS IN ISS'S REALSECURE NETWORK SENSOR

  • A Denial of Service (DoS) condition exists in Internet Security Systems' (ISS's) RealSecure Network Sensor. Specifically, a vulnerability in the three informational signatures associated with DHCP can result in a segmentation fault or exception error. An attacker can exploit this vulnerability by sending specially crafted DHCP traffic, causing the sensor to malfunction or crash. ISS has issued X-Press Update 4.3, which contains a fix for this vulnerability.
    http://www.secadministrator.com/articles/index.cfm?articleid=25070

3. ANNOUNCEMENTS

  • CAST YOUR VOTE FOR OUR READERS' CHOICE AWARDS!

  • Which companies and products do you think are the best on the market? Nominate your favorites in four different categories for our annual Windows & .NET Magazine Readers' Choice Awards. You could win a T-shirt or a free Windows & .NET Magazine Super CD, just for submitting your ballot. Click here!
    http://www.winnetmag.com/readerschoice

  • MOBILE AND WIRELESS SOLUTIONS—AN ONLINE RESOURCE FOR A NEW ERA

  • Our mobile and wireless computing site has it all—articles, product reviews, and other resources to help you support a wireless network and mobile users. Check it out today!
    http://www.mobile-and-wireless.com

4. SECURITY ROUNDUP

  • NEWS: ISS TEAMS WITH NETWORK ASSOCIATES

  • Internet Security Systems (ISS) and Network Associates have announced an alliance to deliver integrated security products and services. Network Associates will combine its fault isolation and performance management software, Sniffer Technologies, with ISS's intrusion-detection software, RealSecure. ISS said it will combine Network Associates' McAfee antivirus software with RealSecure and also offer customers managed security services.
    http://www.secadministrator.com/articles/index.cfm?articleid=25088

  • NEWS: GARTNER SAYS MOST ATTACKS WILL EXPLOIT KNOWN FLAWS

  • Speaking at the Gartner Symposium/ITxpo in San Diego, Gartner analysts predicted that by 2005, up to 90 percent of attacks will exploit known security vulnerabilities for which patches and workarounds are available but not applied. Gartner said that enterprises don't do enough to prepare for network intrusion.
    http://www.secadministrator.com/articles/index.cfm?articleid=25089

  • NEWS: WORD PATCH FIXES OUTLOOK EMAIL VULNERABILITY

  • Microsoft recommends that Outlook users who use Microsoft Word as their email editor—a configuration known as WordMail—install a new patch for Word. The update fixes a vulnerability that could let harmful scripts run if the user replies to or forwards an HTML message. Microsoft Office XP Service Pack 1 (SP1) or Office 2000 Service Release 1/1a (SR1/1a) is a prerequisite.
    http://www.microsoft.com/technet/security/bulletin/ms02-021.asp

  • FEATURE: SECURITY BUG FIXES

  • The security subsystem correctly records account lockout events when a user reaches the bad password threshold while logging on with a domain account; however, a bug in the audit code prevents the system from recording the account lockout when a user reaches the bad password threshold while logging on with a local workstation or server account.

    The Windows 2000 Post-Service Pack 2 (SP2) file system driver has a bug that might cause ntfs.sys to crash with a stop code of 0x00000003. The blue screen occurs when the file system driver attempts to release the same resource twice.

    When a system has a bad print driver, you might see several different error messages when you try to print a file or document. To recover from this error, you need to delete the printer, delete the print-driver file, and clean up printing subsystem registry entries. Learn more about these problems in Paula Sharick's article on our Web site.
    http://www.secadministrator.com/articles/index.cfm?articleid=25033

5. SECURITY TOOLKIT

  • VIRUS CENTER

  • Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
    http://www.secadministrator.com/panda

  • FAQ: WHAT IS WINDOWS UPDATE CORPORATE EDITION?

  • (contributed by John Savill, http://www.windows2000faq.com)
    A. Windows Update Corporate Edition, which Microsoft plans to release in the second quarter of 2002, will let administrators host their own version of the Windows Update Web site on a local intranet. Windows Update Corporate Edition will, at scheduled intervals, pull the latest fixes from the public Windows Update Web site. A client component will let administrators check the intranet-based Windows Update site and use Group Policy settings to automatically download updates to clients.

    The Windows Update Corporate Edition will help companies preserve bandwidth that they now use to repeatedly download the same fixes and will offer greater control over which updates users can install. For more information, visit the Microsoft Web site.
    http://www.microsoft.com/technet/ittasks/support/corpwu.asp

6. NEW AND IMPROVED
(contributed by Judy Drennen, [email protected])

  • DEFEND AGAINST INTRUDERS AND MALICIOUS CODE

  • Network Associates released McAfee Desktop Firewall 7.5, software that inspects inbound and outbound traffic and allows or blocks connections, stops malicious code, detects unauthorized intrusions and application connections, records the event, and alerts the administrator. Desktop Firewall 7.5 also protects remote and broadband users. Desktop Firewall 7.5 runs on Windows XP, Windows 2000, Windows NT, Windows Me, and Windows 9x. For pricing, contact Network Associates at 972-308-9960 or 888-847-8766.
    http://www.mcafeeb2b.com/products/desktop-protection.asp

  • SECURE ENTERPRISE SERVERS WITH FREE BETA

  • Turillion Software Technologies released the eServer Secure Manager beta, software designed to help the enterprise manage 100 or more eServer Secure-protected servers from a single console. Turillion's eServer Secure Manager beta software is available now for free to qualified beta testers from Turillion's private beta Web site at http://www.turillion.com/beta. For more information, contact Turillion at 800-604-3228.
    http://www.turillion.com

7. HOT THREADS

  • WINDOWS & .NET MAGAZINE ONLINE FORUMS

  • http://www.winnetmag.net/forums

    Featured Thread: Screen Saver Passwords
    (Three messages in this thread)

    Claus wants to know how he can ensure that all network users (on systems including Windows 2000, Windows NT, and Windows 98) use password-protected screen savers.
    http://www.secadministrator.com/forums/thread.cfm?cfapp=64&thread_id=103120#message268910

  • HOWTO MAILING LIST

  • http://www.secadministrator.com/listserv/page_listserv.asp?s=howto

    Featured Thread: Security Policy Disciplinary Measures
    (One message in this thread)

    Paul is developing a security policy and wants to include information about disciplinary measures that will apply to users who violate policies (the measures taken would depend upon the associated impact). He's looking for documentation or Web sites that offer generic information about such disciplinary measures. Can you help? Read the responses or lend a hand at the following URL:
    http://63.88.172.96/listserv/page_listserv.asp?A2=ind0205a&l=howto&p=1230

8. CONTACT US
    Here's how to reach us with your comments and questions:

    (please mention the newsletter name in the subject line)

    This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!
    http://www.secadministrator.com/sub.cfm?code=saei25xxup

    Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
    http://www.winnetmag.net/email
