Re: [was] Blended threats

[Jeremy Poteet <jeremy@poteet.com>]

On 7/17/03 1:35 PM, "Nasseam Elkarra" <nelkarra@opensec.org> wrote:

> It is more than a buffer overflow as someone mentioned in the call and
> can fit into more than one category. However, blended threats usually
> have an entry point. In this case, the buffer overflow provided CodeRed
> the necessary privileges to perform the latter attacks. In scenarios
> like this, we can try to classify the threat in multiple categories or
> simply focus on the entry attack.

I think this idea of whether we focus on only the entry attack or not is an
important issue.  For example a SQL Injection attack can be used to launch
all sorts of other attacks.

In some cases  these additional attacks are worth noting.  You may be able
to modify the schema, execute OS commands, read files, etc. depending on the
database in use, how the SQL being injected into is formed, and various
configuration settings.  In these cases, I would like to know not only about
the area that is vulnerable to SQL Injection, but also the configuration
settings I need to lock down to prevent the subsequent attacks.  Basically,
I'd like to be able to report on "defense in depth" issues.

In other cases, we are only dealing with subtle differences in the payload
of the attack.  I may be able to accomplish a variety of things, depending
on my intent, but the resolution would be the same in all cases.  In this
situation, it may not be important to itemize each and every scenario.

I feel that if we begin to decide where the line should be drawn, this will
help later in the process to keep focus on how far to take particular
scenarios.

Jeremy Poteet, CISSP
Chief Technology Officer
Technology Partners, Inc.
1-877-636-1331 x105 (toll free)
636-519-1221 x105
http://www.tech-partners.com