
Re: Vulnerabilities in some SCADA server softwares



On 03/23/2011 03:01 PM, Jim Harrison wrote:
BTW, now that you know about it and there is no defined mitigation, what
exactly *will* you do about it?

This seems rather obvious, but....

1. Ensure none of the affected SCADA systems are present on my work's network (BTW none are present on my home LAN).
2. Ensure that these systems, if they exist, are not accessible from either the Internet or even the local network where most of the users are.

(BTW those first two are a given as far as security 101 is concerned, the rest seem like common sense)

3. Use Luigi's advisories and POC to understand the nature of the vulnerabilities.
4. Write custom IDS/IPS signatures to detect said vulnerabilities (not the exploits, big difference).
5. *If* these systems must, for whatever stupid reason, be attached to the regular LAN with the regular users, the IDS/IPS signatures will disallow the malicious connectivity they detect. If I am really paranoid, or feel that I cannot construct an adequate mitigation strategy that allows access, then all access is disallowed until a patch is available.
6. *If* the systems are not accessible, but in the future they have to be, for whatever stupid reason, I have some sigs and some steps I can take.

Is that perfect? No of course not. Can I sell this plan to upper management? Sure. All of the "bad" info is public, remember? Can I now lean on the vendor and bitch about how vulnerable we are? Absolutely.

I have worked at large corporations, done full/limited/responsible disclosure professionally and as a hobby, and have worked for vendors who sold security solutions and who have had bugs in their products reported to them. There is no solution for bug disclosure, period. Someone somewhere will get pissed off, and no matter what the "rules" are someone will break them.

The disclosure method is irrelevant actually. One learns to adapt quickly to new information whether "good" or "bad", or dies standing around bitching about something that didn't go their way and that they can't control anyway.

-SN