[nsp-sec] Questions about Prevention, Detection and Education surrounding the ASP SQL injections
Zot O'Connor
zoto at microsoft.com
Wed May 28 19:15:50 EDT 2008
We've gotten a few responses, and they are helping target documents. Of course I want many more ;) And some folks have asked, I will keep any and all information shared confidential. I prefer having sanitized data to share with folk, but even compiling responses is very helpful.
We have recently gotten some info, which we think is wrong, that the SQL attacks are putting malware on the attacked system (vs. inserting IFRAMEs in the DB to another server, which may or may not be attacked). Has anyone seen this?
Thanks!
Zot O'Connor
MSRC Ecosystem Strategy Team
Partner Outreach
(425) 722-7575
-----Original Message-----
From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Zot O'Connor
Sent: Wednesday, May 28, 2008 12:08 AM
To: nsp-security at puck.nether.net
Subject: [nsp-sec] Questions about Prevention, Detection and Education surrounding the ASP SQL injections
----------- nsp-security Confidential --------
Howdy!
We are currently working on providing guidance to customers who are dealing with the SQL injections that are attacking ASP pages.
As you are probably already aware, the injections do not attack via a vulnerability, but attack via weaknesses in configurations and software running on the servers.
We are trying to compile a list of suggestions, ideas, tools, and experiences for dealing with the SQL injections.
If you could please take a few moments and answer the following questions, it would greatly help us, and our mutual customers. Even if you have not dealt with the attacks, if you have prior experience or thoughts on this, it could greatly assist us.
The following outline reflects our thoughts. We are looking for ideas on Detection, Prevention, Education, and future requests.
1. Detection
   a. Have you detected attacks?
      i. Was the attack successful?
      ii. What was the impact?
      iii. What was the cause of the weakness?
         1. Was it home-grown configurations or software?
         2. Was it part of a package or SOP?
   b. How are you doing detections?
      i. Are you watching logs?
      ii. Are you monitoring your web sites?
      iii. Are you using search engines?
      iv. Are you looking at incoming or outgoing requests?
   c. Did you have packet traces or logs you can share?
   d. Tools
      i. Which tools are effective?
      ii. Which are ineffective (that you might think would have worked)?
2. Prevention
   a. Have you deployed defenses for the attacks?
      i. Are you using any tools?
         1. Filters
         2. Firewalls/IPS
         3. Host based programs
         4. Do you scan for weak systems?
         5. Do you scan for weak code?
      ii. Configuration Changes
      iii. What do you use for guidance for doing this?
   b. Did previously deployed defenses help you?
   c. Have any SOPs helped?
3. Education
   a. Are customers aware of the problem?
   b. Are they taking action?
   c. Are they successful in detection or prevention?
   d. Where are they going for their information?
   e. What information helps them the most?
4. Requests for Microsoft
   a. Are there specific tools or features you think Microsoft could create or change that would help?
   b. What form of advice would help your customers?
Thanks for your time!
Zot O'Connor
MSRC Ecosystem Strategy Team
Partner Outreach
(425) 722-7575
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________