I recently saw a graphic where CIO’s and CSO’s were asked if regulatory compliance has improved the organization’s security posture. As you would expect, the CIO’s strongly agreed with the statement while CSO’s leaned more toward strongly disagree.

Well, now another thought comes to us infosec professionals from the legal world. We are already under lots of compliance requirements like BASELII, SOX, HIPAA, PCI-DSS, FISMA and such. But now another thought we have to contend with is “legally defensible” IT security. I agree that this idea does have it’s merits trying to get everyone talking the same language of risk and management. It is challenging enough to get information security talking the business language, but now we have to learn legalese? I think I’ll look to see if translate.google.com can help out with that!

Thanks for reading & let’s continue to be good network citizens!

NRC Prize for Cyberdeterrence Scholarship

Computer Science and Telecommunications Board Division on Engineering and Physical Sciences Policy and Global Affairs National Research Council

March 11, 2010

In a world of increasing dependence on information technology, the prevention of cyberattacks on a nation’s important computer and communications systems and networks is a problem that looms large. Given the demonstrated limitations of passive cybersecurity defense measures (that is, measures taken unilaterally by an organization to increase the resistance of an information technology system or network to attack), it is natural to consider the possibility that deterrence might play a useful role in preventing cyberattacks against the United States and its vital interests.

At the request of the Office of the Director of National Intelligence, the National Research Council (NRC) is undertaking a project entitled “Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy.” The project is aimed at fostering a broad, multidisciplinary examination of strategies for deterring cyberattacks on the United States and the possible utility of these strategies for the U.S. government.  As part of this project, the responsible committee is issuing a call for papers that address questions relevant to this broad topic.

To stimulate work in this area, the NRC is offering one or more monetary prizes for excellent contributed papers that address one or more of the questions of interest described in the section below entitled “Questions of Interest” in this call for papers.

The NRC strongly encourages prospective authors of such papers to submit a paper abstract of 500 words or less by April 1, 2010. If the NRC deems the abstract to be of sufficient quality, the author may be invited to submit a first draft paper by May 21, 2010. Based primarily on its evaluation of the draft paper, an author may be invited to participate in a workshop on June 10-11, 2010 in Washington DC to discuss his or her paper.   (In some cases, some amount of travel support for the workshop may be available, but the NRC cannot guarantee that all workshop invitees will receive such support.) After June 11, 2010 and whether or not the author has attended the workshop, the author should revise the paper as appropriate and provide a final draft by July 9, 2010.

Authors not wishing to submit abstracts and intermediate drafts must submit their final draft by July 9, 2010.

Any paper submitted by July 9, 2010-whether or not an abstract or a first draft was submitted earlier and whether or not the author was present at the workshop-will be eligible for prize consideration. In accordance with the recommendations of the cognizant committee, the National Research Council reserves the right to award zero, one, or more prizes for contributed papers. Winners (if any) will be notified by July 23, 2010; however, the award of a prize or prizes is contingent on the paper’s successful passage through the NRC review process, in which authors of papers are expected to modify their papers in accordance with a peer review process that will take place after submission.

An individual prize is $1000, and prizes will be awarded to papers rather than to individual authors (that is, a group of authors awarded a prize will share the prize).   Prize-winning papers will be published by the National Research Council in the fall of 2010.

The National Research Council reserves the right to make all decisions regarding acceptance or publication of submitted material, and its decisions are final.

Prospective authors may find useful background in the NRC report entitled Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities, available at http://www.anagram.com/berson/absnrcoiw.html in PDF and http://www.nap.edu/catalog.php?record_id=12651 in hard copy.

Paper requirements

All versions of a paper (that is, drafts and final submissions) must be between 4,500 and 7,500 words in length, and conform to the style guide (click here). In addition, the final submission of a paper must be accompanied by a signed release form (click here) certifying that:
(a) the submitted paper is original to the author(s);
(b) the submitted paper is previously unpublished.

All papers and copyright forms should be submitted to Gin Bacon Talati at vbtalati@nas.edu.

The Cognizant Committee

The committee roster and biographies of committee members can be found at http://www8.nationalacademies.org/cp/committeeview.aspx?key=49157.

Information About the National Research Council

The National Research Council (NRC) functions under the auspices of the National Academy of Sciences (NAS), the National Academy of Engineering (NAE), and the Institute of Medicine (IOM). The NAS, NAE, IOM, and NRC are part of a private, nonprofit institution that provides science, technology and health policy advice under a congressional charter signed by President Abraham Lincoln that was originally granted to the NAS in 1863. Under this charter, the NRC was established in 1916, the NAE in 1964, and the IOM in 1970. The four organizations are collectively referred to as the National Academies.

The mission of the NRC is to improve government decision making and public policy, increase public education and understanding, and promote the acquisition and dissemination of knowledge in matters involving science, engineering, technology, and health. The institution works to inform policies and actions that have the power to improve the lives of people in the United States and around the world.

Questions of Interest

The broad themes described below (lettered A-H) are intended to constitute a broad forward-looking research agenda on cyberdeterrence. Within each theme are a number of elaborating questions that are illustrative of those that the committee believes would benefit from greater exploration and analysis. Thoughtful research and analysis in these areas would contribute significantly to understanding the nature of cyberdeterrence.

A. Theoretical Models for Cyberdeterrence

1.      Is there a model that might appropriately describe the strategies of state actors acting in an adversarial manner in cyberspace? Is there an equilibrium state that does not result in cyber conflict?

2.      How will any such deterrence strategy be affected by mercenary cyber armies for hire and/or patriotic hackers?

3.      How does massive reciprocal uncertainty about the offensive cyberattack capabilities of the different actors affect the prospect of effective deterrence?

4.      How might adversaries react technologically and doctrinally to actual and anticipated U.S. policy decisions intended to strengthen cyberdeterrence?

5.      What are the strengths and limitations of applying traditional deterrence theory to cyber conflict?

6.      What lessons and strategic concepts from nuclear deterrence are applicable and relevant to cyberdeterrence?

7.      How could mechanisms such as mutual dependencies (e.g., attacks that cause actual harm to the attacker as well as to the attacked) and counterproductivity (e.g., attacks that have negative political consequences against the attacker) be used to strengthen deterrence? How might a comprehensive deterrence strategy balance the use of these mechanisms with the use of traditional mechanisms such as retaliation and passive defense?

B. Cyberdeterrence and Declaratory Policy

8.      What should be the content of a declaratory policy regarding cyberintrusions (that is, cyberattacks and cyberintrusions) conducted against the United States? Regarding cyberintrusions conducted by the United States? What are the advantages and disadvantages of having an explicit declaratory policy? What purposes would a declaratory policy serve?

9.      What longer-term ramifications accompany the status quo of strategic ambiguity and lack of declaratory policy?

10. What is the appropriate balance between publicizing U.S. efforts to develop cyber capabilities in order to discourage/deter attackers and keeping them secret in order to make it harder for others to foil them?

11. What is the minimum amount and type of knowledge that must be made publicly available regarding U.S. government cyberattack capabilities for any deterrence policy to be effective?

12. To the extent that a declaratory policy states what the United States will not do, what offensive operational capabilities should the United States be willing to give up in order to secure international cooperation? How and to what extent, if at all, does the answer vary by potential target (e.g., large nation-state, small nation-state, subnational group, and so on)?

13. What declaratory policy might help manage perceptions and effectively deter cyberattack?

C. Operational Considerations in Cyberdeterrence

14. On what basis can a government determine whether a given unfriendly cyber action is an attack or an exploitation? What is the significance of mistaking an attack for an exploitation or vice versa?

15. How can uncertainty and limited information about an attacker’s identity (i.e., attribution), and about the scope and nature of the attack, be managed to permit policy makers to act appropriately in the event of a national crisis? How can overconfidence or excessive needs for certainty be avoided during a cyber crisis?

16. How and to what extent, if at all, should clear declaratory thresholds be established to delineate the seriousness of a cyberattack? What are the advantages and disadvantages of such clear thresholds?

17. What are the tradeoffs in the efficacy of deterrence if the victim of an attack takes significant time to measure the damage, consult, review options, and most importantly to increase the confidence that attribution of the responsible party is performed correctly?

18. How might international interdependencies affect the willingness of nations to conduct certain kinds of cyberattack on other nations? How can blowback be exploited as an explicit and deliberate component of a cyberdeterrence strategy? How can the relevant feedback loops be made obvious to a potential attacker?

19. What considerations determine the appropriate mode(s) of response (cyber, political, economic, traditional military) to any given cyberattack that calls for a response?

20. How should an ostensibly neutral nation be treated if cyberattacks emanate from its territory and that nation is unable or unwilling to stop those attacks?

21. Numerous cyberattacks on us and our allies have already occurred, most at a relatively low level of significance. To what extent has the lack of a public offensive response undermined the credibility of any future U.S. deterrence policy regarding cyberattack? How might credibility be enhanced?

22. How and to what extent, if at all, must the United States be willing to make public its evidence regarding the identity of a cyberattacker if it chooses to respond aggressively?

23. What is the appropriate level of government to make decisions regarding the execution of any particular declaratory or operational policy regarding cyberdeterrence? How, if at all, should this level change depending on the nature of the decision involved?

24. How might cyber operations and capabilities contribute to national military operations at the strategic and tactical levels, particularly in conjunction with other capabilities (e.g., cyberattacks aimed at disabling an opponent’s defensive systems might be part of a larger operation), and how might offensive cyber capabilities contribute the deterrence of conflict more generally?

25. How should operational policy regarding cyberattack be structured to ensure compliance with the laws of armed conflict?

26. How might possible international interdependencies be highlighted and made apparent to potential nation-state attackers?

27. What can be learned from case studies of the operational history of previous cyberintrusions? What are the lessons learned for future conflicts and crises?

28. Technical limitations on attribution are often thought to be the central impediment in holding hostile cyber actors accountable for their actions. How and to what extent would a technology infrastructure designed to support high-confidence attribution contribute to the deterrence of cyberattack and cyberexploitation, make the success of such operations less likely, lower the severity of the impact of an attack or exploitation, and ease reconstitution and recover after an attack? What are the technical and nontechnical barriers to attributing cyberintrusions? How might these barriers be overcome or addressed in the future?

D. Regimes of Reciprocal/Consensual Limitations

29. What regimes of mutual self-restraint might help to establish cyberdeterrence (where regimes are understood to include bilateral or multilateral hard-law treaties, soft-law mechanisms [agreements short of treaty status that do not require ratification], and international organizations such as the International Telecommunications Union, the United Nations, the Internet Engineering Task Force, the Internet Corporation for Assigned Names and Numbers, and so on)? Given the difficulty of ascertaining the intent of a given cyber action (e.g., attack or exploitation) and the scope and extent of any given actor’s cyber capabilities, what is the role of verification in any such regime? What sort of verification measures are possible where agreements regarding cyberattack are concerned?

30. What sort of international norms of behavior might be established among like-minded nations collectively that can help establish cyberdeterrence? What sort of self-restraint might the United States have to commit to in order to elicit self-restraint from others? What might be the impact of such self-restraint on U.S. strategies for cyber conflict? How can a “cyberattack taboo” be developed (perhaps analogous to taboos against the use of biological or nuclear weapons)?

31. How and to what extent, if any, can the potency of passive defense be meaningfully enhanced by establishing supportive agreements and operating norms?

32. How might confidence-building and stability measures (analogous to hotline communications in possible nuclear conflict) contribute to lowering the probability of crises leading to actual conflict?

33. How might agreements regarding nonmilitary dimensions of cyberintrusion support national security goals?

34. How and to what extent, if at all, should the United States be willing to declare some aspects of cyberintrusion off limits to itself? What are the tradeoffs involved in foreswearing offensive operations, either unilaterally or as part of a multilateral (or bilateral) regime?

35.  What is an act of war in cyberspace? Under what circumstances can or should a cyberattack be regarded as an act of war.[1] How and to what extent do unique aspects of the cyber realm, such as reversibility of damage done during an attack and the difficulty of attribution, affect this understanding?

36. How and to what extent, if any does the Convention on Cyber Crime (http://conventions.coe.int/Treaty/EN/Treaties/html/185.htm) provide a model or a foundation for reaching further international agreements that would help to establish cyberdeterrence?

37. How might international and national law best address the issue of patriotic hackers or cyber patriots (or even private sector entities that would like to respond to cyberattacks with cyber exploitations and/or cyberattacks of their own), recognizing that the actions of such parties may greatly complicate the efforts of governments to manage cyber conflict?

E. Cyberdeterrence in a Larger Context

38. How and to what extent, if at all, is an effective international legal regime for dealing with cyber crime a necessary component of a cyberdeterrence strategy?

39. How and to what extent, if at all, is deterrence applicable to cyberattacks on private companies (especially those that manage U.S. critical infrastructure)?

40. How should a U.S. cyberdeterrence strategy relate to broader U.S. national security interests and strategy?

F. The Dynamics of Action/Reaction

41. What is the likely impact of U.S. actions and policy regarding the acquisition and use of its own cyberattack capabilities on the courses of action of potential adversaries?

42. How and to what extent, if at all, do efforts to mobilize the United States to adopt a stronger cyberdefensive posture prompt potential adversaries to believe that cyberattack against the United States is a viable and effective means of causing damage?

G. Escalation Dynamics

43. How might conflict in cyberspace escalate from an initial attack?
Once cyber conflict has broken out, how can further escalation be deterred?

44. What is the relationship between the onset of cyber conflict and the onset of kinetic conflict?  How and under what circumstances might cyberdeterrence contribute, if at all, to the deterrence of kinetic conflict?

45. What safeguards can be constructed against catalytic cyberattack? Can the United States help others with such safeguards?

H. Collateral Issues

46. How and to what extent do economics and law (and regulation) affect efforts to enhance cybersecurity in the private sector? What are the pros and cons of possible solution elements that may involve (among other things) regulation, liability, and standards-setting that could help to change the existing calculus regarding investment strategies and approaches to improve cybersecurity? Analogies from other “protection of the commons” problem domains (e.g., environmental protection) may be helpful.

47. What are the civil liberties implications (e.g., for privacy and free expression) of policy and technical changes aimed at preventing cyberattacks, such as systems of stronger identity management for critical infrastructure? What are the tradeoffs from a U.S. perspective? How would other countries see these tradeoffs?

48. How can the development and execution of a cyberdeterrence policy be coordinated across every element of the executive branch and with Congress? How should the U.S. government be organized to respond to cyber threats? What organizational or procedural changes should be considered, if any? What roles should the new DOD Cyber Command play? How will the DOD and the intelligence community work together in accordance with existing authorities? What new authorities would be needed for effective cooperation?

49. How and to what extent, if any, do private entities (e.g., organized crime, terrorist groups) with significant cyberintrusion capabilities affect any government policy regarding cyberdeterrence? Private entities acting outside government control and private entities acting with at least tacit government approval or support should both be considered.

50. How and to what extent are current legal authorities to conduct cyber operations (attack and exploitation) confused and uncertain? What standards should govern whether or not a given cyber operation takes place? How does today’s uncertainty about authority affect the nation’s ability to execute any given policy on cyberdeterrence?

Research contributions in these areas will have greater value if they can provide concrete analyses of the offensive actors (states, criminal organizations, patriotic hackers, terrorists, and so on), motivations (national security, financial, terrorism), actor capacities and resources, and which targets require protection beyond that afforded by passive defenses and law enforcement (e.g., military and intelligence assets, critical infrastructure, and so on).

[1] The term “act of war” is a colloquial term that does not have a precise international legal definition. The relevant terms from the UN Charter are “use of force,” “threat of force,” and “armed attack,” although it must be recognized that there are no internationally agreed-upon formal definitions for these terms either.

Some of the useful ones that I have now downloaded to my spreadsheet library includes:

Template for assessing risk of Information Technology

Gantt chart for project management with work plan This is the template I was actually searching for since I didn’t really want to use Microsoft Project to build a quick chart. This met my needs and a sample chart looks something like below.

Project management templates (charter, budget, risk register, issues log, etc.)

Project management toolkit

Maturity model for evaluating different segments of IT infrastructure

There are many more on this excellent website. You might also be interested in checking out some of the other management topic links.

What tools did you find useful on this website?

Thanks for reading & let’s continue to be good network citizens!

Some of the content on eTutorials includes topics like:

Adobe:

• Adobe Illustrator CS
• Adobe Photoshop 7. How to
• Adobe Premiere 6.5. Teach yourself in 24 hours
• Adobe Indesign CS2. Professional Typography

Networking:

• Lan switching fundamentals
• Router firewall security
• Wireless lan security
• Integrated cisco and unix network architectures
• Lan switching first-step
• Mpls VPN security
• Beginner’s guide to wi-fi wireless networking
• 802.11 security. wi-fi protected access and 802.11i
• Wimax Technology for broadband wireless access
• Wireless community networks
• Network security assessment
• Network security hacks
• Network Management
• Wireless networks first-step
• LAN switching first-step

Certification:

• A programmer’s guide to java certification
• CCNP BSCI Official Exam Certification Guide
• Sun certified solaris 9.0 system and network administrator all-in-one exam guide
• Advanced DBA Certification Guide and Reference

Other technology sections include:

• Macromedia
• Programming
• SQL
• Server Administration
• Microsoft Products
• Mac OS
• Linux systems
• Mobile devices
• XML
• Misc

An example of the table of contents in the CCNP BSCI Official Exam Certification Guide tutorial includes the following sections:

CCNP BSCI Official Exam Certification Guide, Fourth Edition – Graphically Rich Book
Each chapter includes:
“Do I Know This Already?” Quiz
Foundation Topics
Foundation Summary
Q&A

Introduction
Part I: Introduction to Scalable Networks
Chapter 1. Network Design
Chapter 2. IP Address Planning and Summarization

Part II: EIGRP
Chapter 3. EIGRP Principles
Chapter 4. Scalable EIGRP

Part III: OSPF
Chapter 5. Understanding Simple Single-Area OSPF
Chapter 6. OSPF Network Topologies
Chapter 7. Using OSPF Across Multiple Areas
Chapter 8. OSPF Advanced Topics

Part IV: IS-IS
Chapter 9. Fundamentals of the Integrated IS-IS Protocol
Chapter 10. Configuring Integrated IS-IS

Part V: Cisco IOS Routing Features
Chapter 11. Implementing Redistribution and Controlling Routing Updates
Chapter 12. Controlling Redistribution with Route Maps
Chapter 13. Dynamic Host Control Protocol

Part VI: BGP
Chapter 14. BGP Concepts
Chapter 15. BGP Neighbors
Chapter 16. Controlling BGP Route Selection

Part VII: Multicasting
Chapter 17. What Is Multicasting?
Chapter 18. IGMP
Chapter 19. Configuring Multicast

Part VIII: IPv6
Chapter 20. Introduction to IPv6 and IPv6 Addressing
Chapter 21. IPv6 Routing Protocols, Configuration, and Transitioning from IPv4

Appendix A. Answers to Chapter “Do I Know This Already?” Quizzes and Q&A Sections

There is a LOT of tutorial content on this website! I would highly recommend using this resource for reference materials and increasing your knowledge in the technology topics offered.

Thanks for reading and please share with other IT Trenches readers what online tutorial resources you use for reference or education.

For specific details from the original researchers, visit the ExtendedSubset.com website. The summary of the announcement is shown below:

extendedsubset.com

Renegotiating TLS

Marsh Ray

Steve Dispensa

v1.1 November 4, 2009

Summary

Transport Layer Security (TLS, RFC 5246 and previous, including SSL v3 and previous) is subject to a number of serious man-in-the-middle (MITM) attacks related to renegotiation. In general, these problems allow an MITM to inject an arbitrary amount of chosen plaintext into the beginning of the application protocol stream, leading to a variety of abuse possibilities. In particular, practical attacks against HTTPS client certificate authentication have been demonstrated against recent versions of both Microsoft IIS and Apache httpd on a variety of platforms and in conjunction with a variety of client applications. Cases not involving client certificates have been demonstrated as well. Although this research has focused on the implications specifically for HTTP as the application protocol, the research is ongoing and many of these attacks are expected to generalize well to other protocols layered on TLS.

There are three general attacks against HTTPS discussed here, each with slightly different characteristics, all of which yield the same result: the attacker is able to execute an HTTP transaction of his choice, authenticated by a legitimate user (the victim of the MITM attack). Some attacks result in the attacker-supplied request generating a response document which is then presented to the client without any certificate warning or other indication to the user. Other techniques allow the attacker to forward or re-purpose client certificate authentication credentials.

Visit the website for details including:

extendedsubset.comThe full document in pdf format: Renegotiating_TLS.pdf

Some helpful protocol diagrams: Renegotiating_TLS_pd.pdf

Packet captures: renegotiating_tls_20091104_pub.zip

This one is definitely going to be interesting to watch. The excitement never ends in the security world. Leave a comment and let other ITKE readers know if you foresee any issues on this vulnerability or if you have taken any specific actions to address the risk. Thanks for reading and let’s continue to be good network citizens.

Clint Huffman Analyzes PerfMon Logs! Mr. Huffman is the creator of the Performance Analysis of Logs tool found at Codeplex. I have found this tool very useful in tracking down server issues to show folks “it’s not the network!”

Shane Creamer Goes Deep on Performance Monitor! This is a very interesting presentation. There is a link to the video presentation portion and another link to the various audio formats. The video presentation has a very long gap in audio at the beginning (almost 12 minutes). This is because the video portion is only capturing the presenter’s audio portion and not the commentators’. You really should download both audio and video to get the full impact of the presentation.

Steven Choy Measures Server Performance!

Other topics that might be of interest includes SQL, Active Directory, IIS, cloud (Azure), Powershell, virtualization, SharePoint, information security, and many other Microsoft-centric technologies. I have subscribed to the RSS feed so I can keep up with new presentations as they are released. If you run any Microsoft technologies, or you just want to learn about some recommended best practices, then check out this resource. There might be something here that will help you “save the day”.

Thanks for reading and let’s continue to be good network citizens!

Some things you will learn in this webinar:

• Using the Default Capture and Display Filters
• Creating a Few Hot Capture Filters
• Filtering Tips and Tricks for Troubleshooting
• Filtering Tips and Tricks for Security

Even if you are very familiar with Wireshark or other packet capture and protocol decode tools, Laura’s seminars are well worth attending. You might even find out a little tidbit here or there because Repetition is one of the keys of learning. Unfortunately I will not be able to attend this webinar since I will be on a golf vacation in North Carolina. So, if you attend this event, please come back and share with me and other IT Trenches readers what you learned and how valuable the webinar was for you.

Thanks for reading and let’s continue to be good network citizens!

According to Wikipedia, the three curses are:

• May you live in interesting times.
• May you come to the attention of those in authority (sometimes rendered May the government be aware of you)
• May you find what you are looking for

These curses have no time frame attached, so they could be true yesterday, today or tomorrow. The first curse about living in interesting times is very true for most IT shops. The challenges never seem to end but the funds do. The business requirements are fuzzy but the support requirements are real. What makes for interesting times in your role and your organization?

The second curse could be attached to information security services. It most assuredly should apply to those who employ botnets and trojans for unrighteous financial gain. The most recent reports of trojans and bots that can dynamically alter web pages during a banking transaction are very scary. Fortunately, information security professionals are aware of the threat and are working on addressing it.

The third curse may be applicable to those who support networks and need to answer the ever present question about “why is the network slow?” It seems like we are always pressed into identifying the reasons for slow application and service performance without having the toolset to do proper diagosis and troubleshooting. It then becomes a challenge to find what we are looking for.

Maybe IT is a cursed profession after all. What do you think? Is there a more cursed profession?

Thanks for reading and let’s continue to be good network citizens!

• Man in space and man landing on the moon
• Satellites
• Lasers
• Solar cells
• Transistors

Just think about all the marvels that have appeared in our world since the mid-1940′s. The relationship between those educated under the GI Bill and these technological advances is easy to see. Now, fast forward to today and the current economic conditions. What will happen in the next few years in the world of technology as a result of those who have lost jobs, being retrained in new skills and starting new careers? Maybe technological advances won’t be as rapid as those in the post WW2 era, but I expect some life-changing advances due to the education and skill changes resulting from the current education stimulus packages.

Electronic medical records, for example, will change both the patient’s and health care professional’s lives. The technology advance may not be sexy like lasers, but it may have a greater impact on the country we live in as a whole. Maybe we are living under the Chinese curse that goes “May you live in interesting times!”

Thanks for reading and let’s continue to be good network citizens!

One particular bulletin is creating some concerns for Microsoft Windows 2000 users. MS09-048 is a bulletin for a vulnerability to the TCP/IP stack in all current supported versions of Windows. The bulletin describes the vulnerability:

Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723)

This security update resolves several privately reported vulnerabilities in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. The vulnerabilities could allow remote code execution if an attacker sent specially crafted TCP/IP packets over the network to a computer with a listening service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.

Even though the bulletin here describes it as potential remote code execution, the webcast focused more on the denial of service threat due to this vulnerability. Unfortunately, Microsoft has chosen to not issue a patch for Windows 2000, even though Windows 2000 is a supported version of Windows with regards to patches and security fixes. ComputerWorld gives a good amount of detail in the article: Microsoft: Patching Windows 2000 ‘infeasible’ Dark Reading published Microsoft, Cisco Issue Defenses For TCP Denial-Of-Service Attack and The Register published Microsoft, Cisco issue patches for newfangled DoS exploit.

I know that there is a reasonable population of Windows 2000 machines in operation at my organization. So, this choice by Microsoft to not issue a patch for this vulnerability raises some concerns. Fortunately the vulnerable population is not publicly exposed and does not have mobile users. The layered defenses we have in place should help mitigate the risks to our environment. However, the risk is still there and the threat needs to be addressed. What other vulnerability will come out that Microsoft chooses not to address in a supported operating system? Are you facing the same situation in your environment? How large is the risk to your environment? What are you doing to address these threats? Why are you doing what you are doing? Share your thoughts with other ITKE readers.

Thanks for reading & let’s continue to be good network citizens.