Q: “Will I Get Hacked?” is the Wrong Question

The question should be “When will I get Hacked?”

The Internet Storm Center went to threat level Yellow today.


(This morning, on the 17th, the threat level went back to Green: threat activity fortunately died down and enough of us are patching.)

The reason it went Yellow for a day is that there are new vulnerabilities in Windows that are to be patched this week (Tuesday the 14th was Patch Tuesday).

Here is an excerpt of the FAQ at https://isc.sans.edu/

1 – Which Versions of Windows Are Vulnerable?

Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. HTTP.sys is used by any version of IIS running on one of these operating systems. HTTP.sys was introduced with IIS 6.

5 – How do I know if I am vulnerable?

Send the following request to your IIS server:

GET / HTTP/1.1
Host: MS15034
Range: bytes=0-18446744073709551615

If the server responds with “Requested Header Range Not Satisfiable”, then you may be vulnerable.

6 – Can this vulnerability be exploited to do more than a DoS?

In its advisory, Microsoft considered the vulnerability as a remote code execution vulnerability. But at this point, no exploit has been made public that executed code. Only DoS exploits are available.
There also appears to be an information disclosure vulnerability. However, it requires that the “lower end” of the range is > 4GB, and this would require a file on the server that is larger than 4GB to work.

11 – Will IIS Request Filtering Protect Me?

No. IIS Request Filtering happens after the Range header is parsed.

References:

Remote Code Execution Via HTTP Request In IIS On Windows


https://technet.microsoft.com/library/security/MS15-034
https://support.microsoft.com/en-us/kb/3042553
http://blogs.360.cn/blog/cve_2015_6135_http_rce_analysis (Chinese)
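
An added example, not part of the ISC FAQ or of this post: because FAQ 11 says IIS Request Filtering runs after the Range header is parsed, any screening has to happen in front of IIS, for instance in a reverse proxy rule or a review of captured requests. This Python code classifies the Range header of raw requests; the verdict names, the MAX_OFFSET ceiling, the function names and the sample requests are assumptions made for illustration.

```python
U64_MAX = 2**64 - 1      # 18446744073709551615, the upper bound used in the ISC check
FOUR_GB = 4 * 2**30      # FAQ 6: the disclosure case needs a lower bound above 4GB
MAX_OFFSET = 2**63 - 1   # assumption: no real file offset exceeds a signed 64-bit value

def parse_range(value):
    """Parse 'bytes=a-b,c-,-d' into [(first, last)]; None marks an open end."""
    unit, sep, spec_list = value.strip().partition("=")
    if unit.strip().lower() != "bytes" or not sep:
        raise ValueError("not a bytes range")
    specs = []
    for part in spec_list.split(","):
        first, dash, last = part.strip().partition("-")
        if not dash or not (first or last):
            raise ValueError("bad range spec")
        if any(x and not (x.isascii() and x.isdigit()) for x in (first, last)):
            raise ValueError("non-numeric bound")
        specs.append((int(first) if first else None, int(last) if last else None))
    return specs

def classify(value):
    """Return 'block', 'review' or 'ok' for one Range header value."""
    try:
        specs = parse_range(value)
    except ValueError:
        return "block"                      # assumed policy: reject malformed Range
    bounds = [b for spec in specs for b in spec if b is not None]
    if any(b > MAX_OFFSET for b in bounds):
        return "block"                      # covers the 2**64-1 value from the FAQ
    if any(first is not None and first > FOUR_GB for first, _ in specs):
        return "review"                     # legitimate only for files larger than 4GB
    return "ok"

def scan(raw_request):
    """Classify a raw HTTP request by its Range header (name is case-insensitive)."""
    for line in raw_request.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "range":
            return classify(value)
    return "ok"                             # no Range header present

# Constructed sample requests; the first is the check request quoted in the FAQ.
SAMPLES = [
    "GET / HTTP/1.1\r\nHost: MS15034\r\nRange: bytes=0-18446744073709551615\r\n\r\n",
    "GET /a.iso HTTP/1.1\r\nHost: example.test\r\nRange: bytes=5368709120-5368709999\r\n\r\n",
    "GET /a.css HTTP/1.1\r\nHost: example.test\r\nRange: bytes=0-499,-200\r\n\r\n",
]
if __name__ == "__main__":
    for s in SAMPLES:
        print(scan(s), "<-", s.split("\r\n")[2])
```

Screening like this is a stopgap for systems that cannot be patched immediately; the fix is the MS15-034 update listed in the references.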

—————————————————————————————————————————–

 

But this is just one set of (new) exploits available today; there are lots more available to hackers.

The problem is that typical companies are complacent about security. There is no plan for handling the new level of security work that must be performed. This year we will get new security vulnerabilities in our infrastructures, which means exploits will be created, and thus hackers _WILL_ hack you; it is not a matter of ‘if’.

What you have to do is decide how to handle this new normal…

Last year several such new vulnerabilities and exploits were introduced. These vulnerabilities are still exploitable, by the way. If you did not make sure that your systems are patched, then it is time to do so.

This is why we recommend that the risk management systems process be iterative and consistent, with a lot of test cycles, so that the end result is a secure environment.

Even when one spends more time on security concerns, there is a good chance of a successful exploit of your network or systems.

My assertion: due to the large number of vulnerabilities and the potential for configuration mistakes, the question should be:

“When will I get Hacked?”

 


One of our most read posts:

http://oversitesentry.com/why-risk-management-model-failed-us/

 

Cyber Risk: it is obvious to me how easily one can hack machines; too bad I can’t automatically transfer this knowledge to you.

http://oversitesentry.com/is-your-cyber-risk-manageable/
