Hi
This is the problem with considering any security countermeasure in isolation. Clearly, it is never enough to block at the firewall, although the context implied that script kiddies were increasing their scanning and enumeration attempts ex-perimeter, and the stupidity would indeed be not to both block and stealth the port.
Dealing with any vulnerability requires:
1. Keeping your patching up to date
2. Keeping all your signature files up to date (anti virus, anti spam, content filtering etc)
3. You also need a solidly worded and technologically enforced home/location-independent user policy which dictates exactly how users should use their laptops and, as far as possible, enforces this, e.g. child-lock software to prevent them downloading or installing software, regular checks of Internet access records and email usage etc., regular anti-virus updates, and use of a good ISP (i.e. one who cares about security).
4. User awareness is equally important. Users should delete all suspicious emails and attachments, including those from known contacts (if necessary, ring to check whether the email was intended to be sent).
5. Emails should be plain text, not HTML, and active code should not be enabled to run from your email system. This prevents accidental or ignorant clicking on embedded links such as the .stm extensions currently being passed around by phishing attacks. It also cuts out a lot of spoofing *** phishing attacks.
6. I would also suggest (if you are really serious about security) a 'friends only' email policy, where only people whose email address you include on your system can send you mail and no one else can (it gets auto-deleted as soon as it arrives). Apart from anything else, your productivity goes sky-high as people are forced to phone you up or come and see you, and you can deal with any problems/issues then and there. It also avoids emails piling up over the holiday period. :cool:
7. If you can afford it (big organisation), go for the self-repairing network solutions where the network detects, stops and alerts on any anomalous behaviour. Alright, normally it's just a wonky network card, but better finding that out than losing your entire corporation's network to some S***OL%. The scary thing is not hackers with no stake in society; it's those with a wife, kids, mortgage and college fees.
@-hacker POV :lildevil:
1. Scanning should not be noticeable and should do as much as possible in one pass without being intrusive.
- Stealth mode, e.g. netcat -t0 -s -v -O, is obviously preferable, if boring, to an all-out SYN, SYN/ACK, ACK straight run up the non-standard ports, which just stands out like a Christmas tree (if you'll forgive the pun intended).
2. Deniability is everything. Better to own some zombies and scan from them than to scan direct. Also hide the backward path in your SOCKS.
3. Scans should be multi-vector (don't just rely on SYNs or UDP), although most packages now use a variety of methods.
4. De-pattern the scans. Fragmentation (teardrop) and frame overlapping help, especially when firewalking, but really your scans should look like a user trying, trying again, then walking away to get some coffee and then trying again a few hours later.
5. And always remember the key words: preparation, preparation, preparation. Good boy scouts go scouting first and scanning afterwards. An ounce of reconnaissance is worth a week of enumeration. Corporations just leave information hanging around all willy-nilly, and sometimes you don't even need to be on their network to get what you want. "I found this information on their public web server" is a perfect defence.
6. Scanning for just the latest vulnerability opportunities is silly. Be systematic. It's unbelievable how much catch-up sysadmins fail to do. Or, oops, they forgot to patch up to date a server they have just re-ghosted, and guess who's just opened up a minor port or two on the firewall for a new application (like media streaming :D) at management's behest without telling the security manager.
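The two sides of the post above (point 7 on the defender's list, "a network that detects and alerts on anomalous behaviour", and point 4 on the attacker's list, "de-pattern the scans so they look like a user trying, walking away, and trying again hours later") meet in the detector's window size. The following is an added example, not code from the original post: it runs a classic short-window port-scan rule and the same distinct-port count over a 24-hour window across a constructed connection log, so you can see a noisy scan caught by both, a slow jittered TCP/UDP scan caught only by the long window, and an ordinary user flagged by neither. The log format, the thresholds and the RFC 5737 documentation addresses are assumptions made for the demo.

```python
"""Port-scan detection over a constructed connection log (added example).

Compares the usual short-window rule (more than N distinct targets from one
source within a minute) with the same count taken over a whole day, to show
why a scan that is spread out with user-like pauses slips past the first
rule but not the second.  Log format, addresses and thresholds are
assumptions for this demo, not any product's real format or defaults.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import random


def build_sample_log():
    """Constructed connection attempts, one per line: '<ISO time> <src> <proto>/<dport>'."""
    lines = []
    t0 = datetime(2024, 1, 1, 9, 0, 0)

    # (1) Noisy scan: 100 consecutive ports in about two seconds.
    for i, port in enumerate(range(1000, 1100)):
        t = t0 + timedelta(milliseconds=20 * i)
        lines.append(f"{t.isoformat()} 203.0.113.5 tcp/{port}")

    # (2) De-patterned scan: 25 service ports, one every 5-25 minutes,
    #     mixing TCP and UDP (multi-vector), spread over several hours.
    rng = random.Random(7)  # fixed seed so the example is reproducible
    targets = ["tcp/22", "tcp/80", "tcp/443", "tcp/445", "tcp/3389",
               "tcp/8080", "tcp/8443", "tcp/21", "tcp/25", "tcp/110",
               "tcp/143", "tcp/993", "tcp/995", "tcp/1433", "tcp/3306",
               "tcp/5432", "tcp/5900", "tcp/6379", "tcp/9200", "tcp/27017",
               "udp/53", "udp/161", "udp/123", "udp/500", "udp/1900"]
    t = t0
    for svc in targets:
        t += timedelta(minutes=rng.uniform(5, 25))
        lines.append(f"{t.isoformat()} 198.51.100.7 {svc}")

    # (3) Ordinary user: a few retries against three web ports during the day.
    for offset, svc in [(300, "tcp/443"), (330, "tcp/443"), (360, "tcp/80"),
                        (18000, "tcp/8080"), (18005, "tcp/443"), (19800, "tcp/8080")]:
        t = t0 + timedelta(seconds=offset)
        lines.append(f"{t.isoformat()} 192.0.2.10 {svc}")
    return lines


def parse_log(lines):
    """Parse and time-order the log; returns (timestamp, src, 'proto/port') tuples."""
    events = []
    for line in lines:
        ts, src, svc = line.split()
        events.append((datetime.fromisoformat(ts), src, svc))
    events.sort()
    return events


def max_distinct_targets(events, window_seconds):
    """Per source: the largest number of distinct proto/port targets seen in
    any sliding window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, svc in events:
        by_src[src].append((ts, svc))
    result = {}
    for src, hits in by_src.items():          # hits are already time-ordered
        best, start = 0, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1                    # drop events that fell out of the window
            best = max(best, len({svc for _, svc in hits[start:end + 1]}))
        result[src] = best
    return result


def scan_alerts(events, window_seconds, threshold):
    """Sources whose distinct-target count within the window exceeds `threshold`."""
    return {src for src, n in max_distinct_targets(events, window_seconds).items()
            if n > threshold}


if __name__ == "__main__":
    ev = parse_log(build_sample_log())
    print("60 s / 15-target rule flags:  ", sorted(scan_alerts(ev, 60, 15)))
    print("24 h / 10-target rule flags:  ", sorted(scan_alerts(ev, 86400, 10)))
```

The short rule never sees more than one target from the slow scanner in any minute, while the day-long count reaches 25 for it and stays at 3 for the real user, so the second rule separates them without a lower threshold. The cost is state: the long window has to remember every source's targets for a day, which is why commercial anomaly detectors, the "self-repairing network solutions" the post mentions, keep that history rather than matching single packets.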
