Hi Erin,
I always switch between these two points of view. My experience shows me
that the best way to improve the defense is to try to think as real
attacker and so block the attacks on the first line.
3 small examples :
- On a web site. Every attacker will try to request the uri /admin/. You
could then put a passwd.bak file in this directory. But, in this file,
instead of list a user/pwd, you put a message like "We log everything
and call the law enforcement for each tries".
- Modify your banners with crafted system/release. On a postfix, you can
define the banner with "OS/390 SMTP GW".
- For dynamic scripts (or on your reverse-proxy), if the system gets a
input with a 'quote' (like "script.jsp?param=anything'anything"), the
server could return a message telling that "sql injection is forbidden
and all attempts are logged and traced" or banish the ip address for
20sec every 2 attempts.
These examples could seem "kiddies things", but if a real hacker tries
to penetrate your systems, he could be really disappointed by these
tricks and pass his way on another website.
Another difference between the "offense" and the "defense" methods is
that the 'offense' method is cheaper than the "defense thinking". No
need to buy expensive editor products (which are often bullshits for
people who think that their security level depends on how many firewalls
they have).
Of course, the "defense think" is important (crypto, user's rights,
firewall), but a bit of "offense think" is not expensive and improves
the overall security level.
Fred.
Erin Carroll wrote:
All,
I was having an interesting discussion with a coworker the other day about
the differences between pen-testing (offense) and network security work
(defense) which we do in our day jobs. The majority of my security
background has been from a penetration standpoint so the way I view network
security defense setups and priorities tends to be of the "how would I break
this and get in" viewpoint rather than the "how do I secure this and ensure
reliable reporting/monitoring" view that my coworker is more centered on.
The differences in the priorities and methods we would choose to secure our
network for defense was much different than I anticipated.
So I was hoping some list members would share some similar experiences with
us. How many of you have switched between offense/defense and what were some
of the stumbling blocks or key differences you found in how you approached
your goals? Is it worth it to cross-train in some manner? How have you sold
someone on the advantages of penetration-testing your network to quantify
and test the effectiveness of your existing defenses?
I would be interested to hear some cases you have run into out there.
--
Erin Carroll
"Do Not Taunt Happy-Fun Ball"
--
Frederic Charpentier - Xmco Partners
Security Consulting / Pentest
web : http://www.xmcopartners.com/tests-intrusion.html
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
