[Dshield] How representative?

Mrcorp mrcorp at yahoo.com
Tue Mar 25 17:35:09 GMT 2003


The best approach is security in layers.  How many times do we hear that?  But I would like to add
another comment to that phrase.

We have to imagine a scale.  Like the one you see at the old farmer markets, with two trays.  On
one side they put the weights, and on the other they put your fruit.  Security could be considered
on that scale.  On one end, we have a completely open network or system, no ACL and no security,
out of the box.  This system is completely usable and costs nothing to secure.

Then, on the other scale, you have a completely locked down system, limited access and usability.
Probably useless to the user and/or business.  We have to determine where on the scale we should
be.  Another factor of this equation is the risk formula.  Risk=threat*vulnerability*cost and what
is acceptable to the business.  That will also help you determine where on the scale you should
be.

This is the approach I have found to work when talking to upper management or the business, and I
have been successful with it.

Mrcorp

--- Deb Hale <haled at pionet.net> wrote:
>  
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> 
> I would be very interested in seeing the findings.  I have a cable connection at my office and a
> wireless connection at my house.  I am seeing basically the same things that my business
> customers are seeing.  And I agree with you that there is no such thing as being "completely
> secure".  New exploits happen on a regular basis.  How do you secure against the unknown?
> 
> 
> - -----Original Message-----
> From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf Of Mrcorp
> Sent: Tuesday, March 25, 2003 10:31 AM
> To: General DShield Discussion List
> Subject: Re: [Dshield] How representative?
> 
> 
> I just want to interject here for a second.  The comments about being "Completely secured" are
> most interesting.  Security isn't an endpoint.  You never "become" secure.  It's a process that
> never ends.  If one could achieve complete security, I would be out of a job.  Additionally, I
> am studying the Cable and DSL attacks in great detail now through several honeynets (networks
> with several workstations and servers).  The attacks that I am seeing on these networks are the
> same that I have seen on many companies that I worked for. 
> 
> I will post a formal writeup of my findings when complete.
> 
> Mrcorp
> 
> - --- Jeff Kell <jeff-kell at utc.edu> wrote:
> > Chateauneuf wrote:
> > > At 11:59 PM 3/24/2003 +0100, Henric Lindblad authored the following:
> > > 
> > >> Honestly I don't think the average DSL/Cable subscriber gets many 
> > >> actual "intrusion attempts"... They do get scanned a lot but most 
> > >> scans don't actually result in an intrusion attempt.
> > 
> > > I'm not so sure that I agree. FWIW, I think that the difference between
> > > a port scan and an intrusion attempt is the level of security.
> > 
> > Precisely.  If your setup is completely secured, you drop the packet
> > without further question.  You might be able to differentiate between a 
> > "scan" and an "intrusion attempt" from an ICMP or UDP packet, but for 
> > TCP issues, you never allow it to get beyond the initial SYN unless you 
> > have a real live server behind it.  You would have to "honeynet" every 
> > service to get far enough to detect a TCP-based exploit.
> > 
> > Jeff
> > 
> > _______________________________________________
> > list mailing list
> > list at dshield.org
> > To change your subscription options (or unsubscribe), see:
> > > http://www.dshield.org/mailman/listinfo/list
> 
> 
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.0
> 
> iQA/AwUBPoCIRDxOOHZjYde8EQJRdQCgy1tMCYPFyB5XiSKdD3dkGWV/faoAn0nX
> 7T78D4goOni9g+wKlDHO/e7y
> =FUTi
> -----END PGP SIGNATURE-----
> 
> 