Unbalanced reliance on prevention

On my last several ‘exit calls’ for security assessments I’ve wanted to ask the customer if they had anything alerting them to the activities performed.

The obvious need for detection is a tiresome mantra to repeat, given that prevention will always fail. In fact, is it not better to log all activities (e.g. syslog, netflow, successful sessions, etc.) regardless of which prevention tools are in place? If knowing you’ve been compromised is a better state than not knowing, then isn’t it better to pay appropriate attention to all of those events than to haphazardly trust prevention solutions?

I just finished an external security assessment for a bank which had an IPS-enabled firewall. They requested two rounds of scanning: one with the IPS features enabled and the other with them disabled. Results: no difference. This held from normal to aggressive scanning (full 65k scans, full vuln. scans from multiple tools, a few Metasploit shots, exhaustive brute forcing, etc.), and without any effort to be elusive.

I’m betting that if I ask this client whether he noticed any activity spikes or was alerted to anything, he’ll say no. Furthermore, I bet he has nothing set up to help him easily go check.

I’m running across more and more of these, where it seems the first indicator of something bad is when actual fraud occurs. Compromise, theft of data, spread of attackers’ control: all missed opportunities to detect and contain because of an unbalanced reliance on prevention tools.
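As an added illustration (not code from the original post), here is the kind of cheap check that would have surfaced the assessment traffic described above. It runs over constructed netflow-style and sshd-style records (all sample data I made up, using documentation address ranges) and flags three things: a source touching many distinct ports on one host inside a short window, a source with many failed logins, and a login that succeeds after such a burst. The thresholds, windows and record layouts are assumptions, not anything the post specifies.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the post): one noisy host that scans
# and brute-forces (203.0.113.5) and one ordinary client (192.0.2.7).
SCANNER, CLIENT, TARGET = "203.0.113.5", "192.0.2.7", "198.51.100.10"


def _flow(ts, src, dst, port):
    # Assumed flow export layout: "<ISO timestamp>Z <src> <dst> <dst_port> <bytes>"
    return f"{ts.isoformat()}Z {src} {dst} {port} 60"


_t0 = datetime(2007, 2, 28, 16, 40, 0)
FLOW_LINES = (
    # 60 ports on one host in 60 seconds: a full-port scan in miniature
    [_flow(_t0 + timedelta(seconds=i), SCANNER, TARGET, 1 + i) for i in range(60)]
    # one HTTPS connection per minute: ordinary client traffic
    + [_flow(_t0 + timedelta(minutes=i), CLIENT, TARGET, 443) for i in range(60)]
)

SYSLOG_LINES = (
    [f"Feb 28 16:41:{i:02d} gw sshd[{4000 + i}]: Failed password for invalid user admin "
     f"from {SCANNER} port {51000 + i} ssh2" for i in range(25)]
    + [f"Feb 28 16:50:10 gw sshd[4999]: Accepted password for tate from {SCANNER} port 52001 ssh2",
       f"Feb 28 16:30:00 gw sshd[3001]: Failed password for tate from {CLIENT} port 40001 ssh2",
       f"Feb 28 16:30:20 gw sshd[3002]: Accepted password for tate from {CLIENT} port 40002 ssh2"]
)


def parse_flow(line):
    ts, src, dst, port, nbytes = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port), int(nbytes)


def port_scan_sources(lines, window=timedelta(minutes=5), threshold=20):
    """Return {src: distinct_ports} for every source that touches more than
    `threshold` distinct destination ports on a single host within `window`."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, port, _ = parse_flow(line)
        by_src[src].append((ts, dst, port))
    hits = {}
    for src, flows in by_src.items():
        flows.sort()  # sliding window needs time order
        for i, (start, _, _) in enumerate(flows):
            ports = defaultdict(set)
            for ts, dst, port in flows[i:]:
                if ts - start > window:
                    break
                ports[dst].add(port)
            worst = max(len(p) for p in ports.values())
            if worst > threshold:
                hits[src] = max(hits.get(src, 0), worst)
    return hits


FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted \w+ for (\S+) from (\S+) port")


def auth_findings(lines, threshold=10):
    """Count failed logins per source, flag sources over `threshold`, and
    record any successful login from a source that already crossed it.
    Lines are taken in the order given, so feed them sorted by time."""
    failures = defaultdict(int)
    brute = set()
    success_after_burst = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            src = m.group(2)
            failures[src] += 1
            if failures[src] > threshold:
                brute.add(src)
            continue
        m = ACCEPTED.search(line)
        if m and m.group(2) in brute:
            success_after_burst.append((m.group(2), m.group(1)))  # (source, user)
    return dict(failures), brute, success_after_burst


if __name__ == "__main__":
    print("port-scan sources:", port_scan_sources(FLOW_LINES))
    fails, brute, after = auth_findings(SYSLOG_LINES)
    print("failed logins per source:", fails)
    print("brute-force sources:", sorted(brute))
    print("successful logins after a failure burst:", after)
```

The third finding is the one worth paging someone for: a burst of failures followed by an accepted login from the same source is a likely compromise, not just noise, and neither the IPS nor the firewall in the story would have said a word about it. The numbers (20 ports in five minutes, 10 failures) are placeholders; the point is that the records already exist on most networks and only the habit of looking at them is missing.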

Posted by tate Wed, 28 Feb 2007 17:01:00 GMT