Know thy network well

There is a good thread running on the Dailydave mailing list.
http://seclists.org/dailydave/2008/q4/0085.html

The takeaways are familiar reminders for the cognoscenti, but it’s still good to read and good for referencing.

“Patch management, IDS, Anti-Virus, scanners of all shapes and sizes. Audits” don’t work against competent attackers.

“And they [Penetration testers] agreed on two things: the threats you know about are not the ones you need to worry about; and every network is own-able. Every. Single. One.”

“If you accept the premise that it's not possible to protect every asset (or even protect any single asset completely), then the logical action is to identify the most valuable assets and secure them to the best of your ability” (from a column by Dennis Fisher)

I'm a big fan of using tools that help me get visibility into what is happening on a network, which is why I like these statements:

“Baseline system and network behaviour. Analyse any abnormal behaviour. (Easier said than done. You may never see anything.)” (raus)

“I would also note that it's misleading to say you should throw in the towel because one unpublished vuln can pop your box. There is more to it than that if you are doing your job right. Can they pop it without being discovered... for how long, and how often?” (Dragos Ruiu)

Marc Maiffret opined:

“The biggest threat to the average computer user is not zeroday vulnerabilities but system misconfigurations and vulnerabilities within third party applications. Most organizations are only just starting to get a handle on patching Microsoft vulnerabilities let alone third party applications. This becomes even more apparent with consumers and small to medium sized businesses where they only have Windows Update and WSUS to depend on. There is simply no third party patching being done in these environments making it a LOT more likely for them to get owned with a 6 month old Adobe Acrobat vulnerability than some zeroday vulnerability. This is currently the lowest hanging fruit for attackers and does not require an attacker to have large sums of money to waste on buying zeroday attacks.”

It’s clear security teams must deploy tools that build up their understanding of what normal activity on their network looks like. You want intuition and clarity. You want the gut instinct and the confidence that you can tell when something is not quite right. The way to get there is to deploy tools that enhance visibility: tools that show you traffic patterns and volumes, running applications and logins, and tools that point out activity that deviates from the baseline.
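As an added example (not code from this post or from the Dailydave thread), here is a small Python script that does what raus describes and what the paragraph above asks for: build a baseline of normal behaviour from a known-good window of logs, then analyse a later window and report only what falls outside that baseline. The baseline covers which destination ports each host talks to and how many bytes it normally moves, and which source addresses and hours each user normally logs in from. The log format (timestamp, record kind, key=value fields), the host names, addresses, bytes and the three-sigma volume threshold are all constructed assumptions.

```python
"""Baseline normal behaviour from logs, then flag observations that deviate.

Constructed example: the log format (timestamp, record kind, key=value
fields), the hosts, users, addresses and the thresholds are assumptions,
not anything taken from the post or the thread it quotes.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed "known good" window: per-host flow summaries and user logins.
BASELINE_LOG = [
    "2008-12-01T09:12:00 flow src=ws-01 dport=443 bytes=12000",
    "2008-12-01T09:40:00 flow src=ws-01 dport=443 bytes=15000",
    "2008-12-01T10:05:00 flow src=ws-01 dport=80 bytes=3000",
    "2008-12-02T09:15:00 flow src=ws-01 dport=443 bytes=11000",
    "2008-12-02T11:30:00 flow src=ws-01 dport=80 bytes=14000",
    "2008-12-01T08:55:00 login user=alice src=10.0.1.5",
    "2008-12-02T09:02:00 login user=alice src=10.0.1.5",
    "2008-12-03T10:10:00 login user=alice src=10.0.1.6",
    "2008-12-01T09:00:00 login user=bob src=10.0.1.7",
    "2008-12-02T17:45:00 login user=bob src=10.0.1.7",
]

# Constructed observation window to analyse against that baseline.
OBSERVED_LOG = [
    "2008-12-13T10:05:00 flow src=ws-01 dport=443 bytes=13000",
    "2008-12-13T03:20:00 flow src=ws-01 dport=4444 bytes=900000",
    "2008-12-13T03:21:00 login user=alice src=203.0.113.9",
    "2008-12-13T09:00:00 login user=bob src=10.0.1.7",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>flow|login)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn one log line into a dict; return None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "kind": m.group("kind")}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        rec[key] = value
    return rec


def hour_of(rec):
    """Hour of day from the ISO-8601 timestamp (characters 11-12)."""
    return int(rec["ts"][11:13])


@dataclass
class Baseline:
    ports_by_host: dict = field(default_factory=lambda: defaultdict(set))
    bytes_by_host: dict = field(default_factory=lambda: defaultdict(list))
    sources_by_user: dict = field(default_factory=lambda: defaultdict(set))
    hours_by_user: dict = field(default_factory=lambda: defaultdict(set))


def build_baseline(lines):
    """Learn what each host and each user normally does from a trusted window."""
    b = Baseline()
    for rec in filter(None, map(parse_line, lines)):
        if rec["kind"] == "flow":
            b.ports_by_host[rec["src"]].add(int(rec["dport"]))
            b.bytes_by_host[rec["src"]].append(int(rec["bytes"]))
        else:
            b.sources_by_user[rec["user"]].add(rec["src"])
            b.hours_by_user[rec["user"]].add(hour_of(rec))
    return b


def detect(baseline, lines, sigma=3.0):
    """Return (line, reason) pairs for observations outside the baseline."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "flow":
            host, port, nbytes = rec["src"], int(rec["dport"]), int(rec["bytes"])
            if host not in baseline.ports_by_host:
                findings.append((line, f"host {host} not seen in baseline"))
                continue
            if port not in baseline.ports_by_host[host]:
                findings.append((line, f"{host} never used dport {port} in baseline"))
            hist = baseline.bytes_by_host[host]
            mu, sd = mean(hist), max(pstdev(hist), 1.0)  # floor sd so a flat baseline still alerts
            if nbytes > mu + sigma * sd:
                findings.append((line, f"{host} sent {nbytes} bytes, above {mu:.0f} + {sigma:g} sd"))
        else:
            user, src, hour = rec["user"], rec["src"], hour_of(rec)
            if user not in baseline.sources_by_user:
                findings.append((line, f"user {user} not seen in baseline"))
                continue
            if src not in baseline.sources_by_user[user]:
                findings.append((line, f"{user} logged in from new source {src}"))
            if hour not in baseline.hours_by_user[user]:
                findings.append((line, f"{user} logged in at hour {hour}, never seen in baseline"))
    return findings


def run_example():
    """Build the baseline from the constructed window and analyse the observed one."""
    return detect(build_baseline(BASELINE_LOG), OBSERVED_LOG)


if __name__ == "__main__":
    for line, reason in run_example():
        print(f"ALERT: {reason}\n       {line}")
```

Two caveats a practitioner would add, both implicit in raus's "easier said than done". First, the baseline is only as trustworthy as the window it was learned from: an attacker already present while you baseline gets learned as normal, which is exactly the "how long, and how often" question Dragos raises. Second, the thresholds here (a never-seen port, a never-seen login hour, three standard deviations on volume) are starting points; on a real network they need tuning per host class and per user role or the tool will train you to ignore it.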

Posted by tate Sat, 13 Dec 2008 23:20:00 GMT


Comments

  1. Michael Dickey 17 days later:

    Thanks for highlighting that thread. I’ve been neglecting that mailing list and have missed it!

    I like Marc’s point, and I agree fully. I also agree fully with the idea that we are all vulnerable. It’s an assumption we need to make in order to move forward without pretending false truths.