http://blog.clearnetsec.com/articles/tag/logs en-us 40 <p>There is nothing I’ve seen recently to promote a valuable exercise to do after receiving a security assessment. That is, as the client, <b><i>what did you see?</i></b> </p> <p> Did you have anything alert you? If so, what did it suggest? Did you have enough information to piece together what was happening? <i>(Bonus: do you know which tools were fired towards your IPs?)</i> </p> <p> The majority of my clients have no clue if anything occurred. That’s bad. Businesses which have little to lose may decide to ignore investing in monitoring and detection, but for others it’s turning a blind eye. </p> <p> I’m going to dig a little deeper on future exit calls to get more information. I often ask clients if they detected any strange behavior, but there is definitely more room to expand the discussion. </p> Wed, 05 Sep 2007 19:37:00 -0600 urn:uuid:24cb4f05-698b-44aa-8bef-cd848ee81b28 tate@ClearNetSec.com (Tate Hansen) http://blog.clearnetsec.com/articles/2007/09/05/anything-alert-you ClearNet Security Tate Hansen ClearNet security assessments penetration testing logs detection <p> On my last several ‘exit calls’ for security assessments I’ve wanted to ask the customer if they had anything alerting them to the activities performed. </p> <p> The obvious need for detection is a tiresome mantra to repeat, given that <b><i>prevention will always fail</i></b>. In fact, is it not better to log all activities (e.g. syslog, netflow, successful sessions, etc.) in spite of using prevention tools? If knowing you’ve been compromised is a better state that not knowing, then isn’t it better to pay appropriate attention to all the events versus haphazardly trusting prevention solutions? </p> <img src="http://blog.clearnetsec.com/files/iStock_000002497333XSmall.jpg" align="right"> <p> I just finished an external security assessment for a Bank which had an IPS enabled firewall. They requested two rounds of scanning: one with the IPS features enabled and the other with them disabled. Results: no difference. This from normal to aggressive scanning (full 65k scans, full vuln. scans from multiple tools, few metasploit shots, exhaustive brute forcing, etc.) and without any efforts to be elusive. </p> <p> I’m betting if I ask this client if he noticed any activity spikes or if he was alerted to anything he’ll say no. Furthermore, I bet he has nothing setup to help him easily go check. </p> <p> I’m running across more and more of these where it seems the first indicators of something bad is when actual fraud occurs. Compromise, theft of data, spread of attackers’ control -- all missed opportunities to <b><i>detect and contain</i></b> because of an unbalanced reliance on prevention tools. </p> Wed, 28 Feb 2007 10:01:00 -0700 urn:uuid:3516c58f-49d4-4722-b69e-31ee53a6efa8 tate@ClearNetSec.com (Tate Hansen) http://blog.clearnetsec.com/articles/2007/02/28/unbalanced-reliance-on-prevention security ClearNet ClearNet Security Tate Hansen logs detection