Security Basics mailing list archives
Re: [Silly analogy]
From: Ed Spencer <espencer () usa net>
Date: Sun, 21 Mar 2004 16:35:17 -0900
Silly analogies? Why not use one that I've used before and, from what I can tell, it seems pretty accurate.

Port scanning is like driving down the street making a list of every window, door or opening on your house. The problem is that they only list one window/door/opening every time they drive down your street (showing the potential increase in traffic over normal from a single host/car). If you go further and identify the version of the services that are running, it's like making a note of the manufacturer of every one of those openings, and what type of room is on the other side. If you search for vulnerabilities based on the manufacturer/type of entrance, it's like making a note of how to bypass the locks on each of those types of entry points.

Keep in mind that technically you've broken no laws up to this point. If the police were notified you'd likely be stopped for questioning, but probably not arrested. The reason is that at no time does port scanning make a list of what's inside the room/the type of data being stored (hence the lack of peeking-in-the-window type analogies), identify a specific vulnerability (check to see if the door/window is locked/if the service can be exploited), or attempt to gain unauthorized access (push on the door/try to lift the window/try to gain access to protected data). All of these types of events would be performed by security scanning software, hacker/cracker tools, or other similar means. These types of checks are also highly suspect and, in most cases, illegal.

An additional note I usually add when I discuss this with a class is that if this is done by knowledgeable security personnel within the company, it's like the police/hired security company doing the same thing, only then you should get a list of things you should do to prevent someone from kicking in your door/smashing your window, etc. This makes you more secure in your own home/workplace and should be done on a semi-regular basis.
Analogies are a great teaching tool as long as they are effective in identifying what's actually going on. Of course, if you think my analogy is crazy/silly/whatever, that's your prerogative. Just thought I'd share what I've used with the students I've had in the past to have them understand more clearly.

Ed Spencer
MCSE/MCT/MCP/CNA/A+/Security+/Network+
Network Technician
University of Alaska Fairbanks

"Joe Dumass" <joe_dumass () hotmail com> wrote:
Ok, I'd like to make my silly analogy of port scanning... It's not the benign peeking in windows thing; I mean, come on, it's not THAT passive. I'd liken it to knocking on a door to see if someone's home, and then running away if someone answers / opens the door. Annoying, yes. Illegal? I wouldn't think so, unless someone's got a restraining order out on you. But if the door's a-knocking, watch out for flaming bags of dog turds.

Would you please stop making up stupid analogies? Thank you.

A port scan is not telling someone what's inside your house. It tells just which of the stores in the basement are open.

OK, the analogies are getting really silly.
---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
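The three "look but don't touch" stages Ed's analogy separates (list the openings, read the manufacturer label, look up how that lock is bypassed) map directly onto a connect scan, a banner grab and an advisory lookup. The script below is an added illustration for this archive page, not code from Ed Spencer or anyone in the thread. It stands up two listeners on loopback that return constructed banners, scans them plus one deliberately closed port, parses product and version out of the banners and consults a made-up advisory table; the product names, versions and the "advisory" text are all invented for the example, and by design nothing here ever sends a payload to a service.

```python
"""Added example: connect scan -> banner/version grab -> advisory lookup,
stopping before any exploitation attempt. Runs against constructed listeners
on 127.0.0.1 only; no real product, version or advisory is referenced."""
import re
import socket
import threading

# Constructed greeting banners in the shape real SSH and SMTP daemons use.
# "ExampleSSH"/"ExampleMTA" and their versions are made up for this demo.
CONSTRUCTED_BANNERS = {
    "ssh": b"SSH-2.0-ExampleSSH_1.2\r\n",
    "smtp": b"220 mail.example.test ExampleMTA 4.5 ESMTP ready\r\n",
}

# Hypothetical "how to bypass this lock" notes keyed by (product, version).
# A real survey would query vendor advisories / CVE data here instead.
CONSTRUCTED_ADVISORIES = {
    ("ExampleSSH", "1.2"): "hypothetical: weak KEX negotiation (illustrative only)",
}

# Matches the product/version tail of either banner format above.
BANNER_RE = re.compile(r"(?:SSH-2\.0-|220\s+\S+\s+)([A-Za-z]+)[_ ]([0-9][0-9.]*)")


def start_banner_listener(banner):
    """Bind an ephemeral loopback port and hand `banner` to every client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener was shut down
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def connect_scan(host, ports, timeout=0.5):
    """Stage 1: list the doors and windows. One connect per port, nothing more."""
    return [p for p in ports if _is_open(host, p, timeout)]


def _is_open(host, port, timeout):
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def grab_banner(host, port, timeout=1.0):
    """Stage 2: read what the service volunteers on connect (the manufacturer label)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(256).decode("ascii", "replace").strip()
        except socket.timeout:
            return ""


def parse_banner(banner):
    """Extract (product, version) from a greeting banner, or None if unrecognised."""
    m = BANNER_RE.search(banner)
    return (m.group(1), m.group(2)) if m else None


def survey(host, ports):
    """Stage 3: join scan + banner with the advisory table. Never probes or exploits."""
    findings = {}
    for port in connect_scan(host, ports):
        banner = grab_banner(host, port)
        pv = parse_banner(banner)
        findings[port] = {
            "banner": banner,
            "product": pv,
            "advisory": CONSTRUCTED_ADVISORIES.get(pv) if pv else None,
        }
    return findings


def demo():
    """Start the constructed listeners, survey them plus a closed port, tear down."""
    ssh_srv, p_ssh = start_banner_listener(CONSTRUCTED_BANNERS["ssh"])
    smtp_srv, p_smtp = start_banner_listener(CONSTRUCTED_BANNERS["smtp"])
    # Reserve and immediately release a port so we have one that is known closed.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    p_closed = tmp.getsockname()[1]
    tmp.close()
    try:
        return survey("127.0.0.1", [p_ssh, p_smtp, p_closed]), p_ssh, p_smtp, p_closed
    finally:
        for srv in (ssh_srv, smtp_srv):
            try:
                srv.shutdown(socket.SHUT_RDWR)  # wakes the blocked accept()
            except OSError:
                pass
            srv.close()


if __name__ == "__main__":
    results, *_ = demo()
    for port, info in sorted(results.items()):
        print(port, info["product"], "->", info["advisory"] or "no advisory on file")
```

The point the analogy makes about traffic is visible in `connect_scan`: it is one connection per port, which is exactly the per-host burst a NIDS or flow monitor keys on. Everything past `grab_banner` is offline lookup against data you already hold; the moment you would send anything tailored to the advisory, you have crossed from "listing the locks" into "trying the door", which is the line the post draws.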
Current thread:
- Re: [Silly analogy] Ed Spencer (Mar 23)