Dailydave mailing list archives
RE: New presentation is up: 0days: How hacking reallyworks
From: "Maynor, David (ISS Atlanta)" <dmaynor () iss net>
Date: Tue, 1 Feb 2005 13:43:57 -0500
> When the technology enforcing the security policy has no true enforcement or auditing of privilege transitions, modeling the effectiveness of a containment measure is not possible.
There is far more to security than just products. Customers who just think "hey, I bought a firewall" or "this IPS will keep me safe" are deluding themselves. This is where pentesting and consulting come into play, IMHO. In addition to buying the products, they have to be deployed correctly. A good deployment is generally based on a company's security policy. Since most companies have CTO or CIO approval on their security policy, violations of it are actionable. Pentesting can ferret out bad product deployments as well as ineffective security policies.
> The technology in use by most today simply fails in the presence of malice. I do not currently know of a way to deliver this "correctly designed network that is capable of withstanding 0days" without using technology like Mandatory Access Controls, Domain and Type Enforcement, Network Labels, etc. How many corporate networks have you audited that are using that technology? I haven't seen many.
That's the point of pentesting. You are supposed to show that without certain technology and policies in place the network is very ownable. This isn't rocket science; most of the policies can start with things like a good password policy. I don't know many pentesters who haven't got at least initial access with password auditing. Aside from that, a company has to evaluate its own services and requirements for what should be done next. Something like a company running all of its mission-critical applications on the same machine, with the same userid and password as every other machine on the network, is bad. It is a single point of failure. It doesn't take an elite hacker with 0day to bring a company like that down; a script kiddie with a DDoS network can do it. A lot of this stuff comes to the surface when a company does disaster recovery planning as well.

The idea I try to pass to people is that a network should be designed with no single points of failure, and if a department, like marketing for instance, is infected with a worm or virii, it should not be able to affect the rest of the company. This idea extends to hackers as well. If a hacker gains access to a departmental PDC, he should not be able to use that access to jump to different departments or parts of the company. It all comes down to minimizing single points of failure while compartmentalizing networks.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- RE: New presentation is up: 0days: How hacking reallyworks Maynor, David (ISS Atlanta) (Feb 01)
- Re: New presentation is up: 0days: How hacking reallyworks robert (Feb 01)
- <Possible follow-ups>
- RE: New presentation is up: 0days: How hacking reallyworks Maynor, David (ISS Atlanta) (Feb 01)
- Re: New presentation is up: 0days: How hacking reallyworks Kevin Ponds (Feb 01)
- Re: New presentation is up: 0days: How hacking reallyworks Ron Gula (Feb 01)
- Re: New presentation is up: 0days: How hacking reallyworks Kevin Ponds (Feb 01)
- Re: New presentation is up: 0days: How hacking reallyworks Ron Gula (Feb 01)
- Re: New presentation is up: 0days: How hacking reallyworks Hamid . K (Feb 01)
- Message not available
- Re: New presentation is up: 0days: How hacking reallyworks David Stein (Feb 02)
- Re: New presentation is up: 0days: How hacking reallyworks Holden Williamson (Feb 05)
- Re: New presentation is up: 0days: How hacking reallyworks Holden Williamson (Feb 05)
- Re: New presentation is up: 0days: How hacking reallyworks Anthony Zboralski (Feb 06)
- Re: New presentation is up: 0days: How hacking reallyworks Kevin Ponds (Feb 01)