Dailydave mailing list archives

Re: lots of monkeys staring at a screen....security?


From: "Ross Brown" <rbrown () eeye com>
Date: Mon, 30 Oct 2006 16:28:23 -0800

There is a pareto curve for everything, including attacks.  The IPS/IDS
network layer products are going to be an effective filter against the
mass attacks that are known (think broad and common), not the uncommon
and targeted. In other words, it's a fairly effective noise filter, but not
an effective solution against someone who is targeting your network with
both intellect and determination. One vulnerability can lead to N
exploit variants both N(known) and N(unknown).  The NIPS products are
great for the N(known), but the monetary value in being a bad guy is in
the creation and relative scarcity of N(unknown) variants for known
vulnerabilities, where the NIPS products are typically creating the
illusion of security.

In other words, if you're smart and want in, typical network IPS isn't
gonna slow you down too much.

RB

____________________________________ 
Ross Brown
Chief Executive Officer
eEye Digital Security

-----Original Message-----
From: dailydave-bounces () lists immunitysec com
[mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Joanna
Rutkowska
Sent: Monday, October 30, 2006 6:39 AM
Cc: dailydave
Subject: Re: [Dailydave] lots of monkeys staring at a
screen....security?

On 10/29/06, Joanna Rutkowska <joanna () invisiblethings org> wrote:

Kevin Johnson wrote:
Part of any defense is the ability to detect when things fail.  I
think that we want to throw out technology because it doesn't do
everything.  I see every day systems being attacked by simplistic old
attacks that IDS systems can warn you about.

I might be missing something, but I really don't get why we should 
care about all those "simplistic old attacks" - shouldn't we already 
be immune to them?

joanna.

hey, let's do the bottom-posting, shall we? ;)

David Maynor wrote:
No, every time somebody does a fresh install of Windows 2000 for some
project and doesn't update to the current patch levels you can be hit
by those same old attacks. A lot of people forget that not every
company in the world is focused on security and as long as something
works doing things like applying patches or upgrading to the latest
versions is not the most important thing.


That's the point! So many people think that they can be lazy with
patching because they have an IDS/IPS which is going to protect them...
But the ID/PS is usually capable of blocking only known exploits for a
particular bug. So, in fact, it doesn't even protect them against the
old vulnerabilities being exploited, only against the old, unmodified
exploits. Not to mention tricks, like Dave's "covertness bar" :)

joanna.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
