IDS mailing list archives

Re: IDS testing methodologies


From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Fri, 02 Jan 2004 14:11:55 -0800

Alvin Oga writes:

in my book ... ( small world ) .. an IDS is not very useful, because, the
cracker is already in your network ... game over ...

I couldn't agree less.

If the history of information security has taught us anything, it is that
any system can be compromised, and that any code---OS, application, script,
or whathaveyou---will eventually be found to contain exploitable bugs.

What does this tell us?  It tells us that relying entirely on prevention
is not a long-term survivable strategy.  Any sane information security
policy must (with the exception of a few goofy border cases) rely on:

        -Prevention (keeping the bad guys out)
        -Auditing (situational awareness)
        -Containment (controlling the failure mode and limiting exposure)
        -Remediation (damage control after the fact)

To rely on anything else is to rely on voodoo and wishful thinking.

I won't bore the list with a more long-winded discussion of this point,
but it strikes me that working as a wee sysadminling back in the days
where your MTA -was- sendmail(8) and your DNS -was- bind was probably
very good at teaching some of us the importance of not relying entirely
on prevention as a security strategy.  It's now, what, fifteen years
after the Morris worm?

Whenever I hear a security professional talk about a compromise being `game
over', I wonder what they -do-.



-spb
