Dailydave mailing list archives

RE: New presentation is up: 0days: How hacking really works


From: "Maynor, David (ISS Atlanta)" <dmaynor () iss net>
Date: Tue, 1 Feb 2005 13:43:57 -0500


When the technology enforcing the security policy has no true
enforcement or auditing of privilege transitions, modeling the
effectiveness of a containment measure is not possible.

There is far more to security than just products. Customers who just
think "hey I bought a firewall" or "this IPS will keep me safe" are
deluding themselves. This is where pentesting and consulting come into
play, IMHO. In addition to buying the products, they have to be deployed
correctly. A good deployment is generally based on a company's security
policy. Since most companies have CTO or CIO approval on their security
policy, violations of it are actionable. Pentesting can ferret out bad
product deployments as well as ineffective security policies.

The technology in use by most today simply fails in the presence of
malice.  I do not currently know of a way to deliver this "correctly
designed network that is capable of withstanding 0days" without using
technology like Mandatory Access Controls, Domain and Type Enforcement,
Network Labels, etc.  How many corporate networks have you audited that
are using that technology?  I haven't seen many.

That's the point of pentesting. You are supposed to show that without
certain technology and policies in place the network is very ownable.
This isn't rocket science; most of the policies can start with things
like a good password policy. I don't know many pentesters that haven't
got at least initial access with password auditing.

Aside from that a company has to evaluate their own services and
requirements for what should be done next. A thing like a company
running all of its mission critical applications on the same machine
with the same userid and password as every other machine on the network
is bad. It is a single point of failure. It doesn't take an elite
hacker with 0day to bring a company like that down; a script kiddie with
a DDoS network can do it. A lot of this stuff comes to the surface when
a company does disaster recovery planning as well.

The idea I try to pass to people is that a network should be designed
with no single points of failure and if a department, like marketing for
instance, is infected with a worm or virii it should not be able to
affect the rest of the company. This idea extends to hackers as well. If
a hacker gains access to a departmental PDC he should not be able to use
that access to jump to different departments or parts of the company. It
all comes down to minimizing single points of failure while
compartmentalizing networks. 
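The compartmentalization idea in the last two paragraphs can be checked rather than just asserted. The following is an added example, not part of the original post: it models departmental segments and the flows a firewall permits (a constructed sample, not any real network), then computes which segments an attacker holding one foothold can reach transitively, and which servers every department depends on (the single points of failure). All segment names and the two policies are assumptions made up for the illustration.

```python
"""Blast-radius and shared-dependency check for a segmented network.

Added example (not from the original post). The segments and policies
below are constructed for illustration; a real run would load them from
firewall rules or a network inventory.
"""
from collections import deque

# Constructed sample: three departments plus the servers they use.
DEPARTMENTS = {"marketing", "finance", "engineering"}
SERVERS = {"marketing_pdc", "finance_pdc", "eng_pdc", "file_server", "backup"}
SEGMENTS = DEPARTMENTS | SERVERS

# A flat network: every segment may talk to every other segment.
FLAT_POLICY = [(src, dst, "any") for src in SEGMENTS for dst in SEGMENTS if src != dst]

# A compartmentalized network: each department reaches only its own PDC
# and the shared file server; only the file server reaches backup.
SEGMENTED_POLICY = [
    ("marketing", "marketing_pdc", "ldap"),
    ("finance", "finance_pdc", "ldap"),
    ("engineering", "eng_pdc", "ldap"),
    ("marketing", "file_server", "smb"),
    ("finance", "file_server", "smb"),
    ("engineering", "file_server", "smb"),
    ("file_server", "backup", "nfs"),
]


def _adjacency(policy):
    """Build a directed graph: source segment -> set of destination segments."""
    adj = {}
    for src, dst, _service in policy:
        adj.setdefault(src, set()).add(dst)
    return adj


def reachable(policy, start):
    """Segments an attacker who controls `start` can reach, transitively.

    Breadth-first search over the permitted flows; the foothold itself is
    not counted as reachable.
    """
    adj = _adjacency(policy)
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for nxt in adj.get(current, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}


def blast_radius(policy, start, segments=SEGMENTS):
    """Fraction of the other segments reachable from `start` (0.0 to 1.0)."""
    others = segments - {start}
    return len(reachable(policy, start) & others) / len(others)


def shared_by_all(policy, departments=DEPARTMENTS):
    """Segments reachable from every department: the shared dependencies
    whose loss (or compromise) affects the whole company at once."""
    result = None
    for dept in departments:
        r = reachable(policy, dept)
        result = r if result is None else result & r
    return result or set()


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name}: worm in marketing reaches "
              f"{sorted(reachable(policy, 'marketing'))} "
              f"(blast radius {blast_radius(policy, 'marketing'):.2f})")
        print(f"{name}: attacker on marketing_pdc reaches "
              f"{sorted(reachable(policy, 'marketing_pdc'))}")
        print(f"{name}: shared by every department: {sorted(shared_by_all(policy))}")
```

In the flat policy a compromised marketing workstation reaches every other segment, and a compromised departmental PDC likewise reaches everything. In the segmented policy the same foothold reaches only its own PDC, the file server and backup, and the PDC itself has no outbound flows at all, which is the "should not be able to jump to different departments" property the post asks for. The `shared_by_all` result (the file server and backup) is the list of single points of failure that the segmentation did not remove and that disaster recovery planning still has to address.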

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave