Dailydave mailing list archives

Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes)


From: "Olef Anderson" <olef.anderson () gmail com>
Date: Mon, 13 Nov 2006 16:45:48 -0800

On 11/13/06, Paul Melson <pmelson () gmail com> wrote:

-----Original Message-----
Subject: Re: [Dailydave] "The organization I belong to doesn't have
initals"(that evil dude in Heroes)

That's a misleading way to frame the conversation, don't you think?  A
pen-test isn't supposed to answer the yes/no question, "Can you be
hacked?" It's supposed to ask the open-ended questions, "How can you be
hacked?" and "How can you fix it?"


The answer to "How can you fix it?" relies partially on what Dave is saying.
You basically need a two-tiered game plan. One: have a separate network for
Internet, email, browsing and similar junk (segmentation). Two: build
and manage a skilled in-house penetration/research team, or have a permanent
consultancy gig with a company like Immunity (continuous assessment). All
the other options are futile and a total waste of money. Other options, you
ask? First there was the IDS, which nobody serious enough offers as a
security solution anymore, wisely enough. Then there was the HIPS; eEye,
Determina, Entercept etc., which was also proven to be just another security
hoax in every sense of it. And finally something more meaningful arose from
the industry: virtualization. VMs per node (internet, corporate etc.), yet
another segmentation idea which in my personal belief will eventually be
broken as well in the next 2 to 3 year time frame, and would be the next
most joyful hacking/REing gig for any serious researcher. So back to the
real hardware segmentation business, alongside a dedicated team of
researchers auditing everything on the public segment, is the only viable
and real solution.

A lot of you might feel like I'm pissing in your cup of tea or something. Please
leave the corporate puppeteering behind and think twice. If you are in the
IDS business, you expired well over 10 years ago by now; if you are in the IPS
business, well, let's say you made sense in the early 2000s but not anymore.
Virtualization, yeah, quite a fresh start, but I wonder how long it will survive
till the first batch of attacks reveal themselves (not necessarily publicly
though) ...

If you did not like what I just said and work for or own a security company
making one of the mentioned types of product, I urge you to put your product to
the test! Any decent prize money would do, but remember: real 0day that a
hacker would be OK to reveal, given the right terms, does not go for the
ZDI/iDefense standards; they are much more precious than that and require a much
bigger pay. My prediction is any NIDS can be broken for prize money of
$30K (if ASIC/FPGA based solution, multiply by 2), any HIPS $200K - $250K,
virtualization $300K - $350K should do. I am looking forward to hearing some
hard cash challenges rather than the usual rants from corporate emails ...

cheers,
olef
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
