Dailydave mailing list archives
Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes)
From: "Olef Anderson" <olef.anderson () gmail com>
Date: Mon, 13 Nov 2006 16:45:48 -0800
On 11/13/06, Paul Melson <pmelson () gmail com> wrote:
> -----Original Message-----
> Subject: Re: [Dailydave] "The organization I belong to doesn't have initals"(that evil dude in Heroes)
>
> That's a misleading way to frame the conversation, don't you think? A pen-test isn't supposed to answer the yes/no question, "Can you be hacked?" It's supposed to ask the open-ended questions, "How can you be hacked?" and "How can you fix it?"
The answer to "How can you fix it?" relies partially on what Dave is saying. You basically need a two-tiered game plan. One: have a separate network for Internet, email, browsing and similar junk (segmentation). Two: build and manage a skilled in-house penetration/research team, or have a permanent consultancy gig with a company like Immunity (continuous assessment). All the other options are futile and a total waste of money.

Other options, you ask? First there was the IDS, which nobody serious enough offers as a security solution anymore, wisely enough. Then there was the HIPS (eEye, Determina, Entercept etc.), which was also proven to be just another security hoax in every sense. And finally something more meaningful arose from the industry: virtualization. VMs per node (internet, corporate etc.), yet another segmentation idea which, in my personal belief, will eventually be broken as well in the next 2 to 3 years and would be the next most joyful hacking/REing gig for any serious researcher. So back to the real hardware segmentation business, alongside a dedicated team of researchers auditing everything on the public segment, is the only viable and real solution.

A lot of you might feel like I piss in your cup of tea or something. Please leave the corporate puppeteering behind and think twice. If you are in the IDS business you expired well over 10 years ago; if you are in the IPS business, well, let's say you made sense in the early 2000s but not anymore. Virtualization, yeah, quite a fresh start, but I wonder how long it will survive till the first batch of attacks reveal themselves (not necessarily publicly though)... If you did not like what I just said and work for or own a security company making one of the mentioned types of product, I urge you to put your product to the test!
Any decent prize money would do, but remember that real 0day that a hacker would be OK to reveal, given the right terms, does not go by the ZDI/iDefense standards; they are much more precious than that and require a much bigger pay. My prediction is any NIDS can be broken for prize money of $30K (if an ASIC/FPGA based solution, multiply by 2), any HIPS $200K - $250K, virtualization $300K - $350K should do. I am looking forward to hearing some hard cash challenges rather than the usual rants from corporate emails...

cheers,
olef
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- "The organization I belong to doesn't have initals" (that evil dude in Heroes) Dave Aitel (Nov 12)
- Re: "The organization I belong to doesn't have initals" (that evil dude in Heroes) Tito Villalobos (Nov 13)
- Re: "The organization I belong to doesn't have initals" (that evil dude in Heroes) Pete Herzog (Nov 13)
- Re: "The organization I belong to doesn't have initals" (that evil dude in Heroes) Steve Manzuik (Nov 13)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Paul Melson (Nov 13)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Steve Manzuik (Nov 13)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Olef Anderson (Nov 14)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Nicolas RUFF (Nov 14)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) David Maynor (Nov 14)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Daniel (Nov 14)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Siim Põder (Nov 14)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Matt Richard (Nov 15)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) dan (Nov 16)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Rhys Kidd (Nov 16)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Matt Richard (Nov 16)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Dave Aitel (Nov 16)
- Re: "The organization I belong to doesn't have initals" (that evil dude in Heroes) Tito Villalobos (Nov 13)