Firewall Wizards mailing list archives
Re: The value of detecting neutralized threats. (was RE: IDS blah blah)
From: David LeBlanc <dleblanc () mindspring com>
Date: Thu, 28 Jan 1999 08:22:36 -0500
At 01:29 PM 1/26/99 -0800, Dominique Brezinski wrote:
> OK, here is a classic example of theory versus practicality. I agree in theory with John. I personally want to know every time someone tries to do anything to my network that is not in my best interest. However, the practicality of analyzing every possible threat is way beyond the means of most organizations (and individuals for that matter).

I've seen several new exploits come to light because someone was logging traffic to machines when they crashed. There is some value in collecting the data even if you do not use all of it to full potential.

> Security is about risk reduction, not threat annihilation.

A threat which has been annihilated is no longer a risk 8-) Seriously, if more script kiddies got busted to some extent, maybe there wouldn't be quite so many of them.

> It is not a matter of cost but of capability. Few organizations have the staff with the skills and understanding necessary to have a functional threat detection capability. There are many policies and procedures that go with threat detection that few ever think about: response policy, evidence handling and integrity, escalation procedures, information containment, and appropriate external contacts.

> When and how do you respond to a possible threat? Do you shut critical systems down? Do you attempt to trace the connection back? How?

[more good questions snipped]

All of this is assuming a worst-case scenario where you've got a skilled attacker who is effectively covering their tracks, and the attack is of a magnitude where you are concerned about prosecution. Under those conditions, it is indeed a lot of trouble. However, for a majority of cases, you've got some script kiddie coming at you from an ISP or a dorm room, and they are looking for Back Orifice on all of your UNIX and NT boxes <g>. When that's what is going on, it frequently only takes one call or e-mail to the admin to shut them down (at least from that provider). Even if you're not prepared to deal with a worst-case scenario, you should still do what you can - and while you're doing that, grow your response capability and skills. At the very least, it seems like a business opportunity to be able to deal with the difficult cases - one could probably make a lot of $$ helping businesses with this sort of thing. Remember that we've got the same situation in the rest of our lives - a kid shooting off firecrackers is very likely to get a visit from the local cop and told not to do that, but a highly skilled criminal may be able to operate for years without being caught.

> And one knowledgeable person to run it will cost you $100,000+ per year, not to mention all the legal research and effort necessary to come up with the threat response plan and policies.

That's assuming you've got a really knowledgeable person - have you looked at what jobs in this area actually pay (you probably make well above average)? That's also assuming that you're dedicating 100% of that person's time to this task.

David LeBlanc
dleblanc () mindspring com