Firewall Wizards mailing list archives

Re: The value of detecting neutralized threats. (was RE: IDS blah blah)


From: David LeBlanc <dleblanc () mindspring com>
Date: Thu, 28 Jan 1999 08:22:36 -0500

At 01:29 PM 1/26/99 -0800, Dominique Brezinski wrote:

OK, here is a classic example of theory versus practicality.  I agree in
theory with John.  I personally want to know every time someone tries to do
anything to my network that is not in my best interest.  However, the
practicality of analyzing every possible threat is way beyond the means of
most organizations (and individuals for that matter).  

I've seen several new exploits come to light because someone was logging
traffic to machines when they crashed.  There is some value in collecting
the data even if you do not use all of it to full potential.

Security is about risk reduction, not threat annihilation.  

A threat which has been annihilated is no longer a risk 8-)

Seriously, if more script kiddies got busted to some extent, maybe there
wouldn't be quite so many of them.

It is not a matter of cost but of capability.  Few organizations have the
staff with the skills and understanding necessary to have a functional
threat detection capability.  There are many policies and procedures that
go with threat detection that few ever think about: response policy,
evidence handling and integrity, escalation procedures, information
containment, and appropriate external contacts.

When and how do you respond to a possible threat?
Do you shut critical systems down?
Do you attempt to trace the connection back? How?
[more good questions snipped]

All of this is assuming a worst-case scenario where you've got a skilled
attacker who is effectively covering their tracks, and the attack is of a
magnitude where you are concerned about prosecution.  Under those
conditions, it is indeed a lot of trouble.  However, for a majority of
cases, you've got some script kiddie coming at you from an ISP or a dorm
room, and they are looking for Back Orifice on all of your UNIX and NT
boxes <g>.  When that's what is going on, it frequently only takes one call
or e-mail to the admin to shut them down (at least from that provider).
Even if you're not prepared to deal with a worst-case scenario, you should
still do what you can - and while you're doing that, grow your response
capability and skills.  At the very least, it seems like a business
opportunity to be able to deal with the difficult cases - one could
probably make a lot of $$ helping businesses with this sort of thing.

Remember that we've got the same situation in the rest of our lives - a kid
shooting off firecrackers is very likely to get a visit from the local cop
and told not to do that, but a highly skilled criminal may be able to
operate for years without being caught.

And one knowledgeable person to run it will cost you $100,000+ per year,
not to mention all the legal research and effort necessary to come up with
the threat response plan and policies.

That's assuming you've got a really knowledgeable person - have you looked
at what jobs in this area actually pay (you probably make well above
average)?  That's also assuming that you're dedicating 100% of that
person's time to this task.


David LeBlanc
dleblanc () mindspring com
