IDS mailing list archives

Re: IDS testing methodologies start


From: Alvin Oga <alvin.sec () Virtual Linux-Consulting com>
Date: Mon, 5 Jan 2004 16:51:48 -0800 (PST)


hi ya mike

On Fri, 2004-01-02 at 08:52, Alvin Oga wrote:
in my book ... ( small world ) .. an IDS is not very useful, because, the
cracker is already in your network ... game over ...

Don't forget that once in, you still have to get him out. If the cracker
is in, the game has only just begun. If the guy has touched more than
one system, IDS can still play a major role here, especially your home
grown IDS systems that are tailored to your environment. 

yes.. yes.. definitely...

clarification .. "game over" was meant that the prevention and
hardening left a hole/vulnerability/exploit that was readily exploitable
by the script kiddie or determined cracker ... 

yes.. the fun definitely starts when one detects a cracked box

- i prefer spending my time in prevention/hardening/policy/etc vs
  "detecting the cracker"  
        - "detecting the cracker got in" implies you're cracked...
        ( too late in my book )

- costs ... lot cheaper to prevent the obvious vulnerabilities
        ... rough orders of magnitude of costs ...
        $ 0.01  prevention and hardening and security policy ( fun stuff )
        $ 0.10  ids and detecting  -- ( too many false alarms )
        $ 1.00  cleanup after compromises - ( fun stuff )

- the clients or companies or home users paying the "it/security" budget
  can determine where they wanna spend their $$$ ....
        - i like it when they call for help to come clean things up ..

c ya
alvin

