IDS mailing list archives

RE: Are sophisticated attacks just FUD?


From: "Chuck Herrin" <me () chuckherrin com>
Date: Thu, 1 Jul 2004 11:56:49 -0400

 

I would think that last week's Scob attack against Internet Explorer
is clear (and recent!) evidence that sophisticated attacks take place
"in the wild".  Also, anyone who has ever had to fire a technically
sound administrator should be aware that a motivated employee (or
worse, ex-employee) has intimate knowledge of the network and can
easily leverage that into doing some real damage.  I myself have been
a responder on multiple attacks that I consider "sophisticated" that
may have been prevented or at least noticed earlier if an IDS/IPS had
been in place.  

Maybe you should set out an attractive, fairly well-secured honeypot
and come back in a couple of weeks to show him that while most of the
attacks were Skiddies, some are worth investing $$ into preventing. 
If you make the target attractive enough, the h4x0rs will come.  Just
a matter of time.

Chuck Herrin, CISSP, MCSE, CEH

All outgoing correspondence is digitally signed.  Lack of a digital
signature indicates possible forgery. 
Get my public key at www.chuckherrin.com/ChuckHerrin.asc

-----Original Message-----
From: Joshua Berry [mailto:jberry () PENSON COM] 
Sent: Wednesday, June 30, 2004 9:36 AM
To: Sam Heshbon; focus-ids () securityfocus com
Subject: RE: Are sophisticated attacks just FUD?


You cannot point to the firewall as evidence that you are never
targeted in a large network.  What about across VPN connections, or
inside attacks?  Or, if you are large enough, you probably have
point-to-point connections with other offices, vendors or customers.

Also, just because you do not know of a breach does not mean that one
has not occurred.  This would hopefully be part of a sophisticated
attack: not getting caught, or at least for some time.

-----Original Message-----
From: Sam Heshbon [mailto:sheshbon () yahoo com] 
Sent: Tuesday, June 29, 2004 11:12 AM
To: focus-ids () securityfocus com
Subject: Are sophisticated attacks just FUD?

I had a big discussion with my boss who claims most of the IPS, SIM
and other new tools are just hype, protecting from sophisticated
threats which only exist in labs. He thinks multi-staged attacks and
so on do not often happen in the wild and shows our firewall's logs
as evidence. It is true we see mostly worms. (NMAP) scanning happens
once in a while, but he claims it's a script kiddy, and the fact we
have never seen a breach means it is not a real threat (we run a
large network operation). I'm looking for statistical data showing
how frequently sophisticated attacks and advanced tools evolve and
what their damage is to the corporate. If anyone knows of research
showing whether this is FUD or a real problem, I'd love to prove him
wrong (I'm willing to admit I'd be happy to have some new toys ;)

