Honeypots mailing list archives

RE: Attack Paradigm Shift? So focus on the DZ not the DMZ!


From: "Ken Kousky" <kkousky () ip3inc com>
Date: Thu, 22 May 2003 09:44:47 -0400

We should be paying attention to several important points here - first,
exploits used by mass attacks can be replicated and used successfully in
Q=1 (quantity one) attacks without producing a discoverable signature so
there is every reason to believe that exploits will be similar. Second,
many defense devices fail open when flooded or under other forms of
attack. Were internal systems touched and Trojans placed during
Slammer? Finally, good defenses (best practices) should be capable of
warding off both types of attacks. 

We try to focus clients on the Defense Zone, not the DMZ. The DZ is
composed of all of the systems that can be touched, in and out of the
perimeter. The DZ defense is much more complex than simply plugging the
internet access with firewalls. 


I think we're working in the right direction when we get beyond AV, VPNs
and firewalls... and that will require a paradigm shift in understanding
attacks and the weakness in our current Maginot Walls we call
perimeters.

KWK
-----Original Message-----
From: Roger A. Grimes [mailto:rogerg () cox net] 
Sent: Wednesday, May 21, 2003 4:22 PM
To: Andrew.Patrick () kemperinsurance com; honeypots () securityfocus com
Subject: RE: Attack Paradigm Shift?

Well, certain attacks like Slammer, Nimda, most worms and viruses, and
any other sort of scanning or randomly traveling piece of malware, are
by nature not targeting any one specific company.

Of course, maybe the cracker is trying to target one host and is using
the wide-spread attack as a ruse (i.e. likened to the case of the lady
who killed 8 other innocent people in her successful effort to kill her
husband in one of the Tylenol-poisoning cases in 1982).

Roger


