Security Incidents mailing list archives
Re: A slap on the wrist...?
From: "Greg A. Woods" <woods () weird com>
Date: Thu, 31 Aug 2000 19:28:04 -0400
[ On Thursday, August 31, 2000 at 07:59:51 (-0400), Daniel Medina wrote: ]
> Subject: Re: A slap on the wrist...?
>
> > [ On Sunday, August 20, 2000 at 21:59:23 (+0100), Nexus wrote: ]
> > > Subject: Re: A slap on the wrist...?
> > >
> > > Am I missing something here, or is the fact that a scripted, sequential
> > > single portscan getting dropped by a firewall a non-issue in the grand
> > > scheme of things ?
> >
> > All you're missing is probably just the fact that there are a lot of
> > overly paranoid, trigger-happy, dudes on this list who don't yet really
> > know how to tell the difference between a real threat and a lamer
> > speeding by in a hot-rod on the next street over...
>
> Still, when you have a security policy, you have to stick to it. You can't
> easily decide what the real threat is and what is not, so it's better to be
> high-strung I think than laid-back. If I know someone is going through my
> garbage, even if it's just junk, I'd still consider it an invasion of
> privacy...same goes for this situation.

OK, since you chose the analogy let me expand on it a bit in hopes of providing a basis for reducing the excessive overflowing paranoia that some people seem to feel every time their firewall logs a packet that wasn't specifically and directly authorised.

So, yeah, someone's poking in your garbage bin. That doesn't mean you go out immediately and arrest him for no other reason. You still have to correlate other factors that will corroborate your theory that this person is indeed a threat and not just the kind of person who pokes through everyone's garbage looking for nice shiny objects of only artistic value. If he's shady looking (eg. too well dressed, has a gun in his belt, etc.), and isn't also poking through the garbage of the restaurant next door, and perhaps has been observed wiggling your door handles in the past, etc., etc., etc., then yes you might just call the cops and ask them to check him out.

The same thing goes for firewall/IDS logs. Someone searching for an open port isn't in any way provably malicious, not even if they're connecting repeatedly and explicitly to your SSH or IKE port or whatever.

For instance I made a typo in an IP# just this afternoon as I was trying to connect to a client's server for the first time (i.e. I expected I'd be having to accept a new key) with SSH, and I repeatedly typed what I thought was the correct password. Only after verifying the password did I notice that I'd exchanged two digits in the IP#. If the guy on the other end calls the FBI (or in this case maybe the CIA since I'm not in the same country) instead of me and manages to get them to do anything about it, who do you think is going to look a little more stupid than normal after all the facts are gathered. Guess who's not going to get an immediate response from the authorities next time he calls too!

I.e. even if there are active attempts to access a security-sensitive resource in a very suspicious way there's still no proof in the audit trail of that event alone that there's any malicious intent whatsoever. If the guy calls me, and if I don't respond, and if he then e-mails me, and if I still don't respond, and if I happen to make the same typo again in a day or two, then .... well I think you get the picture.

Furthermore I would expect any ``professional'' Internet criminal to have learned by now that they can easily mis-direct the attentions of an IDS on some script kiddie while they go about their cracking in a much less detectable manner. I.e. if you really do have some important risks to manage then you'd better be really good at identifying the real threats you face and learn how to identify them in the midst of a wash of activity from other apparent, unidentified, threats.

The longer this Internet thing continues to grow and flounder around like it's doing now, the more corroborating evidence you'll have to produce before you'll begin to get the authorities to even raise an eyebrow at any accusations of malicious intent.

In other words if you're trying to "stick to" a badly written security policy then you're going to be wasting a lot of resources while the bad guys try to fool you in other ways.

I believe it's better to have multi-level IDS, and not just all automated tools running on their own either. That way you can be laid back about (and thus more or less ignore) all the events that only trigger at the outer level. Once an outer trigger migrates in to a level of higher sensitivity then you pay a bit more attention, and so on. The trick is of course figuring out how to implement this kind of "system" in the scope of a reasonable and meaningful security policy! :-)

-- 
Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods () acm org>      <robohack!woods>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>
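The "multi-level IDS" idea at the end of the post, where a lone dropped packet or a few mistyped SSH attempts stay at the outer level and attention is only escalated as independent corroborating factors accumulate, can be sketched as a small correlator. The following is an added example, not code from the original post or from any project discussed in the thread; the sensitive-port set, the three corroboration factors, the tier names and every log line are constructed assumptions chosen to mirror the scenarios in the message (a one-pass scripted scan, the mistyped-IP SSH session, and a source that keeps coming back to sensitive ports over several days).

```python
"""Tiered escalation over firewall/IDS events.

Added example (not from the original post): a minimal correlator that only
raises the tier when several independent factors line up, so that a single
scan or a few SSH attempts from one afternoon remain at the outer level.
All events below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime

# Ports local policy treats as security-sensitive (assumption: SSH and IKE,
# the two the post mentions).
SENSITIVE_PORTS = {22, 500}

# Human-readable names for the tiers (assumption).
TIER_NAMES = {0: "ignore", 1: "log", 2: "watch", 3: "investigate"}

# Constructed sample log: (ISO timestamp, source address, dest port, action).
SAMPLE_EVENTS = [
    # a scripted, sequential portscan, one pass, one day
    ("2000-08-31T10:00:00", "192.0.2.10", 21, "DROP"),
    ("2000-08-31T10:00:01", "192.0.2.10", 23, "DROP"),
    ("2000-08-31T10:00:02", "192.0.2.10", 80, "DROP"),
    # the mistyped-IP scenario: repeated SSH logins in one afternoon
    ("2000-08-31T15:10:00", "198.51.100.7", 22, "ACCEPT"),
    ("2000-08-31T15:10:20", "198.51.100.7", 22, "ACCEPT"),
    ("2000-08-31T15:10:45", "198.51.100.7", 22, "ACCEPT"),
    # a persistent source: sensitive ports on several days plus a sweep
    ("2000-08-29T02:00:00", "203.0.113.5", 22, "DROP"),
    ("2000-08-30T02:05:00", "203.0.113.5", 500, "DROP"),
    ("2000-08-31T02:10:00", "203.0.113.5", 22, "DROP"),
    ("2000-08-31T02:10:05", "203.0.113.5", 23, "DROP"),
    ("2000-08-31T02:10:06", "203.0.113.5", 25, "DROP"),
]


def group_by_source(events):
    """Parse timestamps and group the raw tuples by source address."""
    by_src = defaultdict(list)
    for ts, src, port, action in events:
        by_src[src].append((datetime.fromisoformat(ts), port, action))
    return by_src


def tier_for(records):
    """Return (tier, reasons) for one source's records.

    Each independent factor adds one level; a single factor (one scan,
    one burst of SSH attempts) never gets past "log" on its own.
    """
    reasons = []
    days = {ts.date() for ts, _, _ in records}
    ports = {port for _, port, _ in records}
    if ports & SENSITIVE_PORTS:
        reasons.append("touched sensitive port(s) %s" % sorted(ports & SENSITIVE_PORTS))
    if len(days) >= 2:
        reasons.append("seen on %d distinct days" % len(days))
    if len(ports) >= 3:
        reasons.append("probed %d distinct ports" % len(ports))
    return len(reasons), reasons


def triage(events):
    """Map each source address to its (tier, reasons)."""
    return {src: tier_for(recs) for src, recs in group_by_source(events).items()}


def needs_human_attention(events, threshold=3):
    """Sources whose tier reached the threshold at which a person, not a
    script, should look at the audit trail before anyone is accused."""
    return sorted(src for src, (tier, _) in triage(events).items() if tier >= threshold)


if __name__ == "__main__":
    for src, (tier, reasons) in sorted(triage(SAMPLE_EVENTS).items()):
        print("%-14s tier %d (%s): %s" % (src, tier, TIER_NAMES[tier], "; ".join(reasons) or "-"))
    print("needs a human:", needs_human_attention(SAMPLE_EVENTS))
```

Running the script on the constructed log leaves both the one-pass scan and the mistyped-IP SSH burst at tier 1 ("log"), while only the source that returns to sensitive ports across three days and also sweeps other ports reaches tier 3 and is handed to a person. The factors are deliberately independent of each other, so that no single noisy event type can drive escalation on its own.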