Penetration Testing mailing list archives
Re: Moving from Defense to Offense (or vice versa) to secure your network
From: Byron Sonne <blsonne () rogers com>
Date: Sun, 27 Nov 2005 11:14:51 -0500
I was having an interesting discussion with a coworker the other day about the differences between pen-testing (offense) and network security work (defense) which we do in our day jobs. <snip> I would be interested to hear some cases you have run into out there.
I started in the defensive camp and moved to the offensive camp. Was just plain easier and more interesting.
The situation, I think, is highlighted quite nicely by the hobby of lock picking. As a kid I held people that could pick locks in almost the same regard as magicians, 'cos I couldn't do it and therefore couldn't get my mind around the whole deal. Flash forward a couple decades later and I finally buy myself a set of lock picks, and subsequently find out that it's the easiest thing in the world. Scary thing was, almost everyone I passed the kit to turned out to be better than me. Flat out, you're not going to get every lock. But you will get most.
If a man can make it, a man can break it. A good admin has to defend against every single attack successfully. An attacker only needs to get that one way in that one time. The pay off and risk compared to effort and exposure always favours the attacker. So, why not operate in the attacker mode too? Instead of investing in the greatest locks for your building according to industry heads and 'independent' magazines, go around and try to pick your own locks instead and *know* the actual state of your defenses.
The metaphor falls down completely in other regards, but what can you do. In reality, the proper mix is going to be both defensive and offensive.