Re: Moving from Defense to Offense (or vice versa) to secure your network

[Frederic Charpentier <fcharpen () xmcopartners com>]

Hi Erin,
I always switch between these two points of view. My experience shows me 
that the best way to improve the defense is to try to think as real 
attacker and so block the attacks on the first line.

3 small examples :
- On a web site. Every attacker will try to request the uri /admin/. You 
could then put a passwd.bak file in this directory. But, in this file, 
instead of list a user/pwd, you put a message like "We log everything 
and call the law enforcement for each tries".

- Modify your banners with crafted system/release. On a postfix, you can 
define the banner with "OS/390 SMTP GW".

- For dynamic scripts (or on your reverse-proxy), if the system gets a 
input with a 'quote' (like "script.jsp?param=anything'anything"), the 
server could return a message telling that "sql injection is forbidden 
and all attempts are logged and traced" or banish the ip address for 
20sec every 2 attempts.

These examples could seem "kiddies things", but if a real hacker tries 
to penetrate your systems, he could be really disappointed by these 
tricks and pass his way on another website.

Another difference between the "offense" and the "defense" methods is 
that the 'offense' method is cheaper than the "defense thinking". No 
need to buy expensive editor products (which are often bullshits for 
people who think that their security level depends on how many firewalls 
they have).

Of course, the "defense think" is important (crypto, user's rights, 
firewall), but a bit of "offense think" is not expensive and improves 
the overall security level.

Fred.

Erin Carroll wrote:
> All,
>
> I was having an interesting discussion with a coworker the other day about
> the differences between pen-testing (offense) and network security work
> (defense) which we do in our day jobs. The majority of my security
> background has been from a penetration standpoint so the way I view network
> security defense setups and priorities tends to be of the "how would I break
> this and get in" viewpoint rather than the "how do I secure this and ensure
> reliable reporting/monitoring" view that my coworker is more centered on.
> The differences in the priorities and methods we would choose to secure our
> network for defense was much different than I anticipated.
>
> So I was hoping some list members would share some similar experiences with
> us. How many of you have switched between offense/defense and what were some
> of the stumbling blocks or key differences you found in how you approached
> your goals? Is it worth it to cross-train in some manner? How have you sold
> someone on the advantages of penetration-testing your network to quantify
> and test the effectiveness of your existing defenses?
>
> I would be interested to hear some cases you have run into out there.
>
> --
> Erin Carroll
> "Do Not Taunt Happy-Fun Ball" 

--
Frederic Charpentier - Xmco Partners
Security Consulting / Pentest
web  : http://www.xmcopartners.com/tests-intrusion.html


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------