focus-ids: IDS mailing list archives

Re: IDS testing methodologies
From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Fri, 02 Jan 2004 14:11:55 -0800


Alvin Oga writes:

> in my book ... ( small world ) .. an IDS is not very useful, because, the
> cracker is already in your network ... game over ...

I couldn't agree less.

If the history of information security has taught us anything, it is that
any system can be compromised, and that any code---OS, application, script,
or whathaveyou---will eventually be found to contain exploitable bugs.

What does this tell us?  It tells us that relying entirely on prevention
is not a long-term survivable strategy.  Any sane information security
policy must (with the exception of a few goofy border cases) rely on:

        -Prevention (keeping the bad guys out)
        -Auditing (situational awareness)
        -Containment (controlling the failure mode and limiting exposure)
        -Remediation (damage control after the fact)

To rely on anything else is to rely on voodoo and wishful thinking.

I won't bore the list with a more long-winded discussion of this point,
but it strikes me that working as a wee sysadminling back in the days
where your MTA -was- sendmail(8) and your DNS -was- bind was probably
very good at teaching some of us the importance of not relying entirely
on prevention as a security strategy.  It's now, what, fifteen years
after the Morris worm?

Whenever I hear a security professional talk about a compromise being `game
over', I wonder what they -do-.



- -spb
