RE: Scanners and unpublished vulnerabilities - Full Disclosure

From: Ballowe, Charles (CBallowe@usg.com)
Date: 05/31/02


From: "Ballowe, Charles" <CBallowe@usg.com>
To: 'Jon Bull' <jon.bull@knowledgelinks.com>, pen-test@securityfocus.com
Date: Thu, 30 May 2002 19:27:30 -0500

An IDS is only really effective when you know the potential risk
of a successful attack. Once something is triggering an IDS, it's
already hitting my systems. If I haven't been alerted to the nature
of that particular risk, my IDS can't be properly set up to respond,
and depending on the nature of the attack, it may be too late anyway.

If my IDS gives me an alert indicating an attempt to exploit a certain
vulnerability and searches for more information on that vulnerability
yield nothing, I'm going to start to wonder. If my IDS is coupled with
a packet capture mechanism, I'll still have the raw data that
triggered the alert. The only difference is whether I had the data
before it was in the wild or not.

Then there's the fact that IDS is a reactive technology and a scanner
is proactive. Many companies treat security breaches in a reactive manner.
This isn't the best approach and some are finally learning the lesson.
Both are needed, but it's better to know before rather than after.

Something else to keep in mind -- a security scanner need not actively
exploit a vulnerability to identify its presence. Host-based scanners
can simply check software versions/patch applications and compare to
known vulnerabilities/fixes in order to trip an alert. Network-based
scanners can use network version banners to do the same thing.

-Charles Ballowe


> -----Original Message-----
> From: Jon Bull [mailto:jon.bull@knowledgelinks.com]
> Sent: Wednesday, May 29, 2002 9:07 PM
> To: David Litchfield; Alfred Huger; pen-test@securityfocus.com
> Subject: Re: Scanners and unpublished vulnerabilities - Full
> Disclosure
>
>
> Suggestion - Instead of making a scanner to test for a
> vulnerability that a
> Typhoon user may not be able to prevent, why not create IDS
> software to
> detect the exploit? To me this seems a more defensive,
> responsible, and
> effective role.
>
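
Checking an advertised version against a table of known fixes, as Charles describes for host-based and network-based scanners, comes down to parsing the banner and comparing versions numerically rather than as strings. The following is an added example, not code from the original thread; the product names, banners and advisory ids are constructed placeholders.

```python
import re

# Constructed advisory table for hypothetical products (placeholder ids, not real advisories):
# product -> [(version the fix shipped in, advisory id)]
KNOWN_FIXES = {
    "examplesshd": [((2, 4, 1), "EXAMPLE-ADV-1"), ((2, 9, 0), "EXAMPLE-ADV-2")],
    "examplehttpd": [((1, 3, 27), "EXAMPLE-ADV-3")],
}

# Matches an SSH banner ("SSH-2.0-product_1.2.3") or an HTTP Server header
# ("Server: product/1.2.3"); group 1 is the product, group 2 the dotted version.
BANNER_RE = re.compile(
    r"(?i)^(?:Server:\s*)?(?:SSH-\d+\.\d+-)?([A-Za-z]+)[/_-]?(\d+(?:\.\d+)*)"
)

def parse_version(text):
    """'1.3.27' -> (1, 3, 27): numeric tuples compare correctly, where
    plain string comparison would rank '1.3.9' above '1.3.27'."""
    return tuple(int(part) for part in text.split("."))

def parse_banner(banner):
    """Return (product, version tuple), or None when the banner is not recognised."""
    match = BANNER_RE.match(banner.strip())
    if not match:
        return None
    return match.group(1).lower(), parse_version(match.group(2))

def check_banner(banner):
    """Advisory ids whose fix shipped in a version newer than the one advertised.
    Unknown products and unparseable banners yield no findings rather than an error."""
    parsed = parse_banner(banner)
    if parsed is None:
        return []
    product, version = parsed
    return [adv for fixed_in, adv in KNOWN_FIXES.get(product, []) if version < fixed_in]

def scan(banners):
    """Map each banner to its findings, keeping only banners that have at least one."""
    results = {}
    for banner in banners:
        findings = check_banner(banner)
        if findings:
            results[banner] = findings
    return results

if __name__ == "__main__":
    # Constructed sample banners, as a network scanner might collect them.
    sample = ["SSH-2.0-examplesshd_2.4.10", "SSH-2.0-examplesshd_2.4.0",
              "Server: examplehttpd/1.3.9", "Server: examplehttpd/1.3.27",
              "220 unrelated banner"]
    for banner, findings in scan(sample).items():
        print(banner, "->", ", ".join(findings))
```

A banner check is only as trustworthy as the banner: an administrator can suppress or edit it, and vendors sometimes backport a fix without changing the advertised version, so findings from this kind of check need confirmation against the actual patch state.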
