Re: Moving from Defense to Offense (or vice versa) to secure your network

From: Frederic Charpentier (fcharpen_at_xmcopartners.com)
Date: 11/27/05

    Date: Sun, 27 Nov 2005 17:59:05 +0100
    To: pen-test@securityfocus.com


    Hi Erin,
    I always switch between these two points of view. My experience shows me
    that the best way to improve the defense is to try to think as a real
    attacker and so block the attacks on the first line.

    3 small examples:
    - On a web site. Every attacker will try to request the URI /admin/. You
    could then put a passwd.bak file in this directory. But, in this file,
    instead of listing a user/pwd, you put a message like "We log everything
    and call the law enforcement for each try".

    - Modify your banners with a crafted system/release. On a Postfix, you can
    define the banner with "OS/390 SMTP GW".

    - For dynamic scripts (or on your reverse-proxy), if the system gets an
    input with a 'quote' (like "script.jsp?param=anything'anything"), the
    server could return a message telling that "sql injection is forbidden
    and all attempts are logged and traced" or ban the IP address for
    20 sec every 2 attempts.

    These examples could seem "kiddie things", but if a real hacker tries
    to penetrate your systems, he could be really disappointed by these
    tricks and move on to another website.

    Another difference between the "offense" and the "defense" methods is
    that the 'offense' method is cheaper than the "defense thinking". No
    need to buy expensive editor products (which are often bullshit for
    people who think that their security level depends on how many firewalls
    they have).

    Of course, the "defense think" is important (crypto, user's rights,
    firewall), but a bit of "offense think" is not expensive and improves
    the overall security level.

    Fred.

    Erin Carroll wrote:
    > All,
    >
    > I was having an interesting discussion with a coworker the other day about
    > the differences between pen-testing (offense) and network security work
    > (defense) which we do in our day jobs. The majority of my security
    > background has been from a penetration standpoint so the way I view network
    > security defense setups and priorities tends to be of the "how would I break
    > this and get in" viewpoint rather than the "how do I secure this and ensure
    > reliable reporting/monitoring" view that my coworker is more centered on.
    > The differences in the priorities and methods we would choose to secure our
    > network for defense were much different than I anticipated.
    >
    > So I was hoping some list members would share some similar experiences with
    > us. How many of you have switched between offense/defense and what were some
    > of the stumbling blocks or key differences you found in how you approached
    > your goals? Is it worth it to cross-train in some manner? How have you sold
    > someone on the advantages of penetration-testing your network to quantify
    > and test the effectiveness of your existing defenses?
    >
    > I would be interested to hear some cases you have run into out there.
    >
    > --
    > Erin Carroll
    > "Do Not Taunt Happy-Fun Ball"
    >

    -- 
    Frederic Charpentier - Xmco Partners
    Security Consulting / Pentest
    web  : http://www.xmcopartners.com/tests-intrusion.html
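Fred's third trick (answer quote-carrying parameters with a warning, and ban the client IP for 20 seconds every 2 attempts) written out as the decision logic a request filter or reverse proxy could apply. This is an added example, not code from the mail; the client IPs, the `QuoteTarpit` class and the sample traffic are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

BAN_SECONDS = 20       # ban length from the mail
ATTEMPTS_PER_BAN = 2   # "every 2 attempts"
WARNING = "sql injection is forbidden and all attempts are logged and traced"


def has_quote(uri: str) -> bool:
    """True if any (percent-decoded) query parameter value contains a quote."""
    return any("'" in v for _, v in
               parse_qsl(urlsplit(uri).query, keep_blank_values=True))


class QuoteTarpit:
    """Counts quote attempts per client IP and hands out 20-second bans."""

    def __init__(self):
        self.attempts = defaultdict(int)  # ip -> quote attempts so far
        self.banned_until = {}            # ip -> time the current ban expires

    def decide(self, now: float, ip: str, uri: str) -> str:
        """Return 'allow', 'warn' (serve WARNING) or 'ban' (drop) for a request."""
        if self.banned_until.get(ip, 0) > now:
            return "ban"                  # still inside a ban window
        if not has_quote(uri):
            return "allow"
        self.attempts[ip] += 1
        if self.attempts[ip] % ATTEMPTS_PER_BAN == 0:
            self.banned_until[ip] = now + BAN_SECONDS
            return "ban"
        return "warn"


# Constructed sample traffic: (seconds, client ip, request uri); not real logs.
SAMPLE = [
    (0.0, "198.51.100.7", "/script.jsp?param=anything"),
    (1.0, "198.51.100.7", "/script.jsp?param=anything'anything"),
    (2.0, "198.51.100.7", "/script.jsp?param=x%27y"),   # %27 is a quote
    (3.0, "198.51.100.7", "/script.jsp?param=plain"),    # inside the ban
    (25.0, "198.51.100.7", "/script.jsp?param=plain"),   # ban has expired
    (26.0, "203.0.113.9", "/name.jsp?q=O'Brien"),        # legitimate apostrophe
]


def run(sample=SAMPLE) -> list:
    """Apply the tarpit to the sample in order and return one decision each."""
    tarpit = QuoteTarpit()
    return [tarpit.decide(t, ip, uri) for t, ip, uri in sample]
```

The last request shows the cost of such a rule: a legitimate apostrophe is treated exactly like a probe, so the warning page must be harmless to real users and the ban counter short-lived.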
