Friday, February 01, 2008

Mumbling about Scope Detection Process

Put aside Firewall, IPS and host/network IDS technology, or better yet forget about it entirely? One question still remains: what is your answer to the detection process?

Mr. Hacko: No, I don't need all those crappy technologies. What I need is my 1337 skill to hunt for the bugs and fix "all of them" if they introduce serious security flaws. With that I don't need detection anymore.

As we are living in a world of dynamic dimensions, security is not something as simple as 1+1. There are many things we need to take into account aside from identifying vulnerabilities in software; even a single misconfigured router or any other application can open a hole in the network. On the other hand, people who work in large-scale environments know that deploying anything in a critical network requires a set of procedures and effort. We also all know there are certain issues that cannot be solved by technical means.

For my part, I advocate Network Security Monitoring (NSM), since it appreciates the value of data in the detection process, and I believe in perimeter security. Forget about how effective your Firewall, IPS or IDS is at detecting and blocking malicious traffic; think instead about what they can do to assist you in the detection process. The answer is pretty simple: scoping. Scoping reduces the network traffic you need to examine, and it may also give you a lead on what you need to look at. That is better than searching for a needle in a haystack without a clue. Vulnerability assessment and code auditing are important too, because they eliminate security holes in the application layer, but not all of them.
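To make the scoping idea concrete, here is an added example (not code from the original post): IDS alerts are used to narrow a set of flow records down to the hosts and time window that matter, and the scoped flows are then checked for a lead worth examining first. All alerts, flow records, addresses and the 30-minute window are constructed assumptions.

```python
"""Scoping: use IDS alerts to narrow which flow records an analyst must review."""
from datetime import datetime, timedelta

# Constructed sample data (assumptions, not taken from any real sensor).
IDS_ALERTS = [
    {"ts": "2008-02-01 10:15:00", "src": "203.0.113.7", "dst": "192.0.2.10",
     "sig": "WEB-MISC /etc/passwd access"},
]

FLOWS = [
    {"ts": "2008-02-01 10:14:30", "src": "203.0.113.7", "dst": "192.0.2.10", "dport": 80, "bytes": 1200},
    {"ts": "2008-02-01 10:16:10", "src": "192.0.2.10", "dst": "203.0.113.7", "dport": 4444, "bytes": 51000},
    {"ts": "2008-02-01 10:40:00", "src": "203.0.113.7", "dst": "192.0.2.11", "dport": 22, "bytes": 800},
    {"ts": "2008-02-01 10:15:20", "src": "198.51.100.3", "dst": "192.0.2.20", "dport": 443, "bytes": 3000},
    {"ts": "2008-02-01 12:00:00", "src": "192.0.2.10", "dst": "203.0.113.7", "dport": 443, "bytes": 200},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def scope_flows(alerts, flows, window_minutes=30):
    """Keep only flows that touch a host named in an alert, within +/- window of that alert.

    This is the scoping step: the alert does not have to be perfect, it only has to
    shrink the pile of traffic the analyst must look at.
    """
    window = timedelta(minutes=window_minutes)
    hosts = {a["src"] for a in alerts} | {a["dst"] for a in alerts}
    scoped = []
    for f in flows:
        if f["src"] not in hosts and f["dst"] not in hosts:
            continue
        t = parse_ts(f["ts"])
        if any(abs(t - parse_ts(a["ts"])) <= window for a in alerts):
            scoped.append(f)
    return scoped


def find_leads(alerts, scoped):
    """Flag scoped flows where the alerted-on victim connects back to the attacker after the alert.

    Such a reversed direction is the kind of lead scoping is meant to surface.
    """
    leads = []
    for a in alerts:
        for f in scoped:
            if f["src"] == a["dst"] and f["dst"] == a["src"] and parse_ts(f["ts"]) > parse_ts(a["ts"]):
                leads.append(f)
    return leads


if __name__ == "__main__":
    scoped = scope_flows(IDS_ALERTS, FLOWS)
    print(f"{len(scoped)} of {len(FLOWS)} flows in scope; leads: {find_leads(IDS_ALERTS, scoped)}")
```

Running it reduces five flows to three in scope and singles out the victim's outbound connection to the alerting source as the first thing to examine.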

If you follow the security scene, you may realise that most successful intrusions/extrusions use known attack techniques and are usually driven by script kiddies. A targeted attack is a totally different case: it mostly happens with the co-operation of insiders and careful planning, and the malicious party will choose not to leave footprints (you can't do this without an insider). They can use 0-days, known vulnerabilities or even a valid account in your network to hit you; since they have a full understanding of how things work in your network (remember the role of the insider), it doesn't matter which.

Attack techniques are getting complex and dynamic today and they evolve over time, so we can't rely on a single defensive technology to cover our ass anymore. Therefore, if you think you don't need a Firewall, IPS or IDS in place, you might as well throw away vulnerability assessment and code auditing too, because no matter what you have done, you will still be compromised. For better security, I still believe it takes a combination of different components to make it harder for the threats while easing our detection process.

I know there are people who think Firewall, IPS or IDS are useless because they can be bypassed, but have you asked how many companies have gone through vulnerability assessment and security code audit processes and are still being compromised? I'm really curious about this.

Play your own role!

Peace ;]
