Re: Moving from Defense to Offense (or vice versa) to secure your network

From: Byron Sonne (blsonne@rogers.com)
Date: Sun Nov 27 2005 - 11:14:51 EST


> I was having an interesting discussion with a coworker the other day about
> the differences between pen-testing (offense) and network security work
> (defense) which we do in our day jobs. <snip>
> I would be interested to hear some cases you have run into out there.

I started in the defensive camp and moved to the offensive camp. Was
just plain easier and more interesting.

The situation, I think, is highlighted quite nicely by the hobby of lock
picking. As a kid I held people that could pick locks in almost the same
regard as magicians, 'cos I couldn't do it and therefore couldn't get my
mind around the whole deal. Flash forward a couple decades later and I
finally buy myself a set of lock picks, and subsequently find out that
it's the easiest thing in the world. Scary thing was, almost everyone I
passed the kit to turned out to be better than me. Flat out, you're not
going to get every lock. But you will get most.

If a man can make it, a man can break it. A good admin has to defend
against every single attack successfully. An attacker only needs to get
that one way in that one time. The pay off and risk compared to effort
and exposure always favours the attacker. So, why not operate in the
attacker mode too? Instead of investing in the greatest locks for your
building according to industry heads and 'independent' magazines, go
around and try to pick your own locks instead and *know* the actual
state of your defenses.

The metaphor falls down completely in other regards, but what can you do.
In reality, the proper mix is going to be both defensive and offensive.




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:12 EDT