<br><br><div><span class="gmail_quote">On 11/13/06, <b class="gmail_sendername">Paul Melson</b> <<a href="mailto:pmelson@gmail.com">pmelson@gmail.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
-----Original Message-----<br>Subject: Re: [Dailydave] "The organization I belong to doesn't have<br>initals"(that evil dude in Heroes)<br><br>That's a misleading way to frame the conversation, don't you think? A
<br>pen-test isn't supposed to answer the yes/no question, "Can you be hacked?"<br>It's supposed to ask the open-ended questions, "How can you be hacked?" and<br>"How can you fix it?"</blockquote>
<div><br>The answer to "How can you fix it?" relies partially on what Dave is saying. You basically need a two-tiered game plan. One: have a separate network for Internet, email, browsing and similar junk (segmentation). Two: build and manage a skilled in-house penetration/research team, or have a permanent consultancy gig with a company like Immunity (continuous assessment). All the other options are futile and a total waste of money. Other options, you ask? First there was the IDS, which nobody serious enough offers as a security solution anymore, wisely enough. Then there was the HIPS: eEye, Determina, Entercept etc., which was also proven to be just another security hoax in every sense. And finally something more meaningful arose from the industry: virtualization. VMs per node (internet, corporate etc.), yet another segmentation idea which, in my personal belief, will eventually be broken as well in the next 2 to 3 years' time frame, and would be the next most joyful hacking/REing gig for any serious researcher. So back to the real hardware segmentation business, alongside a dedicated team of researchers auditing everything on the public segment, is the only viable and real solution.
<br><br>A lot of you might feel like I piss in your cup of tea or something. Please leave the corporate puppeteering behind and think twice. If you are in the IDS business, you expired well over 10 years ago by now; if you are in the IPS business, well, let's say you made sense in the early 2000s but not anymore. Virtualization, yeah, quite a fresh start, but I wonder how long it will survive until the first batch of attacks reveal themselves (not necessarily publicly though) ...
<br><br>If you did not like what I just said and work for or own a security company making one of the mentioned types of product, I urge you to put your product to the test! Any decent prize money would do, but remember that real 0day that a hacker would be OK to reveal, given the right terms, does not go with the ZDI/iDefense standards; they are much more precious than that and require a much bigger pay. My prediction is any NIDS can be broken for prize money of $30K (if ASIC/FPGA based solution, multiply by 2), any HIPS $200K - $250K, virtualization $300K - $350K should do. I am looking forward to hearing some hard cash challenges rather than the usual rants from corporate emails ...
<br><br>cheers,<br>olef<br><br></div></div>