Maximum bang for minimum buck folks. If he had the money for paying high
priced 'professionals' I am sure he would. On a low budget you end up using
ducktape more often then not. Might not be pretty, might not be
'professional'...
But what is a high priced 'professional'? If I happen to have ISS in my
possession, now I can charge around $10k-$20k for an external scan whereas
all I do is input ye olde IP address into the scanner and email the report
to the customer. If I am real nice I may print it out, stick it into a
binder with my fancy Corporate Logo, burn a CD with all of the results, and
mail it to the customer.
Many of these 'professional' companies that use people who know enough to
actually penetrate systems are employing 'hackers'. It has been proven over
and over again. InfoSec is such a high comodity right now that companies
are hireing almost anyone to fill team positions. They in turn don't pay
the employees a reasonable amount of money yet charge a huge price for the
'professional' evaluation. So now your paying a high price to a company who
is going to take unhappy lowlevel employees and have them run automated
scans against your system.
ScriptKiddies. Blahhhh. There are many immature people out there that will
snag the latest mscan or phf scanner and use that to crack a system. But
there are also interested security people that will acquire a set of tools
(I liked the correlation to a carpenter, kudos to Rich) and run those tools
against a designated target. Sometimes they might not know enough to make
their own tools, but why? They understand the basics of the tools and how
to use them. And after awhile they will become unhappy with the tools and
perhaps design their own. But that is farther down the evolution chain, and
with the amount of new tools being released for free it is a lot easier to
increase the size of your tool belt and learn how to use those tools then it
is to go create your own. This is like saying your not a programmer unless
you write your own language and libraries to program in. True the end goal
is making a better tool, but just because you don't doesn't mean your not
capable of doing the job. The world has changed, 10 years ago you would
have had to create the tool to do the job, now the tool probably already
exists and is freely available.
First and foremost. Make a complete backup of the system prior to release
of the IP. Store this offsite. After letting the week or two go by take
all input provided (if any) by the attackers and all logs you have (because
you will be logging to the fullest, right?) and compile a report. Then take
the system off line and completely restore from that backup. While keeping
it offline start to implement the fixes/patches/upgrades that you now KNOW
need to be added. True you may not get everything, but all
trojans/backdoors that may have been introduced will now be gone and
hopefully many of the potential vulnerabilities will be closed down.
----- Original Message -----
From: rich <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 31, 1999 10:36 PM
Subject: Re: Hacking Contest ?
> Ok, I have to get in on this one --- as my curiosity is peaked...
>
> As many of you brought up -- how, other than the obvious
> contest, or similar, do you weed out the kiddies from the
> hackers?
>
> The reason I would ask this is simple -- Is someone who uses
> a hammer to pound a nail into a board a "kiddie" or a carpenter?
> Would you expect the carpenter to know which "tools" work for which
> task? I would.
>
> Now, just because someone uses "tools" does not make them a
> "kiddie" (or does it, that is what I am asking). The real test, IMHO,
> is what you are able to do with the results of these tools.
>
> This is also where you benifit. If I want to hire someone and they
> can prove to me they know what the results from nmap, nessus, ogre,
> etc, really means and can do something with it to shore up my server,
> then, call them a script kiddie if you wish, but to me they have simply
> shown that they know how to use tools.
>
> I would not expect a carpenter to "assemble the hammer" first, before
> putting a nail in a board...
>
> But, this is a question, and issue I would like to open up to discussion,
as
> I believe it directly relates to the problem of the hacking contest..
>
> ( But then I could be wrong... I have been before.. *smile* )
>
> regards,
> r
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
