>
> Joshua Chamas wrote:
>
> > I am new to sysadmin & security, and with a www site soon to
> > launch, I have found the mild scans that hit my subnet don't
> > really have much meat to them. What I'm looking for in
> > creating a contest to hack the site is in part a crash course
> > in dealing with hackers trying to break into my system, so that
> > when the real site is live I will be more seasoned. I would rather
> > not have my first experience in a successful intrusion when
> > things matter.
>
First off, how much are you looking to spend? Do you want to offer a few
hundred as a prize? A couple of $k? Maybe some hardware?
If you can afford to have a professional penetration/assessment team scan
your system, go for it. But unless you have some serious money available, the
best you're going to get is some people 'claiming' to be security experts
running scanning software and dumping the report on you.
I would suggest scanning some of the mailing lists and making a specific
request for someone to attempt to penetrate. Since you don't claim to have
everything locked up tightly, I wouldn't publicly broadcast a message;
otherwise you will probably be nailed with Denial of Service just from the
number of script kiddies running their scanners against your site.
If you were REALLY confident you had locked down your site and you knew it
could handle quite a bit of traffic nailing it, then you could always offer it to
the public. I would rather post a couple of messages requesting people to
respond to a potential website security assessment and then pick and choose
from them.
> Even better reason *NOT* to have a contest. You can have some penetration
> testing done by a security professional in a *controlled* manner. That way
> you can simulate an attack on your site. And not only portscanning and
> script kiddies' attacks, but also the more sophisticated attacks. It is the
> latter you probably won't see in a contest and you will not know how to
> recognize one when the contest is done. So: get in a professional security
> penetration service (or whatever...)!
>
> (hmm.... I have to admit that nowadays a lot of such services are being
> offered by "professionals" while in reality they are not much more than
> script kiddies themselves....But that's the universal problem of "separating
> the wheat from the chaff" and is another discussion....)
I agree. A CISSP doesn't prove that the person is capable of cracking a
system any more than an MCSE proves the person is capable of administering a
large NT network. Get quotes from various teams and request to see what
their plan of attack is and compare it to the others.
>
> > I am not looking to "prove" the security of the site to myself
> > or others. I understand that if someone were good enough
> > and spent enough time, he or she _would_ break in. I don't
> > think that ours is a site that will ever be interesting enough
> > to warrant that kind of attention, so it will not matter
> > that we don't get the best of the best trying to break in, from
> > a little contest with a pittance for a reward.
>
Security through obscurity is no longer a viable option. With scanning
tools that cover such wide ranges as what is available today, there is no
hiding. Many sites are not hacked because they are important. They are
hacked because someone with a nifty vulnerability scanner happened to scan
the network range their website is located on.
> Maybe not, but don't underestimate it.... Many times it's not a matter of a
> site being interesting enough, but a site just being there....
>
> > There is also the argument that a contest will never be as
> > thorough as a good audit. While I agree, we don't really
> > have the budget to get any more auditing than what I can
> > do personally. This self-provable security is inherently
> > flawed... it's like playing chess against yourself, never being
> > more than one move ahead in the game, and ending in a draw.
>
> Yep..... I must admit, audits can be expensive.... But there's a lot you can
> do yourself: follow the (nt)bugtraq, get the tools, get the FAQs, etc.....
> There's nothing mystical about security... It's common sense and knowing where
> to get the right information....oh... and maybe more important: get to know
> your systems! Do not just use default system parameter settings, do not
> copy the manual's example settings, don't be afraid to get your hands dirty....
> you can push the limits while playing chess against yourself ....
>
> > If I can get just a couple ok hackers as the result of
> > running a contest, even "script kids" if they have enough scripts,
> > I might close a couple holes and have that much better
> > security as a result. These are holes that I myself
> > wouldn't find, since if I knew about them they wouldn't exist.
>
> Maybe so..... but you said in your initial posting that you spend a lot of
> time on system security, so if you spend your time well, I assume you have
> closed the script-kiddie-vulnerabilities by now... Really, I don't think
> such a contest has much added value...
>
> Gr. Arjan
>
>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]