The article isn't without its merit for interesting and creative ideas, but in 
larger environments where SOX, defined outage windows, and change control are 
king, this would never fly.  And agreed, this would be neat if you had a 
security team with time to do these kinds of things, but there's no way you 
could squeeze in comprehensive analysis of your "fake" targets in a normal day.

Let's give him credit, it's food for thought though :)

From: [email protected] 
[mailto:[email protected]] On Behalf Of Michael Lubinski
Sent: Tuesday, July 05, 2011 10:53 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] What say you!?

The response predicted was the response received, I now know I'm not off my 
rocker at least.
On Tue, Jul 5, 2011 at 10:05 AM, John Strand 
<[email protected]> wrote:
lol

On Tue, Jul 5, 2011 at 8:58 AM, Mike Patterson 
<[email protected]> wrote:
HOW IS SEKURE NETWORK FORMD

>:\

On 2011/07/05 10:31 AM, John Strand wrote:
> Mike,
>
> Are you new here?
>
> I kid, I kid.
>
> John
>
> On Tue, Jul 5, 2011 at 8:20 AM, Mike Patterson 
> <[email protected]> wrote:
>
>> On 2011/07/05 9:08 AM, Ron Gula wrote:
>>> On 7/2/2011 11:41 AM, Michael Lubinski wrote:
>>>> Read:
>>>>
>> http://blog.zeltser.com/post/6479619232/protean-information-security-architecture
>>>>
>>>> Knowing this list has a significant amount of pen testers and such, what
>>>> say you?
>>>>
>>>>
>>>
>>> I really like the emotion behind this concept, but don't like this for
>>> practical reasons.
>> [..]
>>> I don't mind at all having fake targets on the inside of your network,
>>> but the idea of constantly reconfiguring the data structures and servers
>>> as a method to thwart pen testers is no substitute for patching, tight
>>> inbound/outbound ACLs, network monitoring and log analysis.
>>
>> My first thought was "it must be nice to have the kind of free time
>> after doing. . ." everything you say, and more, including convincing
>> sysadmins that yes, the firewall really is there to help you and yes,
>> you really do need to figure out precisely how that workstation got
>> popped and writing documentation and helping others to do the same and
>> responding (or actively ignoring) RIAA/MPAA complaints and figuring out
>> if the lack of IDS logs is because of a NIC failure, driver bug, OS bug,
>> disk failure, something else, going to meetings with your co-workers or
>> management... all the other stuff blue-team IT types do on a daily
>> basis. Or would, if they had 48 hour days.
>>
>> And THEN, when you DO have that kind of time, you get to spend MORE time
>> ensuring that your new honeypots don't actually become a vulnerability
>> themselves. While you convince management that they're necessary, and
>> try to assuage the fears of NOC monkeys, and...
>>
>> OK, yeah, confusing the attacker's well and good, but unless you've got
>> all the other ducks in a row, you might be finding the root of all evil
>> - premature optimisation. Lenny's idea is nice in theory, but in
>> practise, I think it belongs near the bottom of the priority list.
>>
>> Mike
>> _______________________________________________
>> Pauldotcom mailing list
>> [email protected]
>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> Main Web Site: http://pauldotcom.com
>>



--
John Strand
Office: (605) 550-0742
Cell: (303) 710-1171

