Pen testing and incidents

I was reading the latest information security mag and came across the face off column that Marcus Ranum and Bruce Schneier have. For those that haven't read this column before, the name of it "face off" tells you what it's all about.

It wasn't so much what they were debating that got me thinking, but rather it caused me to reflect back on a comment I once heard. I was sitting in a Hacking By Numbers session put on by SensePost. If you haven't had the opportunity to check them out, it's definitely worth it and the tools are great too. Anyways, it was during this session that we got in to a discussion about speed vs stealth of attacks on networks and systems. The old school of thought was that it was best to be stealthy while attacking networks. Making heavy use of IDS evasion techniques, clearing logs etc was the order of the day. After talking to these guys a little, then comparing what was said to the attacks I've seen and dealt with, the exact opposite is true. Speed seems to be the best option for many attackers, who cares if you splatter logs, the chances of being prosecuted for infiltrating a network is slim at best. If there was one thing worth remembering from the HBN session, it was something the instructor said...

"Stealth doesn't matter that much, I can set off your alarms 100 times or more as long as I accomplish my objective. I can screw up as many times as it takes to achieve my goal. You guys or your system administrators can only mess up once."

When I talk to sysadmins about incident preparation and detection I usually bring this up because the point is, we are up against a determined enemy and when it comes to protecting our networks and systems we need to be just as vigilant about protection as they are about accomplishing their objective.