[Discuss] DNS question about DNSENUM.PL
Rich Pieri
richard.pieri at gmail.com
Thu Mar 28 10:49:57 EDT 2013
--On Thursday, March 28, 2013 5:17 AM -0400 John Abreau <abreauj at gmail.com>
wrote:
> Most 14-year-old first-time burglars are not professional locksmiths.

Perhaps not, but the tools available to a 14-year-old first-time burglar
today are much more sophisticated than they were when I was 14. The
first-timer today may not need to be able to identify a lock manufacturer
by sight. Similarly, a script kiddie today doesn't need to be able to
identify a target OS. The tools he uses do that for him.

Or, you know, he just breaks in through a window.

That's what I find so amusing about security discussions like this. So many
get caught up with the idea of keeping attackers out or slowing them down
without really thinking about how to protect what's actually of value.

The right way to secure a public-facing server is to start by assuming that
it will be compromised. An attacker -- be he a script kiddie or a pro
turned black hat -- will find a way in regardless of what you do.

Obfuscation is therefore pointless. I've already made the assumption that
an attacker will cut through the fog. All obfuscation does is inconvenience
my users and make my job that much harder.

Once you've made this assumption you can focus on detection and
containment. Detection so that you are notified quickly when the server has
been compromised. Containment to limit what the attacker can do once he has
compromised the server.

That's not to say that security on the server should be ignored. That's
silly. I don't want to make it easy for attackers to get in. Rather, it's
that the server is treated as part of the whole security system rather than
the thing being protected. Anything worth protecting shouldn't be on a
public-facing server in the first place.

--
Rich P.