There's a hole in your network and you're not the first to know...

In the words of the great poet, David Brent (from The Office), “If you can keep your head when all around you have lost theirs, then you probably haven’t understood the seriousness of the situation.”

Years ago, whilst participating in a military exercise I got caught putting the kettle on at the precise moment we were supposedly under attack from an imaginary enemy. Little wonder my military career never went anywhere. It was a great cup of tea though.

The lack of a visible enemy can often make it difficult to justify imposing controls. This is particularly true of network security. Just because nobody has noticed something bad happening doesn’t mean that it hasn’t. In a blog entitled Dumb Luck IS a Strategy! , Anton Chuvakin makes the excellent point that if you discover a hole on your network it’s highly likely that the same hole has already been found with a variety of probable unseen consequences such as a bot being deployed or a data breach.

This view is supported by work done by various Honeypot projects. For example, follow this link to read about how a vulnerable Win32 system has life expectancy not measured in months, but merely hours.

Of course, we first need to know for ourselves that there’s actually a hole in the network. Regular scanning is one approach, and I’m sure that Anton will agree that reviewing logs is another. Both require use of somebodys time and resource, and are exactly the types of task that quickly become useless unless the scan reports and logs are actually analysed by somebody who knows what to look for.

Once again, we see the problem is people, not technology.