Proactively Managing Security Risk
Naresh Verma, Yih Huang, and Arun Sood

The information technology revolution has changed the way business is transacted, governments operate, and national defense is conducted. Protection of these systems is essential, and continuous efforts to protect them have resulted in exponential growth in reported security incidents. There are threats from hackers, spies, corporate raiders, terrorists, professional criminals, and vandals -- all of whom have a vested interest and well-defined objectives for challenging the technology for financial and political gain, leading to damages to the enterprise infrastructure.

Proactively Managing Security Risk 2008-01-04
Anonymous Coward (1 replies)
Proactively Managing Security Risk 2008-01-07
AnyMouse
"Since exposure time reductions will reduce the time an intruder has to do damage, the intrusion tolerance approach is likely to provide additional advantage."

While I agree that some of this is a good idea, I would like a better explanation. Using the quote from the article, I wonder how effective this idea really is when a hack typically only takes a few seconds at most? True, transferring the data will be slowed down, but the current data theft strategy is assumed to be slow on purpose anyway to avoid detection. So what if the attacker can only transmit the contents of a hacked database for a shorter duration in a given timeframe? The damage is still done and odds are still no one knows the attacker's code is there.

Detection, in my real world, is still 98% more valuable than prevention. The base assumption is that a system is or will be hacked. No ifs, ands, or buts. A change in the current security framework/best practices will only cause a slight change in attacker strategy. As this change is documented, the attackers have something to attack. An example: Think back to when everyone began installing firewalls which by default (and still do) allow everything out and nothing in. This slowed things down for a very small period of time. Very quickly all of the attacks were modified to account for this and included a reverse tunnel of some nature for the attacker to control the hacked box.

Given this, why are we still trying to improve our completely flawed methods or frameworks? Defense in depth is great. How about a framework that instead assumes a compromise and controls the information through devaluing techniques and such?

Stop building castles! They have not worked for thousands of years nor will they ever work!

Just my 2 cents!...


Link to this comment: http://www.securityfocus.com/comments/infocus/1896/1043#1043







 

Copyright 2008, SecurityFocus