Issues
- Number of vulnerable systems increasing as discovery of new
holes continues and more systems are put on the Internet
- Speed of intrusion, and complexity of response, overwhelms
small incident response staff and system administrators
- Use of "Root Kits" exceeds skill level of average sysadmin, making
response slow, costly, or entirely ineffective in many cases
- Poor understanding of network monitoring tools/techniques
slows response
- Primary focus on restoration of service without data gathering
prevents tracking attackers or understanding the attack
- Use of UDP, ICMP, and IGMP packets hard to detect/block
- Networks still built using "Pick any two: Fast, Reliable, Secure"
- Short of firewalls or IDS at network borders, about the only useful
tactic is to monitor "net flows" to detect initial intrusion
signature or flooding agents (lack of tools/standards for doing this)
- Poor system/network forensic data gathering and analysis
means no idea who did what, when, where, how...
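The "net flows" tactic above, as an added example that is not part of the original slide: a minimal flow summary that flags sources whose traffic is high-volume and dominated by the stateless protocols (UDP, ICMP, IGMP) the slide calls hard to block. The flow records, field layout, and thresholds are constructed assumptions, not a real collector's format.

```python
from collections import defaultdict

# Constructed sample flow records: (src, dst, proto, packets).
# A real collector would also carry timestamps and byte counts.
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", "UDP", 40000),
    ("10.0.0.5", "192.0.2.11", "UDP", 38000),
    ("10.0.0.5", "192.0.2.12", "ICMP", 35000),
    ("10.0.0.7", "192.0.2.10", "TCP", 120),
    ("10.0.0.9", "192.0.2.20", "UDP", 300),
]

STATELESS = ("UDP", "ICMP", "IGMP")


def summarize(flows):
    """Per-source totals: packets, distinct destinations, stateless packets."""
    per_src = defaultdict(lambda: {"packets": 0, "dsts": set(), "stateless": 0})
    for src, dst, proto, pkts in flows:
        entry = per_src[src]
        entry["packets"] += pkts
        entry["dsts"].add(dst)
        if proto in STATELESS:
            entry["stateless"] += pkts
    return per_src


def suspected_agents(flows, pkt_threshold=50000, stateless_ratio=0.9):
    """Return (src, total_packets, distinct_dsts) for sources that exceed
    the packet threshold and whose traffic is mostly UDP/ICMP/IGMP.
    Thresholds are assumed values; tune them against your own baseline."""
    hits = []
    for src, entry in summarize(flows).items():
        total = entry["packets"]
        if total >= pkt_threshold and entry["stateless"] / total >= stateless_ratio:
            hits.append((src, total, len(entry["dsts"])))
    return sorted(hits)


if __name__ == "__main__":
    for src, total, ndst in suspected_agents(SAMPLE_FLOWS):
        print(f"possible flooding agent {src}: {total} pkts to {ndst} hosts")
```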
Dave Dittrich <dittrich@cac.washington.edu>
Last modified: Thu Jul 6 14:11:22 PDT 2000