What allowed this to happen?
- "Target rich environment" (and getting richer)
- Speed/complexity of intrusions overwhelming
- Use of "Root Kits" exceeds average sysadmin skill level
- Poor understanding of network monitoring tools/techniques
- Primary focus on restoration of service without data gathering
- Use of UDP, ICMP, and IGMP packets hard to detect/block
- Networks still built using "Pick any two: Fast, Reliable, Secure"
- Software/OSs designed with "ease of use" over security
- Short of firewalls or IDS at network borders, use "net flows" to detect initial intrusion signature or flooding agents (lack of tools/standards for doing this)
- Poor system/network forensic data gathering and analysis means no idea who did what, when,
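As an added example (not part of the original slides): the kind of "net flows" check the list describes for sites without a border IDS, flagging internal hosts that push large UDP/ICMP/IGMP packet counts at a single destination, and the destinations hit by several such hosts. The flow records, field layout and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records: (src, dst, proto, packets, bytes).
# Real exports (e.g. router flow data) carry more fields; only these are used.
FLOWS = [
    ("10.0.0.5", "192.0.2.10", "UDP", 48000, 1536000),
    ("10.0.0.5", "192.0.2.10", "ICMP", 30000, 1680000),
    ("10.0.0.7", "192.0.2.10", "UDP", 52000, 1664000),
    ("10.0.0.9", "198.51.100.3", "TCP", 120, 96000),
    ("10.0.0.9", "198.51.100.4", "UDP", 40, 8000),
]

# Protocols the slide singles out as hard to block at the border.
FLOOD_PROTOS = {"UDP", "ICMP", "IGMP"}


def flooding_agents(flows, pkt_threshold=20000):
    """Return {src: {dst: packets}} for hosts sending an unusual volume of
    UDP/ICMP/IGMP packets to one destination within the flow window.
    pkt_threshold is a constructed value; tune it to the site's baseline."""
    per_pair = defaultdict(int)
    for src, dst, proto, packets, _ in flows:
        if proto in FLOOD_PROTOS:
            per_pair[(src, dst)] += packets
    agents = defaultdict(dict)
    for (src, dst), packets in per_pair.items():
        if packets >= pkt_threshold:
            agents[src][dst] = packets
    return dict(agents)


def flood_targets(flows, min_sources=2, pkt_threshold=20000):
    """Destinations receiving floods from several internal hosts at once,
    which is what a coordinated set of agents looks like in flow data."""
    sources = defaultdict(set)
    for src, dsts in flooding_agents(flows, pkt_threshold).items():
        for dst in dsts:
            sources[dst].add(src)
    return {dst: sorted(s) for dst, s in sources.items() if len(s) >= min_sources}


if __name__ == "__main__":
    print("suspected agents:", flooding_agents(FLOWS))
    print("flood targets:", flood_targets(FLOWS))
```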
Dave Dittrich <email@example.com>
Last modified: Sat Jul 22 02:42:40 PDT 2000