
On Mon, 23 Dec 2002 Valdis.Kletnieks@vt.edu wrote:

:Unfortunately, this is (or should be) part of the threat model. What makes
:you think that J Random Cyberterrorist is any stupider than the guys Stoll
:was chasing?

Because Random J Cyberterrorist would know that the probability of success and scope of damage of his action is substantially less than that of a physical attack, given the resources he has to spend on it. Also, this threat can be mitigated more cost effectively through system and network hardening than by expanding the monitoring infrastructure to be able to handle such a difficult-to-codify threat (in any general sense).

Cyberattacks (again IMHO) are still in the realm of being opportunistic, as we have seen that given as little as $5-10,000, the resources necessary to reliably cause widespread damage are better spent on a plane ticket than a hacker.

The cyberterrorist threat is based upon the exposure of network systems and the motivation of the attacker. What is not taken into account in this threat description are the other, more reliable and severe options available to someone with the same resources and motives.

In the triage of sorting out what to protect and how to protect it, we can exercise lots of control over our technology, and given a limited threat model, we can be relatively successful. However, some threats are best dealt with by limiting our assets' exposure to them instead of building in safeguards whose reliability is inversely proportional to their complexity. :)

Thus (IMHO again) there is limited value in using what is ultimately a passive monitoring technology to combat the most agile and directed threats against the network. These agile threats being sophisticated hackers using multiple source hosts and jurisdictions, who can evade sensors and who leverage the inherent administrative overhead of tracking them.

The only defense against them is to keep your patch levels current, your firewalls strict, and watch until they get lazy and make a mistake. The only way to catch them is if they use multiple sources over a short period of time with diverse attacks, thus your search token in the logs would be the timeframe. Needless to say, given the amount of cruft that sensors amass, this isn't very reliable.

I have a hacker koan that expresses this problem:

It does not matter who is watching if you are invisible.
A sensor can only see what it is looking for.
A hacker cannot be seen merely by looking.

Cheers:)

--
batz