Friday, February 26, 2016

Repeat after me - port scanning is not hacking

I feel stupid from even having to say this (again) but port scanning is not hacking.  I read this article yesterday and lost a few brain cells.  Look - for the 100th time, just because you got port scanned doesn't mean you got hacked.  And stats like "300 million attacks per day" don't help anybody.  Even if I ate lead paint chips for breakfast and somehow believe that statistic, how do I operationalize it? What do I do with this "information?"

When we use misleading statistics, we make our leadership dumber.  There's no reason to mislead management - we need them making decisions based on facts, not port scans.   At Rendition Infosec, we go out of our way to make sure that any reporting we're involved with is factual and doesn't try to mislead with inaccurate statistics.

What then constitutes an attack?  
This will likely cause someone to tell me I'm wrong, but I'm not sure we'll ever reach a consensus on what constitutes an attack.  Take for instance some of these examples:

  • Your find evidence in your Apache logs that someone scanned for IIS vulnerabilities
  • Port scans against your firewall
  • Unsuccessful sqlmap attack attempts against a web server
  • Attempts to log in to an FTP server using the anonymous account 
  • Attempts to log into telnet using root/password combination
  • Thousands of login attempts over SSH from a single IP address over a 24 hour period

Which of these are attacks?  I don't profess to have all the answers.  What I know for sure is that each port scan isn't an attack.  When nikto is run, each attempt to reach a web page doesn't constitute an attack.  Each port scanned is not an attack.

The bottom line is that we need to select intelligent metrics.  In the community, we may disagree on what those metrics are, but two things are critical.
  1. When reporting within the organization, be consistent with how you generate your numbers. Changes  in methodology skew your stats.
  2. When reporting outside the organization, be transparent with how you generate your numbers.  If you have a new iPad and I offer you 1000 coins, that's a bad deal for you if the coins are pennies, but a good deal if the coins are silver dollars. Talking about "attacks" without context is like offering someone "coins" to buy goods.  You'll look like you're trying to hide something, because you probably are.
While this problem is widespread in our industry, I expect NSA to know better and stop spreading around useless hyperbole.  If NSA can't be bothered to get the facts right about cyber attacks, the rest of the industry has little hope.


  1. This comment has been removed by a blog administrator.

  2. This comment has been removed by a blog administrator.

  3. I'm using Kaspersky Anti virus for a couple of years now, I would recommend this product to everybody.


Note: Only a member of this blog may post a comment.