Which takes more skill - defence or attack?

Being intentionally offensive and having been banned twice and avoided the ban hammer for the 3rd time so far certainly takes much more skill than being inoffensively additive to a discussion. While one may be more useful than another, unless your a politictian, one certainly takes more skill. However, if you are unoffensively adding to a discussion with unbiased, truthful, and offensive to some people because it strikes fear of truth into their hearts, you are even more skilled. Antagonization is a world renowned skill perfected by the democrats and older brothers everywhere.


Sorry, that post was the most meaningless, stupid post ever, but it sure as hell was fun.

Quote:

---

Originally posted here by gore
Some people seem to think defending is hard..

Home user: installs a firewall with Macfee or Norton. Done.

Attacker has to code an exploit, find a way in, use it, get admin or root, and hide his tracks.

Yea, I can see why someone would say it's harder...

---

"Home hacker:"
"Oh, geez a new tool for me attack do l33t. lemme d/l it and attack M$"

If you read the entire thread, we are not discussing this.

Please Gore, if you dont have anything to add to the discussion, just dont... post.

Quote:

---

Originally posted here by cacosapo
"Home hacker:"
"Oh, geez a new tool for me attack do l33t. lemme d/l it and attack M$"

If you read the entire thread, we are not discussing this.

Please Gore, if you dont have anything to add to the discussion, just dont... post.

---

"Which takes more skill - defence or attack?"

Hmm silly me, maybe it's not English?

And he said ATTACK. NOT DDOS. NOT some other sack of **** where no one is successfull. And who the hell are you telling me if I have nothing to add don't reply?

Average Defense:

Set up a firewall and permissions.

Average attack, Try to find a way to expoit how it was set up or the software. I don't think you understand the amount of effort that goes into an actual sucessfull attack.

OFF TOPIC:

Quote:

---

Originally posted here by gore
. And who the hell are you telling me if I have nothing to add don't reply?

---

Im am the guy that is trying to contribute to the thread and not be "funny".
If you had read carefully the thread you notice that is about enterprise, business, companies, professional hacker/crackers and professional admins.

BTW, i know what is the "average effort" to do a successfully attack. just download a tool and attack.
Or you mean the "average effort" to "create something"? I know how hard is create anything on this area, including a successfully buffer overflow. Do you? from scratch?

Again, Nobody is talking about that.
We are talking about "coders" (attackers) and professional admins (not a home user).

If you at least tried to read, before starting to be "a funny guy", i do believe that you can contribute a lot to it (because at least i think that you know something).

Quote:

---

"Which takes more skill - defence or attack?"

Hmm silly me, maybe it's not English?

And he said ATTACK. NOT DDOS. NOT some other sack of **** where no one is successfull. And who the hell are you telling me if I have nothing to add don't reply?

---

Co-sign and cacosapo that wasn't needed. Anyways, back on topic..

I think the average defense concerns more than merely setting up the firewall and it's permissions. You can't simply load up a firewall and it's settings and think you're safe. Log files must be attended to regularly, monitering, updates, etc.. Now for the average attack, it can vary from something small (running an already coded exploit on a machine) to actually going through the steps of the "Anatomy of the Hack". This was something I read on AO and on other sites awhile back:

Quote:

---

Anatomy of The Hack

Foot printing

Objective
Target address range, namespace acquisition, and gathering information are essential to a surgical attack. The key is not to miss any detail

Techniques
Open source search
Whois
Wed interface whois
DNS zone Tran sphere

Scanning

Objective
Bulk target assessment and identification of listening services focus the attacker attention on the most promising avenues for entry.

Techniques

Ping sweep
TCP/UDP port scan
OS detection

Enumeration

Objective
More intrusive probing now begins as attackers begin to identified valid user accounts or poorly protected recourse shares.

Techniques

List of user accounts
List of share files
Identify applications

Gaining access

Objective
Enough data has been collected to allow an informed attempt to access the target.

Techniques

Password eve dropping
File share brute forcing
Password file grab
Buffer overflows

note this can go straight to DOS attacks after this step or they may continue on down the chain

Escalating privileged

Objectives

If only user level access has been obtained in the last step the attacker will now seek to gain compete control over the system

Techniques

Password cracking
Known exploits

Pilfering
Objectives

The information gathering process to begin to identify access to trusted systems.

Techniques

Evaluate trusts
Search for clear text passwords

Covering track

Objectives
Once total ownership of the target is secured, hiding this fact from the systems administrator becomes paramount.

Techniques

Clear logs
Hide tools

Create back doors

Objectives

To insure that the intruder has privileged access whenever they choose.

Techniques
Create rogue user accounts
Schedule batch jobs
Infect start up files
Plant RAT's
Install monitoring systems
Replace app with trojens

Denial of service

Objective
If the attacker is unsuccessful in gaining access they may use a readily available exploit code to disable the target as a last resort

Techniques

SYN flood
ICMP techniques
Identical src/dst SYN requests
Overlapping fragment/offset bugs
Out of bound TCP options(OOB)
DDos

---

THAT takes skill, talent, aswell as time/patience.

Quote:

---

Originally posted here by cacosapo
OFF TOPIC:

---

You're dragging this off topic to tell ME not to do the same? Nice one.

Quote:

---

Im am the guy that is trying to contribute to the thread and not be "funny".

---

I'm not trying to be ANYTHING... I said what I thought about this, how you took it is not my problem, nor will it become one.

Quote:

---

If you had read carefully the thread you notice that is about enterprise, business, companies, professional hacker/crackers and professional admins.

---

You just countered yourself. You said an attacker can simply download something, now were talking about coder and admins? Hmm, when you pick which one it is we are in deed talking about you let me know and I'll reply to THAT.

Quote:

---

BTW, i know what is the "average effort" to do a successfully attack.

---

Successful, as in, rooted, not caught, logs show nothing and admin knows nothing about it. That takes a lot of things.

Quote:

---

just download a tool and attack.

---

Yea, that way it shows up in the logs.... Or better yet you accidently target the wrong system and some Windows admin wonders why a Unix shell exploit shows up in an IIS log.

Quote:

---

Or you mean the "average effort" to "create something"? I know how hard is create anything on this area, including a successfully buffer overflow. Do you? from scratch?

---

I know hex and binary and some Perl, that's enough for just about any buffer overflow. IU don't use overlows, those can be patched, but stupidity can not.

Quote:

---

We are talking about "coders" (attackers) and professional admins (not a home user).

---

Perhaps the poster should have named this thread admin VS coders then? Or was it being dragged off his original topic?

Quote:

---

Does it take more skill to attack a network or defend a network? or is it about even?

---

Seems like he asked a simple question and some dick head took it another way and dragged it off topic to mean what THEY wanted it to mean. Like your example of what we are talking about and not talking... I gave my contribution saying an attacker needed more. The more an admin knows the harder and more creative they have to be not to get whacked.

Quote:

---

Also, to what extent do attacker and defender share the same skillset and to what extent is it different?

---

I brought up my point on a home user installing a firewall and an attacker having to find a way around it. He mentions NOTHING of professionals.

Quote:

---

If you at least tried to read, before starting to be "a funny guy", i do believe that you can contribute a lot to it (because at least i think that you know something).

---

And when you stop pretending you know me or what I mean by anything, you can make a statement like that where I'll listen to it.

*sigh*

Quote:

---

You must spread your AntiPoints around before giving it to gore again.

---

Oh well.. and guys, can we please not turn this thread to ****? I like this topic. Cacosapo, like I said, your comments weren't needed. I appreciate the greens and ****, but honestly you should knock it off for now and help to get back ON topic.

Bleh, I guess I'm guilty of the same **** now. :( Shame on me....

I think Defense requires more knowledge. I mean there are programs out there that makes attacking easy for any new comer however, you actually have to know what your doing inorder to protect a network, and that means having knowledge in all the different ways an attacker can penetrate a network.

gore, now this is where it depends as to what you classify to be defender/attackers.

average attack = find firewall...move on

or

find firewall, determine type then google for exploits. didn't work...move on

thats if we're talking 'average'.

now if we're talking skilled professionals....pro thiefs vs. pro security specialists then the numbers drop to a minimum on both sides and these can't even be put into the same catagory as the above groups. with the hacker using code that they write themselves for the particular situation their facing.

This is a bad question for two reasons:
1. It varies from situation to situation, environment to environment.
2. There will always be arguments as to which side is more effective, and there are several good points to each side. A more useable discussion might be:
Which is better? To keep your 'opponent' acting, or reacting? You can do both on either side of the fence, and I think you'll probably end up with a more useable discussion of technique than a simple "what's harder -- defending or attacking?"

Hey Hey,

There are very few "good posts" found in the pages of this thread... one of the better ones is chsh's... It does vary and the question he has posed is much better.

This thread topic, and the attitude of the authors posts, reek of skiddiness... The language itself, "skill", reeks of skiddiness as well.

Why does it seem that the l33t hax0rz insist on using the word skill? I've got mad sk1llz y0!... Is skill a quantitative measure??? I think not... My girlfriend is skilled at using a computer... She can get online, use IE and other basic windows apps, use the word processor, connect the components of the PC, clean her computer and update her AV... does this mean she's prepared to defend or attack a computer.... no.. I'm quite a good cook and very skilled in the kitchen... but I'm not ready to prepare a world class mean for Chef Ramsey (Hell's Kitchen)...

How about using a word like knowledge.... Which requires more knowledge, attacking or defending... or Which requires a higher level of knowledge, attacking or defending... At that point the author should have been asked to clarify attacking or defending what.... A corporate network is the assumption that has been made... but it's still only an assumption... regardless of how certain individuals want to fly off the handle in attempts to belittle other members of this forum. No one ever really asked the direct question "What are we attacking and/or defending"..

Next you have to look a little more indepth... Why does it seem that everyone thinks of coding when they think of attacking.... I've seen coding mentioned several times.. I don't need to know **** about code... with the packet building programs available today (hping, nemesis, etc) and the variety of other tools... such as fuzzers (PeachFuzz, Spike, etc) and the existance of point and click GUIs for coding... I could attack without ever really writing a piece of code..

The same for defending... no need for coding... The real knowledge comes from your knowledge of networking or the inner workings of an operating system... and this goes for both attackers and defenders.... I need to know how various TCP Flags work... then I'll know that a a large number of SYN packets can render a port useless... and from the defenders point of view that my network must be protected against excess SYN packets bound for the same destination..

The only real answer is that the level of knowledge required for both is the same... The above example demonstrates how both attacker and defender must have the same knowledge in order to attack or defend depending on their position.

I can't get over the number of people that have said this is talking about corporate networks but then said both professional auditors and skiddies.... Don't walk the fence, you're either talking Professionals on both sides, or Amateurs on both sides...

It takes the same level of knowledge for a home user to protect their computer (point and click; download and install a firewall) as it does for a skiddie to exploit the latest MS Vuln (point and click; download and run)..

This works it's way across the board from Idiots to Newbies to Amateurs to IT Professionals to Security Professionals... The knowledge level must be the same regardless of whether you are attacking or defending... That's the only way to make this a fair comparison... Drop the word skill... forget it ever existed... how much knowledge do you have... and I'm not talking that pre-canned CCNA garbage that anyone's grandmother can get in an afternoon... I'm talking actual useful knowledge...

I've rambled quite a bit, so I'm going to cut it off there.... g'nite.

Peace,
HT

Quote:

---

as it does for a skiddie to exploit the latest MS Vuln (point and click; download and run)..

---

Point and click is a myth.

You need to have a "working" exploit for starters. Let alone you need to take an exploit and a machine with alot of up-time and make it automaticly exploit other computers for you when your not around. You need to make sure it consistently and constantly works. Editing other people's stuff... this would require what? Maybe a minor amount of "programing skills".

Most exploits don't come with the option to mass exploit a thousand web-servers. Thats usually up to the user to automate the process... that along with anything that happends after exploitation. This was almost explained pages ago. And anytime you see the letters "PoC" together like that... you know it'll pretty much only make the program seg-fualt and not much else.

Skiddie this and that... some of you guys say that and act as if you're one step above just another average Joe Blow.

Quote:

---

Originally posted here by ¤The¤Spe©ialist
Point and click is a myth.

You need to have a "working" exploit for starters. Let alone you need to take an exploit and a machine with alot of up-time and make it automaticly exploit other computers for you when your not around. You need to make sure it consistently and constantly works. Editing other people's stuff... this would require what? Maybe a minor amount of "programing skills".

Most exploits don't come with the option to mass exploit a thousand web-servers. Thats usually up to the user to automate the process... that along with anything that happends after exploitation. This was almost explained pages ago. And anytime you see the letters "PoC" together like that... you know it'll pretty much only make the program seg-fualt and not much else.

Skiddie this and that... some of you guys say that and act as if you're one step above just another average Joe Blow.

---

Hey Hey,

It's not a myth... it's just that the definition of 'skiddie' varies between us.... I consider a skiddie to be someone who uses point and click.. Someone who get's their hands on an expired version of CoreImpact and sets back their computer clock so that they can use it (but not obtain updates) or someone that downloads WinNuke or Netbus or the GUI DCOM exploits that came out very shortly after the DCOM exploit was released... Even the ones that download the PoC off k-otik (frsirt) and FD.... some of that code can be quite dangerous... and then writing a batch file to hit multiple IPs, or compiling the code is not work.. The people that actuall create working copies of the exploit and modify it, etc... I place them a great deal above your standard skiddie...

Peace,
HT

Quote:

---

Originally posted here by Tedob1
average attack = find firewall...move on
or
find firewall, determine type then google for exploits. didn't work...move on
thats if we're talking 'average'.

---

Exactly what i think.
When we go "above the average" for attackers, we start to find "specialists".
A guy that has a specific knowledge of a few exploits. And a guy that can use and/or make several tools to explore those few exploits.
Some of those guys can master more than one discipline but its pretty uncommon.
On the "white site", we have the "average admin". An average admin must know how to successfully defend against "average attacks":
- well known exploits
- maintain patches up-to-date
- follow best-pratices recommendations... etc .etc
What is above an "average admin"?
what are the skills, in your opinion, of a "specialist admin"?
What kind of company need these "master admin"?
I would like to heard your opinions.

I definitely agree that the sysadmin has the harder job. The larger the network, the harder the job. An attacker has the luxury of time to wander the network, get a feel for it, and discover any weak spots. A defender has minutes to hours to detect and fix a break in before his boss starts breathing down his neck. A boss's breath is never good.

I would say the defender has a much harder job due to the following:

Defense: One to many. There is one thing to protect and many people coming from different angles to get it. You have to protect against all of the possible manors in which someone could attack it. I don't agree with Gore in this respect because I don't see this conversation being related to home users who want nothing coming through. If that were the case, I could secure a computer easily by dropping it into the middle of a cement truck. It would be completely secure. I see this more posed about securing a network, when you DO want some information coming in and going out, such as maybe a webserver or email server.

Attack: This is a one to many relationship also, but it means you have multiple people to attack. If you have one thing you're good at, such as a specific exploit, you keep searching until you find someone vulnerable.

Now, if you're going to take out the one to many relationship and point a single attacker against a single network, things might even out.

My vote goes to defender since to stay on top of things requires you to be one step ahead of any attacker. I would say that in general an skilled attacker and skilled defender would have probably a good amount of overlap in their knowledge. Each would know multiple exploits. The attacker would know how to use them, and the defender would know how to defend them. I think each of those actions is equally skillful if you aren't just googling for the answer.

So, My vote goes like this....

Home network - Defense is easier
Mid-size network - Attacker is easier (due to the fact that some services are available to the outside)

Now a professional attacker who is finding and developing new attacks, vs. a professional defender who is looking for new attacks and mitigating them, I think this ground is pretty equal.

Just like the attacker has to stay a step ahead of the defender....

How many of you in this thread have actually rooted a box without ANYONE knowing about it?

How many people defend against that each day? (All of us I'd assume).

For each successfull attack there are 200 non.

Quote:

---

Originally posted here by gore
Just like the attacker has to stay a step ahead of the defender....

How many of you in this thread have actually rooted a box without ANYONE knowing about it?

---

Does a corporate network count? They didn't know until I told them. It was a lame attack (poor defense on their part), but it's worth something...

Quote:

---

Originally posted here by gore
Just like the attacker has to stay a step ahead of the defender....

---

Agree too. Attacker should know a way to circumvent the defender' defenses (to be successfully). So attacker should (at least one discipline) know more than the defender.
BTW, a think that defender is allways a step back of the attacker, since most of our defenses are "reactive". We only know how to defend when we get the first attack.
Its our nightmare - 0-day exploit.

But it's always easier to attack a known enemy than defend against an invisible one, so as far as skill goes, the defender must have more... it's not really a matter of an attacker knowing "more" (as if knowledge was, indeed, quantifiable), but rather knowing something "new". Having knowledge of a new 'sploit generally puts the attacker on higher ground, regardless of his "skill".

Quote:

---

Originally posted here by gore
Just like the attacker has to stay a step ahead of the defender....

How many of you in this thread have actually rooted a box without ANYONE knowing about it?

How many people defend against that each day? (All of us I'd assume).

For each successfull attack there are 200 non.

---

A successfull attack doesn't mean much.. I could get admin on about half of the companies in my town without being detected... COULD I get detected, YES, by someone who knew wtf they were doing, but most of the IT people in this **** town are either "self taught" folks who don't know **** but have the arrogance of a teenage jock or people straight out of devry or the community college who passed with Bs and have no real knowledge of how to properly run a network... It's ****ing sad when I could run a better network if I worked there for a month with no real schooling compared to their 2 years of school.

Defender must also protect against the action of his/her users with access. The also have the potential to compromise the system accidentally or otherwise.

The defender is defending on 2 fronts and also working blind against the attacks that may be launched.

The defender also has to work within the rules of his/her organisation which may mean fighting with one hand behind your back or opening doors in their defense on the instruction of managers.

The attacker follows no rules but those set by himself/herself.

The only limits are those we set on ourselves.

Many attackers (as previously stated) piggy back off of other's previous work. This is obviously easy to do. With the rapid change in technology, defenses have already been set up for these attacks.

For attackers to come up with "new" ways to hit a system (hard) could be difficult, but in the end, the real forte comes in providing a worthwhile defense.

Just my verbose way of agreeing with the majority.....sorry.

I rarely agree with a majority. Complacent consent is the enemy.

anyone can set up a good firewall, get a good Policy and then the attacker needs to find a way in. I don't think I've heard of many successfull attacks where someone used a program.

Quote:

---

Defender must also protect against the action of his/her users with access. The also have the potential to compromise the system accidentally or otherwise.

---

Agreed. It's also something that a defender must do that the attacker doesn't obviously.

Quote:

---

The only limits are those we set on ourselves.

---

Co-sign.

Quote:

---

Many attackers (as previously stated) piggy back off of other's previous work.

---

That's not an attacker. That's a skiddie, there's a difference.

Quote:

---

Quote:

---

Many attackers (as previously stated) piggy back off of other's previous work.

---

That's not an attacker. That's a skiddie, there's a difference.

---

Sorry, But I'm going to have to disagree with this... I think EVERYONE piggybacks off of someone else's previous work.. How often does an attacker find a NEW vuln in a piece of software, and exploit it, and how often does a defender find a new vuln, and write his own patch for it? Not too terribly often I'd think... Skiddie's don't piggy back... they just use... Piggy backing is taking someone's work and adding to it, which happens to be the very essence of OSS. Piggy backing is something that basically must be done to be successul, using a packaged tool isn't.

Gore is also right when he says that a skiddie can't download and run something and expect to get in to a server undetected, even if the admin sucks. Why? Becuase most at least have a firewall. netbus doesn't work through a firewall that has netbus blocked.

The Grunt: Piggy Backing is that -- catching a free ride. By that meaning no work involved which leads the skiddies to Piggy Back. It basically means they are using others code and exploits and not adding nothing to it, simply using it. Thus the term "point and click", it has nothing to do with adding ANYTHING on.

Quote:

---

I think EVERYONE piggybacks off of someone else's previous work

---

Possibly, in some way or another. However I know people who code their own exploits to use in a hack or people who code their own defense systems as well.

Quote:

---

How often does an attacker find a NEW vuln in a piece of software

---

Happens everyday.

Quote:

---

and how often does a defender find a new vuln, and write his own patch for it?

---

Again, everyday.. go on some other security websites who report vulnerabilities and exploits. They'll show you.

Quote:

---

Piggy backing is something that basically must be done to be successul

---

I don't agree with that. It's not something that MUST be done to succeed.

Quote:

---

Becuase most at least have a firewall. netbus doesn't work through a firewall that has netbus blocked.

---

That's right. A firewall that "has netbus blocked" usually is one with a permission or rule set TO block netbus activity.

Bleh, sorry. I think the statement "Piggy backing is taking someone's work and adding to it" is untrue. I believe it's only the first part of it and has nothing to do with adding to it.

I gotta say both of them because an attacker is nothing if they know nothing about how an defender does his defending and this also works the opposite way. Like the saying says, if you want to stop a hacker you have to be one.

This is close enough to be true

Quote:

---

Like the saying says, if you want to stop a hacker you have to be one.

---

I guess I'm old but I never heard of that saying. You don't have to be one, but it help's to atleast possess the knowledge that a hacker would.

From being both in IT and Auditing I can tell you that it is harder to defend than to attack. There are similiarities to both areas:

1. Both areas have tools that can automate that process of securing or breaching
2. Both areas require at a minimum, some time and effort to learn and experience the better or best ways to practice their craft; however, to fully master defense or attack, one needs to commit oneself, like any craft, to it every day - I was in IT for quite awhile and when I flipped to auditing, I found I was a novice in a different arena of thought.

Having stated the above, it just feels to me that defense takes more work - why because as previously stated throughout this thread, defense it more a guessing game, the attack can be better planned. With defense, one needs to plan for every contigency that can be imagined.

Also because some feathers seemed ruffled in this great thread, I thought I would share a fairy tale - don't worry it has been deemed "The Worlds Shortest Fairy Tale!" Please God, don't let my wife see this - if she does - honey I love you and this is just a joke! :eek: :

Once upon a time a guy asked a girl, "Will you marry me?"
She said, "No !"
And the guy lived happily ever after.
THE END :D

Better late then never genXer. Welcome to AO.

With the limited time (even using automated tools) to detect and respond to an attack - which means detailed log review, the task of the defender is the greater and more challenging. And if a forensic level analysis is required, you'd better budget at least one hour of time for every minute an attacker was in your system.

Log correlation, multi-layered (and frequently non-integratable) tools means a lot more work. Bugs happen and exploitation of them is a damn sight easier than having to mitigate or work around a vulnerability because some programmer, in his/her infinite wisdom, found that they could do really cool programming tricks!

And, yes, I have had to deal with business applications that actually used cross-site scripting vulnerabilities in Internet "Exploder" to achieve a business function. Patching caused apps to break and left an exploitable weakness in the network.


Having stated the above, it just feels to me that defense takes more work - why because as previously stated throughout this thread, defense it more a guessing game, the attack can be better planned. With defense, one needs to plan for every contigency that can be imagined.

I think we've beat this to death... and we pretty much all agree....

Quote:

---

Better late then never genXer. Welcome to AO.

---

DOH! Sorry - just realized the date on the last post before I posted. Sorry about that. I will try to avoid that in future. :)

So basicly your analogy is that if more work is put into something then this person has more "skill". And I'd kinda have to agree with that...

Any random jackass standing on a highway, wearing an orange vest while picking up trash or digging ditches clearly has five million times more skill than most people who work with computers.

And Neg, do I need to remind you of what happend last time you deleted one of my posts? Yeah thats right... I actually have that saved. Even now you and I would both agree I was in the right but your just to anal to admit it. :D

Quote:

---

So basicly your analogy is that if more work is put into something then this person has more "skill". And I'd kinda have to agree with that...

Any random jackass standing on a highway, wearing an orange vest while picking up trash or digging ditches clearly has five million times more skill than most people who work with computers.

---

Not sure if this was an attempt of a slam or not - because it had about as much merit as you do - nil. Also, what is your speciality - besides that of being an assclown? An assclown who obviously has nothing better to do than to rejoin an organization who has booted - hmm - how many times now?!? Oh wait, I'm sorry, that's right - you're an H4xX0r1337. Wow... no one is impressed.

Also - I would love for you to take that little jackass comment to the actual people doing that work and see what they think of your pontificating. Lastly, before I joined this fine organization, and it is fine, no matter how much you bash it - then join/rejoin it, I read through some of your posts. Something happened to you - something dark, or light, or whatever - because you don't curse as much anymore - could it be that the organization that routinely exorcizes you from their membership ranks are actually training you - making you conform? Hey - mouth breathing troglodytes can learn new tricks! Maybe you can use that life experience to get a job that lasts longer than a week and move out of your Mother's basement. Now before you piss me off, why don't you?

IMO I would say the attacker. They both take skill, but attackers usually have more expertise. What I mean by that is a system administrator might be a specialist in locking down a windows server, but attackers have expertise in many operating systems because they usually do not limit themselves to one specific type of hacking.

The security admins can lock down things by general permissions and knowledge of the OS comes into play in that respect, but a lot of it is staying up on patches. If an attacker goes up against a system that has locked down all known vulnerabilities, it requires a lot more work than people give them credit for.

Another thing is the whole pressure situation. When you attack, especially illegally, the pressure can get to you. A security admin at most can lose their job if they fail at securing the system, which rarely happens, the company just reacts and locks down the system. An attacker fails at an attack and he goes to prison usually. That factors in a lot, especially when your actually in the middle of the attack.

Also attacking isn't just getting in, it is everything. Footprinting, scanning, etc like one of the posters quoted from text. You have to do a lot of work just to get in, then you have to do more work to clean the logs, get admin access if you only got user level access, plant backdoors and other accounts for a return to the system if needed.

Quote:

---

Originally posted here by Cyberruk


Having stated the above, it just feels to me that defense takes more work - why because as previously stated throughout this thread, defense it more a guessing game, the attack can be better planned. With defense, one needs to plan for every contigency that can be imagined.

---

I disagree. It is impossible to plan for every contingency that can be imagined. A defender can only afford (or rather he will only and just barely have the resources for, and maybe not even then) to deal with the most likely contingencies.

You could say the real skill is determining the most likely risks (risk analysis), persuading management to cough up the dough (mucho persuasion) and then implementing an optimal solution (money, time, people and effectiveness wise) before crossing one's fingers, sticking one's head between one's legs and hoping to h3ll you don't have to ki55 your a55 g00dby3!!!