Re: When do exploits get used?
From: Jay Beale <jay () bastille-linux org>
Date: Mon, 22 Mar 2004 17:13:17 -0500
Luke Scharf wrote:
I think you're going to quickly change your mind as soon as the first
0-day worm comes out. All the patching in the world doesn't save us if
the attackers ever get a widely-used exploit against a non-public
vulnerability. At that point, internal firewalling and system
hardening, to say the least, take center stage. (Of course, you could
add to these, or potentially replace these with, some particular
host-based intrusion prevention/kernel modification solutions, but I'll
leave that one alone for now.)
On Mon, 2004-03-22 at 14:46, Paul Schmehl wrote:
To think otherwise is foolish, as I said. If one isn't paranoid, one
probably doesn't belong in the security field. If you're sitting back
thinking you're safe because you're patched and you patch quickly, then
you're unalert and exposed.
Patching, passwords, and basic-permissions *are*, however, the 10% of
the work that gets 90% of the benefit. All the stuff that we get
excited about here is just icing on the cake.
The day of the 0-day worm is coming, or at least the
close-enough-to-0-day worm, that organizations that do patch often will
still get badly compromised. This basically comes down to a question of
windows of vulnerability. Your window of vulnerability to a given
exploit comes down to the sum of three time windows:
1) The time that an exploit exists before the vendor has learned of the
vuln and begun preparing the patch. (0 days to N years)
2) The time that the vendor spends researching, preparing and testing a
patch. (1 day to 9 months, probably about 2 days or more.)
3) The time in which a patch is available and you haven't yet deployed it.
First, remember that you have no control over time window 1 and little
over time window 2. Time window 3 for the most attentive organizations
seems to be around 1 day on non-critical systems and 3 days on critical
systems. The averages are probably around 1 month for both types of
If you're in this best set of organizations, potentially spending major
manpower on vetting and installing patches, you've still got a decent
window of vulnerability. It's at least an hour/day (from #3) along with
a few days or more from #1 and #2.
Patching isn't really 90%. It seems like that because organizations
still aren't keeping up with patches and thus don't know what would have
happened if they had. It seems like that because we're not getting
caught in the first two parts of our windows of vulnerability that often
just yet. If a worm comes out in time window 1 or 2, your 1-hour patch
turnaround won't save you.
You may find this discussion academic. But the exploit writers and the
worm writers are getting faster. And that's what should scare us into
moving beyond patches. That's what should get us moving to better
network and host configurations. That's what should get us to evaluate
patching as, at most, the easy, but most critical, 50%.
Of course, I could be wrong.
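As an added illustration of the three-window model in the post above (not part of the original message), the following Python encodes the windows and classifies where a worm release lands relative to them. The dates are constructed examples, not a real vulnerability timeline.

```python
"""Exposure windows: an added example modelling the argument in the post."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class VulnTimeline:
    exploit_exists: datetime   # start of window 1: a working exploit exists
    vendor_notified: datetime  # end of window 1, start of window 2
    patch_released: datetime   # end of window 2, start of window 3
    patch_deployed: datetime   # end of window 3: this host is no longer exposed

    def windows(self) -> Dict[str, timedelta]:
        """The three windows from the post; total exposure is their sum."""
        return {
            "1_pre_disclosure": self.vendor_notified - self.exploit_exists,
            "2_vendor_patching": self.patch_released - self.vendor_notified,
            "3_your_deployment": self.patch_deployed - self.patch_released,
        }

    def total_exposure(self) -> timedelta:
        return sum(self.windows().values(), timedelta())

    def window_hit(self, worm_release: datetime) -> Optional[str]:
        """Window a worm released at `worm_release` lands in; None if it only
        appears after the patch is deployed (you were never exposed to it)."""
        if worm_release < self.exploit_exists:
            raise ValueError("a worm cannot predate the exploit it carries")
        if worm_release < self.vendor_notified:
            return "1_pre_disclosure"
        if worm_release < self.patch_released:
            return "2_vendor_patching"
        if worm_release < self.patch_deployed:
            return "3_your_deployment"
        return None


# Constructed illustrative timeline (not a real vulnerability): 10 days before
# the vendor hears of it, 41 days of vendor work, 1 day of local deployment.
EXAMPLE = VulnTimeline(
    exploit_exists=datetime(2004, 1, 10),
    vendor_notified=datetime(2004, 1, 20),
    patch_released=datetime(2004, 3, 1),
    patch_deployed=datetime(2004, 3, 2),
)


def classify_worm(worm_iso: str, tl: VulnTimeline = EXAMPLE) -> Tuple[Optional[str], bool]:
    """Return (window hit, whether faster patching alone could have helped).
    Only window 3 is under your control; a worm in window 1 or 2 defeats
    any patch turnaround, which is the post's point."""
    hit = tl.window_hit(datetime.fromisoformat(worm_iso))
    return hit, hit in ("3_your_deployment", None)
```

Running `classify_worm("2004-02-15")` places the worm in the vendor's window, where a one-hour patch turnaround changes nothing; only `"2004-03-01T12:00"` lands in the window that patch discipline actually shortens.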
Full-Disclosure - We believe in it.