Re: When do exploits get used?
From: Dave Aitel <dave () immunitysec com>
Date: Mon, 22 Mar 2004 18:30:19 -0500
Jay Beale wrote:
| Luke Scharf wrote:
|> On Mon, 2004-03-22 at 14:46, Paul Schmehl wrote:
|>> To think otherwise is foolish, as I said. If one isn't
|>> paranoid, one probably doesn't belong in the security field.
|>> If you're sitting back thinking you're safe because you're
|>> patched and you patch quickly, then you're unalert and exposed.
|> Patching, passwords, and basic-permissions *are*, however, the
|> 10% of the work that gets 90% of the benefit. All the stuff that
|> we get excited about here is just icing on the cake.
| I think you're going to quickly change your mind as soon as the
| first 0-day worm comes out. All the patching in the world doesn't
| save us if the attackers ever get a widely-used exploit against a
| non-public vulnerability. At that point, internal firewalling and
| system hardening, to say the least, take center stage. (Of course,
| you could add to these, or potentially replace these with, some
| particular host-based intrusion prevention/kernel modification
| solutions, but I'll leave that one alone for now.)
| The day of the 0-day worm is coming, or at least the
| close-enough-to-0-day worm, that organizations that do patch often
| will still get badly compromised. This basically comes down to a
| question of windows of vulnerability. Your window of vulnerability
| to a given exploit comes down to the sum of three time windows:
Why the focus on worms again? Worms are what happen when good exploits
are wasted. No one who has an exploit wants a worm to come out. This
is why a real 0day worm is probably not coming out any time soon, imo.
| Patching isn't really 90%. It seems like that because
| organizations still aren't keeping up with patches and thus don't
| know what would have happened if they had. It seems like that
| because we're not getting caught in the first two parts of our
| windows of vulnerability that often just yet. If a worm comes out
| in time window 1 or 2, your 1-hour patch turnaround won't save you.
It always boggles me that people will patch production systems for
remote SYSTEM vulnerabilities.