
Dailydave mailing list archives
Re: Punching above your weight class
From: "Adriel T. Desautels" <adriel () netragard com>
Date: Mon, 07 May 2007 16:39:39 -0400
Dave, I couldn't agree with you more. When my partner and I founded Netragard we did it with the intention of addressing the issue that you talk about below. Specifically, there is a significant gap between the level and the quality of security services being offered to businesses internationally, and the actual threat level created by malicious hackers... To make matters worse, that gap is growing rapidly.

*** A quick story...

About three weeks ago I spoke on a panel during a CIO conference with Steve Wozniak. Before my panel went up I was listening to the first panel present their ideas about corporate security. One of the panelists began talking about defining "Acceptable Risk Levels" within organizations. (These were CIOs, CTOs, CSOs etc. for multi-billion/million-dollar companies.) When I heard these people speaking I realized that they never got into anything specific. Instead it was as if they were just talking about ideas that they had briefly read about in magazines or online articles. So I decided to ask them something specific.

My first question to them was "In order to properly understand your acceptable risk level you must first understand the threats faced by your business, correct?" They all nodded in agreement. My second question to them was "Where do you get your threat intelligence?" None of them could answer the question; instead they tried to "market" their way around it, or provided answers that were not at all related to the question. Later I was accused of asking a "trick question", when there was nothing tricky about it.

*** End of my quick story...

That's when it hit me. I've always known that a very significant gap existed between the capabilities of malicious hackers and the IT defense capabilities of businesses and government agencies. What I never realized was how little "good" threat intelligence was available to the people trying to defend themselves against malicious hackers.
I've made it a point to always have good threat intelligence by maintaining a team of people to harvest the intelligence for my business. So I suppose that I just take the intelligence capability for granted, but what has the rest of the world been doing? Who are they trying to protect themselves against if they don't have that capability? I'm sure that many of the people on this list also have ways of collecting threat intelligence, but then again the people on this list are most probably an exception. Am I wrong? I'm very curious...

On 5/3/07 11:05 AM, "Dave Aitel" <dave () immunityinc com> wrote:
The best hacker teams in the world right now may belong to organized crime groups. In my spare time in between packing lunch boxes and cleaning the floor under the high chair, I've been thinking about ways in which these organizations differ from most commercial companies who do penetration testing. A company has a rather large budget, dedicated infrastructure, and an experienced and skilled staff. So why do so many of them fight like flabby novices? The fact is, giving someone a LOT of money, and a big mission to solve, often gives them a good excuse to get fat and useless.

I don't know how to solve your problem if you're a hundred-million-dollar attack team yet. But if you're at ten million or less, these are the rules I've come up with.

Six Rules for Punching Above Your Weight Class:

o Never use an exploit in the wild you don't completely understand. If you can't debug it on the fly, you can't use it.
o Don't split up research from attack. Your research team needs to be focused on the mission.
o Develop a fast-reaction team that can hit easy or very time-critical vulnerabilities within 8 hours or less.
o Be target focused.
o Develop technical partnerships with other people who can write exploits. There just aren't that many of them.
o One team, one mission. People naturally want to work on only Windows or only Unix, but that's not the way to success. Find people who can work on the whole picture.

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
--
Regards,
Adriel T. Desautels
Chief Technology Officer - Netragard, LLC
Office: 617-934-0269 || Mobile: 857-636-8882
http://www.linkedin.com/pub/1/118/a45
http://www.netragard.com
-------------------------
"We make IT secure."
Current thread:
- Punching above your weight class Dave Aitel (May 03)
- Re: Punching above your weight class Adriel T. Desautels (May 07)
- Re: Punching above your weight class Security Admin (NetSec) (May 08)
- Fwd: Punching above your weight class Xu He (May 08)
- Re: Punching above your weight class Adriel T. Desautels (May 07)