Dailydave mailing list archives
Re: "The organization I belong to doesn't have initals" (that evil dude in Heroes)
From: Tito Villalobos <tvillalobos () wowway com>
Date: Mon, 13 Nov 2006 04:47:40 -0500
Dave Aitel wrote:
The solution, of course, is to focus only on the high end risk, rather than assuming you have to climb up the risk chain from the bottom. IMHO, of course. I don't work for the USG and haven't for a long time. But if you're focusing on patch and configuration compliance and your most likely opponents don't care then you gotta assume something's broken. Invest the majority of your cash in vulnerability research and hacking and leave the compliance management for later. Sometimes the best defense is a good offense, and with hacking that's nearly always true.
Dave, I can't agree with this at all. Handling the low end (patch management to fix known bugs) is essential. Otherwise, all of that 0day research isn't even necessary to crack the boxes. If an organization followed this advice (even one with enough resources to spare on "pure research" style 0day research) but didn't have solid patch management, it would be wide open to any "leet haxor" who could one-finger "metasploit.com".

"The best defense is a good offense" doesn't apply here. One side is completely on the offensive, and one is completely on the defensive. Large organizations can't "attack back", at least under the current laws (AFAIK, IANAL), and even if they could, crashing some zombie out there is hardly going to be good protection. The "most likely opponents" aren't focused on patch management, because they don't have to be on the defense at all.

Even if a typical organization finds something through vuln research, how do they protect against it? Either they create a patch themselves or notify the vendor, who creates a patch. Both still require patch management to ensure the fix is applied throughout the org. The only other alternative is to try to create some IDS/IPS sigs based on it, and those have been quite thoroughly trashed on an earlier thread.

I'm not saying that patch management is enough. It's just one of the basic defenses. However, without the basic defenses, anything more advanced is like reinforcing the windows while leaving the doors unlocked.

-Tito