Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: An article from Peter Tippett/TruSecure...

From: "Bill Royds" <broyds () rogers com>
Date: Mon, 10 Mar 2003 08:19:20 -0500
One of the fundamental principles of rsik management is weighting your
vulnerabilities, threats, and costs to give an expected cost of each threat.
That is why using something like the SANS top 20 threats
(http://www.sans.org/top20/) as a guideline is most useful. The SANS list is
those vulnerabilities most exploited. Harden and patch your system against
those first, because they are the ones you are most likely to face in real
life. This list is kept uptodate as new vulnerabilites are discovered, but
they are evaluated first before being listed.
   To properly evaluate risks of what you pass through your firewall, you
need to know three things.
1/ What risks you are willing to assume (a good security policy)
2/ What you have running behind the firewall (a complete up-to-date software
and hardware inventory).
3 What is hitting your firewall from the Internet
   A vulnerability list gives you the third, but the first is something the
few places have and the second is even rarer.
Without all three, your security is just hit and miss reaction.


----- Original Message -----
From: "Paul D. Robertson" <proberts () patriot net>
To: "Chuck Swiger" <chuck () codefab com>
Cc: "'firewall-wizards" <firewall-wizards () honor icsalabs com>
Sent: Sunday, March 09, 2003 10:22 PM
Subject: Re: [fw-wiz] An article from Peter Tippett/TruSecure...


: On Sun, 9 Mar 2003, Chuck Swiger wrote:
:
: > Date: Sun, 09 Mar 2003 13:49:08 -0500
: > From: Chuck Swiger <chuck () codefab com>
: > To: 'firewall-wizards <firewall-wizards () honor icsalabs com>
: > Subject: [fw-wiz] An article from Peter Tippett/TruSecure...
:
: [Disclaimer:  I work for TruSecure, Dr. Tippett is both our CTO and the
: person I report directly to.  Since you didn't comment on the article,
: I'll take a swipe at the tradtional dogma as we tend to see it...]
:
: >
: >
http://www.globe.com/dailyglobe2/068/business/A_patch_for_IT_security_strate
gy+.shtml
: >
: > A brief excerpt:
: >
: > "For years, the focus of most security efforts has been centered on
: > identifying and then fixing vulnerabilities in technology.  The
: > prevailing belief is that if a hole is found in the IT armor of an
: > organization, it should be fixed immediately before it can be exploited
: > by some cyber-deviant.  While this approach sounds logical and
: > effective, it is actually the beginning of a vicious cycle that occupies
: > vast amounts of time and wastes several millions of corporate,
: > government, and consumer dollars every year."
:
: The point that Peter's making is that chasing vulnerabilities just because
: they exist isn't efficient, nor really achievable.  There were ~2200-2400
: new vulnerabilites announced last year, and as near as I can tell,
: between 1 and 2% of those new vulnerabilities got exploited at real
companies.
:
: That means that if you spent time patching say an applicable 70% of those
: vulnerabilities, then 68% of that time was wasted.
:
: It's purely a risk funciton- and if you have good data on which small
: percentage of new vulnerabilities are going to be exploited and which ones
: have historically been exploited, then you can reduce your risk by
: about the same ammount by patching let's say 5% of those vulnerabilities
: instead of every one.
:
: That saves you 65% of the maintenance, fixes, "patch breaks things" and
all
: the associated change control stuff.  If you pay folks overtime, or
: give comp. time for staying late to patch, those can go down significantly
: too- *especially* if you have protections in place that limit damage from
a
: particular vector for long enough between vulnerability disclosure,
: exploit coding and a normal maintenance cycle.
:
: Proactive security beats reactive security every time.  Patch upon
: vulnerability release is reactive.  Things like firewalls and conservative
: machine configuration can reduce patching levels for attacks from likely
: vectors without negatively changing an organization's risk profile.
: Indeed, there's an argument that if people spend more time on the likely
: vulnerabilities, they'll be able to better-protect an organization than if
: they spend time patching every possible vulnerability.
:
: I've got excellent data for widespread worms like SQL/Slammer and NIMDA,
: and a good feel for the results of target of choice attacks.  That risks
: putting this too far into the "sounds like a commercial" mode though, so
: I'll just leave it at "smart risk-based patching beats blanket patching
: for effieciency with little measurable change in risk."
:
:
: Paul
: --------------------------------------------------------------------------
---
: Paul D. Robertson      "My statements in this message are personal
opinions
: proberts () patriot net      which may have no basis whatsoever in fact."
: probertson () trusecure com Director of Risk Assessment TruSecure Corporation
:
: _______________________________________________
: firewall-wizards mailing list
: firewall-wizards () honor icsalabs com
: http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: