Firewall Wizards mailing list archives
Re: An article from Peter Tippett/TruSecure...
From: Barney Wolff <barney () pit databus com>
Date: Mon, 10 Mar 2003 18:48:55 -0500
On Sun, Mar 09, 2003 at 10:22:01PM -0500, Paul D. Robertson wrote:
The point that Peter's making is that chasing vulnerabilities just because they exist isn't efficient, nor really achievable. There were ~2200-2400 new vulnerabilities announced last year, and as near as I can tell, between 1 and 2% of those new vulnerabilities got exploited at real companies. That means that if you spent time patching, say, an applicable 70% of those vulnerabilities, then 68% of that time was wasted. It's purely a risk function, and if you have good data on which small percentage of new vulnerabilities are going to be exploited and which ones have historically been exploited, then you can reduce your risk by about the same amount by patching, let's say, 5% of those vulnerabilities instead of every one. That saves you 65% of the maintenance, fixes, "patch breaks things" and all the associated change control stuff. If you pay folks overtime, or give comp. time for staying late to patch, those can go down significantly too, *especially* if you have protections in place that limit damage from a particular vector for long enough between vulnerability disclosure, exploit coding and a normal maintenance cycle.
This strategy might work against script kiddies, but is sure to fail against an attacker who knows you're using it! I also question the notion that keeping up requires patching 70% of 2200-2400 vulnerabilities. If you have a myriad of different systems or apps *exposed*, you've taken diversity beyond sanity.

--
Barney Wolff
http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- An article from Peter Tippett/TruSecure... Chuck Swiger (Mar 09)
- Re: An article from Peter Tippett/TruSecure... Paul D. Robertson (Mar 09)
- Re: An article from Peter Tippett/TruSecure... Bill Royds (Mar 10)
- Re: An article from Peter Tippett/TruSecure... Barney Wolff (Mar 10)
- Re: An article from Peter Tippett/TruSecure... Paul Robertson (Mar 10)
- Re: An article from Peter Tippett/TruSecure... yossarian (Mar 10)
- Re: An article from Peter Tippett/TruSecure... Paul D. Robertson (Mar 10)
- Re: An article from Peter Tippett/TruSecure... Mike Scher (Mar 11)
- Re: An article from Peter Tippett/TruSecure... Paul D. Robertson (Mar 09)