Full Disclosure mailing list archives

Re: When do exploits get used?


From: Jay Beale <jay () bastille-linux org>
Date: Mon, 22 Mar 2004 17:13:17 -0500

Luke Scharf wrote:

> On Mon, 2004-03-22 at 14:46, Paul Schmehl wrote:
>> To think otherwise is foolish, as I said. If one isn't paranoid, one probably doesn't belong in the security field. If you're sitting back thinking you're safe because you're patched and you patch quickly, then you're unalert and exposed.
>
> Patching, passwords, and basic-permissions *are*, however, the 10% of
> the work that gets 90% of the benefit.  All the stuff that we get
> excited about here is just icing on the cake.

I think you're going to quickly change your mind as soon as the first 0-day worm comes out. All the patching in the world doesn't save us if the attackers ever get a widely-used exploit against a non-public vulnerability. At that point, internal firewalling and system hardening, to say the least, take center stage. (Of course, you could add to these, or potentially replace these with, some particular host-based intrusion prevention/kernel modification solutions, but I'll leave that one alone for now.)

The day of the 0-day worm is coming, or at least the close-enough-to-0-day worm, that organizations that do patch often will still get badly compromised. This basically comes down to a question of windows of vulnerability. Your window of vulnerability to a given exploit comes down to the sum of three time windows:

1) The time that an exploit exists before the vendor has learned of the vuln and begun preparing the patch. (0 days to N years)
2) The time that the vendor spends researching, preparing and testing a patch. (1 day to 9 months, probably about 2 days or more.)
3) The time in which a patch is available and you haven't yet deployed it.


First, remember that you have no control over time window 1 and little over time window 2. Time window 3 for the most attentive organizations seems to be around 1 day on non-critical systems and 3 days on critical systems. The averages are probably around 1 month for both types of systems.

If you're in this best set of organizations, potentially spending major manpower on vetting and installing patches, you've still got a decent window of vulnerability. It's at least an hour/day (from #3) along with a few days or more from #1 and #2.

Patching isn't really 90%. It seems like that because organizations still aren't keeping up with patches and thus don't know what would have happened if they had. It seems like that because we're not getting caught in the first two parts of our windows of vulnerability that often just yet. If a worm comes out in time window 1 or 2, your 1-hour patch turnaround won't save you.

You may find this discussion academic. But the exploit writers and the worm writers are getting faster. And that's what should scare us into moving beyond patches. That's what should get us moving to better network and host configurations. That's what should get us to evaluate patching as, at most, the easy, but most critical, 50%.

Of course, I could be wrong.

- Jay

> -Luke
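The three-window sum from Jay's post, worked through as an added example (not code from the original thread); the timeline dates and worm release dates are constructed, and the class and function names are my own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class VulnTimeline:
    """Key moments in the life of one vulnerability (constructed sample data)."""
    exploit_exists: datetime    # start of window 1: a working exploit exists
    vendor_notified: datetime   # end of window 1, start of window 2
    patch_released: datetime    # end of window 2, start of window 3
    patch_deployed: datetime    # end of window 3: your systems are fixed

    def windows(self) -> dict:
        """Length of each of the three windows the post describes."""
        return {
            1: self.vendor_notified - self.exploit_exists,
            2: self.patch_released - self.vendor_notified,
            3: self.patch_deployed - self.patch_released,
        }

    def total_window(self) -> timedelta:
        """Your total window of vulnerability: the sum of the three."""
        return sum(self.windows().values(), timedelta())


def window_hit(tl: VulnTimeline, worm_release: datetime) -> int:
    """Which window a worm lands in (1, 2 or 3), or 0 if you were already patched."""
    if worm_release < tl.exploit_exists:
        raise ValueError("a worm is an exploit; it cannot predate the exploit")
    if worm_release >= tl.patch_deployed:
        return 0
    if worm_release >= tl.patch_released:
        return 3
    return 2 if worm_release >= tl.vendor_notified else 1


def faster_patching_helps(tl: VulnTimeline, worm_release: datetime) -> bool:
    """Only a window-3 hit is closed by deploying faster; windows 1 and 2 are not yours to shorten."""
    return window_hit(tl, worm_release) == 3


# Constructed best case from the post: one day of deployment turnaround (window 3).
SAMPLE = VulnTimeline(datetime(2004, 1, 1), datetime(2004, 2, 1),
                      datetime(2004, 2, 15), datetime(2004, 2, 16))


def demo() -> dict:
    """Classify four constructed worm release dates against SAMPLE."""
    hits = {"jan20": datetime(2004, 1, 20), "feb10": datetime(2004, 2, 10),
            "feb15_noon": datetime(2004, 2, 15, 12), "mar1": datetime(2004, 3, 1)}
    return {name: window_hit(SAMPLE, when) for name, when in hits.items()}
```

Even with the one-day turnaround, SAMPLE leaves 46 days of exposure, 45 of them outside the organisation's control.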


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html