Full Disclosure mailing list archives

Re: When do exploits get used?


From: Dave Aitel <dave () immunitysec com>
Date: Mon, 22 Mar 2004 18:30:19 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jay Beale wrote:

| Luke Scharf wrote:
|
|> On Mon, 2004-03-22 at 14:46, Paul Schmehl wrote:
|>
|>
|>> To think otherwise is foolish, as I said.  If one isn't
|>> paranoid, one probably doesn't belong in the security field.
|>> If you're sitting back thinking you're safe because you're
|>> patched and you patch quickly, then you're unalert and exposed.
|>>
|>>
|>
|>
|> Patching, passwords, and basic-permissions *are*, however, the
|> 10% of the work that gets 90% of the benefit.  All the stuff that
|> we get excited about here is just icing on the cake.
|>
|>
| I think you're going to quickly change your mind as soon as the
| first 0-day worm comes out.  All the patching in the world doesn't
| save us if the attackers ever get a widely-used exploit against a
| non-public vulnerability.  At that point, internal firewalling and
| system hardening, to say the least, take center stage.  (Of course,
|  you could add to these, or potentially replace these with, some
| particular host-based intrusion prevention/kernel modification
| solutions, but I'll leave that one alone for now.)
|
| The day of the 0-day worm is coming, or at least the
| close-enough-to-0-day worm, that organizations that do patch often
| will still get badly compromised.  This basically comes down to a
| question of windows of vulnerability.  Your window of vulnerability
|  to a given exploit comes down to the sum of three time windows:


Why the focus on worms again? Worms are what happen when good exploits
are wasted. No one who has an exploit wants a worm to come out. This
is why a real 0day worm is probably not coming out any time soon, imo.


| Patching isn't really 90%.  It seems like that because
| organizations still aren't keeping up with patches and thus don't
| know what would have happened if they had.  It seems like that
| because we're not getting caught in the first two parts of our
| windows of vulnerability that often just yet.  If a worm comes out
| in time window 1 or 2, your 1-hour patch turnaround won't save you.
|
It always boggles me that people will patch production systems for
remote SYSTEM vulnerabilities.

- -dave


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAX3cKzOrqAtg8JS8RAsAEAKC/mo8O2+pOvqrRy2oSdPqmMVmjoACglrMM
g1N5vh1Pi+Gm3ItLYEM0xAU=
=rI8X
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

