Dailydave mailing list archives

Re: New presentation is up: 0days: How hacking really works


From: robert () dyadsecurity com
Date: Sat, 19 Mar 2005 14:34:20 -0800

Kevin Ponds (kponds () gmail com) @ Tue, Feb 01, 2005 at 08:44:38AM -0600:
> Assume the not-so-distant future (or present) is ruled by 0day, which
> I totally agree with you on.  What is the value-added from
> pen-testing/auditing?

Has always been, and should continue to be a technical validation of the
environment.

> Pretend I'm a large enterprise, and there are 45 0days that affect my
> network that are known by different hackers around the globe.  I shell
> out a fair load of cash for a pen-test from some security consultancy,
> who promptly own my network with their three 0days that they've home
> grown.  What have I gained from this?

Not much.  "Getting In" is the easy part.  When we analyze postures we
worry more about containment than patch management.  To that end I like
technologies that can leverage MAC/DTE/RBAC for OS level containment.  I
also like the dev teams to develop with the intent of getting CC
evaluation.  This provides for applications where the objectives are
well known.  It also helps to know what level of assurance the
developers are trying to deliver with the application.

> -No one could know about the vulnerabilities except the guys I just hired.

We have a handful of 0day.  For publicly available applications, I
assume that every issue we know about is also known by others.

> -If they do, there are tons more vulnerabilities out there that the
> guys that I hired have never heard of.

Definitely.  You should always operate under the assumption that every
application you are running has a working 0day exploit.  Now your mind
can focus on the containment of the impact from compromise.

> Do you see a future where pen-tests are limited to automated systems
> scanning for non 0day (just to make sure), and in-house sweeps with
> known 0day (such as using CANVAS, which is inarguably less expensive
> than hiring a pen-test team)?

I see a future where applications will continue to have bugs.  I also
see a future when OS distributors will provide for technology that can
contain or eliminate certain fundamental security flaws that plague COTS
and FOSS OS's.

> I personally see the money that's being thrown into pen-tests going
> into secure platforms, such as stack protectors, HIDS, better IDS
> technology, etc.  "We know we're vulnerable to 0day so we're going to
> make our platforms (as) invulnerable (as possible)" line of thought.

Those technologies (IPS/Anti-virus/HIPS/etc) are the technical equivalent
to painting the mold and water stains on your ceiling after a big rain.
They may lessen some of the symptoms, but they do not solve the problem.

> Obviously I still think that auditing / testing is needed to some
> extent, but I don't really see the point in spending $200k for someone
> to rape my network with a bug that I'll never see again.

Interesting choice of words.  When we meet with new customers who ask us
for a "Penetration Test" we will often take a couple minutes to find out
what they really mean.  "Do you want us to find as many problems as we
can and work with you throughout the engagement, or do you want us to
kick you in the nuts?".  We have yet to find a customer that really
wanted us to just kick them in the nuts.  I think that style of testing
is going to go away soon.

Robert

-- 
Robert E. Lee
CEO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert () dyadsecurity com
M - (949) 394-2033
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave