Dailydave mailing list archives
Re: New presentation is up: 0days: How hacking really works
From: robert () dyadsecurity com
Date: Sat, 19 Mar 2005 14:34:20 -0800
Kevin Ponds (kponds () gmail com) @ Tue, Feb 01, 2005 at 08:44:38AM -0600:
> Assume the not-so-distant future (or present) is ruled by 0day, which I totally agree with you on. What is the value-added from pen-testing/auditing?
Has always been, and should continue to be a technical validation of the environment.
> Pretend I'm a large enterprise, and there are 45 0days that affect my network that are known by different hackers around the globe. I shell out a fair load of cash for a pen-test from some security consultancy, who promptly own my network with their three 0days that they've home grown. What have I gained from this?
Not much. "Getting In" is the easy part. When we analyze postures we worry more about containment than patch management. To that end I like technologies that can leverage MAC/DTE/RBAC for OS level containment. I also like the dev teams to develop with the intent of getting CC evaluation. This provides for applications where the objectives are well known. It also helps to know what level of assurance the developers are trying to deliver with the application.
> -No one could know about the vulnerabilities except the guys I just hired.
We have a handful of 0day. For publicly available applications, I assume that every issue we know about is also known by others.
> -If they do, there are tons more vulnerabilities out there that the guys that I hired have never heard of.
Definitely. You should always operate under the assumption that every application you are running has a working 0day exploit. Now your mind can focus on the containment of the impact from compromise.
> Do you see a future where pen-tests are limited to automated systems scanning for non-0day (just to make sure), and in-house sweeps with known 0day (such as using CANVAS, which is inarguably less expensive than hiring a pen-test team)?
I see a future where applications will continue to have bugs. I also see a future where OS distributors will provide technology that can contain or eliminate certain fundamental security flaws that plague COTS and FOSS OSes.
> I personally see the money that's being thrown into pen-tests going into secure platforms, such as stack protectors, HIDS, better IDS technology, etc. "We know we're vulnerable to 0day so we're going to make our platforms (as) invulnerable (as possible)" line of thought.
Those technologies (IPS/Anti-virus/HIPS/etc) are the technical equivalent to painting the mold and water stains on your ceiling after a big rain. They may lessen some of the symptoms, but they do not solve the problem.
> Obviously I still think that auditing / testing is needed to some extent, but I don't really see the point in spending $200k for someone to rape my network with a bug that I'll never see again.
Interesting choice of words. When we meet with new customers who ask us for a "Penetration Test" we will often take a couple minutes to find out what they really mean. "Do you want us to find as many problems as we can and work with you throughout the engagement, or do you want us to kick you in the nuts?" We have yet to find a customer that really wanted us to just kick them in the nuts. I think that style of testing is going to go away soon.

Robert

--
Robert E. Lee
CEO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert () dyadsecurity com
M - (949) 394-2033