Dailydave mailing list archives

RE: CISSP quote of the week


From: "Dave Korn" <dave.korn () artimi com>
Date: Mon, 10 Apr 2006 19:01:12 +0100

On 10 April 2006 18:34, Dave Aitel wrote:

From Focus-IDS, which has the highest CISSP density of any known
mailing list, comes our CISSP QUOTE OF THE WEEK!
****
"Also, the majority of attacks in the wild are well-known and easily
detected and blocked. "
****

I'm going to go out on a limb here and say that the majority of real
attacks in the wild are probably 0days or difficult to detect or
block. 


  Well, you're going to need to define "real" /very/ carefully for that to be
strictly true.  Five nines of all attacks are still automated netbios worms,
aren't they?  They're "real" attacks in the sense that they genuinely do
attack and genuinely do succeed in really owning lots of real boxen.  If it
had been me[*], I would have worded it more like

****
"Also, the majority of attacks in the wild are 

... running over port 445 or 135-139 and hence trivial to detect and defeat. "


  Now, if you were talking about the majority of sigma(attack frequency *
attack seriousness), i.e. if you're talking about a weighted majority, I could
get that.  So, maybe you mean the majority of *successful* attacks in the
wild, or the majority of *newly-emerging* attacks in the wild, or
*non-trivial* attacks, or .... ?  Or am I just not seeing the angle you're
coming from?


    cheers,
      DaveK

[*] - but you wouldn't catch me hanging out somewhere with that many CISSPs,
I'm so low-density-CISSP that the reverse osmotic pressure would propel me
straight out of there at high speed just like a seed out of an electric
grape...
-- 
Can't think of a witty .sigline today....

