Dailydave mailing list archives

Re: CISSP quote of the week

From: Pusscat <pusscat () gmail com>
Date: Tue, 11 Apr 2006 08:11:29 -0400

I think by "real" he meant the majority of attacks which take place against
a specific target for a specific reason, as opposed to a "hit it cause it's
there and vulnerable" sort of aimless attack.

It's almost the distinction between random maliciousness, and a directed
strike aimed at achieving a specific goal. Very rarely do we see an attack
carried out to actually compromise a system for a specific reason making use
of a "known" exploit. The assumption you make when using a well-known
exploit is that the machine is not important enough to be watched in any
meaningful way, which is why it's still vulnerable in the first place.


On 4/10/06 2:01 PM, "Dave Korn" <dave.korn () artimi com> wrote:

On 10 April 2006 18:34, Dave Aitel wrote:

- From Focus-IDS, which has the highest CISSP density of any known
mailing list comes our CISSP QUOTE OF THE WEEK!
****
"Also, the majority of attacks in the wild are well-known and easily
detected and blocked. "
****

I'm going to go out on a limb here and say that the majority of real
attacks in the wild are probably 0days or difficult to detect or
block.



  Well, you're going to need to define "real" /very/ carefully for that to be
strictly true.  Five nines of all attacks are still automated netbios worms,
aren't they?  They're "real" attacks in the sense that they genuinely do
attack and genuinely do succeed in really owning lots of real boxen.  If it
had been me[*], I would have worded it more like

****
"Also, the majority of attacks in the wild are


... running over port 445 or 135-139 and hence trivial to detect and defeat. "


  Now, if you were talking about the majority of sigma(attack frequency *
attack seriousness), i.e. if you're talking about a weighted majority, I could
get that.  So, maybe you mean the majority of *successful* attacks in the
wild, or the majority of *newly-emerging* attacks in the wild, or
*non-trivial* attacks, or .... ?  Or am I just not seeing the angle you're
coming from?


    cheers,
      DaveK

[*] - but you wouldn't catch me hanging out somewhere with that many CISSPs,
I'm so low-density-CISSP that the reverse osmotic pressure would propel me
straight out of there at high speed just like a seed out of an electric
grape...


~ Puss

Current thread:

CISSP quote of the week Dave Aitel (Apr 10)
- Re: CISSP quote of the week Paul Wouters (Apr 10)
  - Re: CISSP quote of the week listlurker (Apr 11)
- RE: CISSP quote of the week Dave Korn (Apr 11)
  - Re: CISSP quote of the week Pusscat (Apr 11)
- <Possible follow-ups>
- RE: CISSP quote of the week Des (Apr 11)
- Re: CISSP quote of the week Robert (Apr 11)