Dailydave mailing list archives

Re: "The organization I belong to doesn't have initials" (that evil dude in Heroes)


From: "Paul Melson" <pmelson () gmail com>
Date: Mon, 13 Nov 2006 13:45:52 -0500

The solution, of course, is to focus only on the high end risk, rather
than assuming you have to climb up the risk chain from the bottom. IMHO,
of course. I don't work for the USG and haven't for a long time. But if
you're focusing on patch and configuration compliance and your most
likely opponents don't care then you gotta assume something's broken.
Invest the majority of your cash in vulnerability research and hacking
and leave the compliance management for later. Sometimes the best
defense is a good offense, and with hacking that's nearly always true.

Dave, I think you're mistaking "high end" risk for high risk.  It's a silly
suggestion that companies shouldn't acquire patch management capabilities,
but instead focus on finding vulnerabilities in the products they rely on so
they can... what?  Know just how screwed they are?

Historically speaking, the "killer" bugs of the late 90s and early 2K's were
patched by vendors before the worms hit.  This may never happen again since
Microsoft has made patch management easier for their customers, but the only
reason it wouldn't happen again is because Microsoft made patch management
easier for their customers.

I hope you're not actually telling clients (especially ones that spend US
tax dollars) that they should walk away from WSUS to spend time fuzzing
every COTS app they've got looking for 0days.

PaulM

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
