Dailydave mailing list archives
Re: Exploits matter.
From: vincent hinderer <vhinderer () lexsi com>
Date: Thu, 08 Oct 2009 22:30:58 +0200
> While I understand the challenge of verifying the existence and nature of commercial exploitation tools, downplaying exploits by databases like OSVDB is damaging to the industry and is creating a false sense of security amongst organizations - especially those who charge their security programs to vanilla CISSPs. Case in point - a large company runs an automated scanner over their network on a monthly basis, which regularly finds flaws. They prioritize remediation of findings based on CVSS scores, which have been calculated in part through utilizing data from OSVDB. Days, months, weeks later the organization is attacked/audited by a group who paid/stole/borrowed a copy of Canvas/Core/et al. Organization gets owned.

I agree. Working these days on patching a 2003 (!) flaw...

> The past two VzB data breach reports have demonstrated a trend: a large number of compromises (around 70% if memory serves) resulted from exploitation of vulnerabilities that at the time of compromise had been patched by the vendor for a year or more. I'm not sure how you would go about obtaining this kind of data (or indeed how VzB gets their data), but it would be an interesting metric to see how many of those known/vendor-patched issues had been neglected/de-prioritized due to misconceptions about their level of exploitability.

In the Verizon report, patch availability at time of attack:
- between 0,5 and 1 year = 1
- more than 1 year = 5 (83%)
Total of attacks = 6

A relatively small set to draw conclusions from, though...
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
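As an added example (not part of this message or the thread), the following Python ranks scanner findings two ways: by CVSS base score alone, as the quoted "large company" does, and with exploit availability and vendor-patch age folded in, which is the data the thread argues gets downplayed. It also buckets findings by patch age the way the Verizon figures above are broken down. All findings, identifiers, dates and weights are constructed for illustration; the weights are assumptions to be tuned, not a published scheme.

```python
"""Remediation ranking that does not ignore exploit availability or patch age.

Added example: every finding, vuln_id, date and weight here is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str                    # constructed label, not a real advisory id
    cvss_base: float                # base score as a scanner would report it
    exploit_available: bool         # a working public/commercial exploit is known
    patch_released: Optional[date]  # None when the vendor has shipped no fix


# Assumed weights (not from the page); adjust to the environment.
EXPLOIT_BONUS = 3.0
AGE_BONUS_OVER_ONE_YEAR = 2.0
AGE_BONUS_OVER_SIX_MONTHS = 1.0


def patch_age_days(f: Finding, today: date) -> Optional[int]:
    """Days the vendor fix has been available, or None if there is none."""
    if f.patch_released is None:
        return None
    return (today - f.patch_released).days


def patch_age_bucket(age_days: Optional[int]) -> str:
    """Buckets mirroring the 'patch availability at time of attack' breakdown."""
    if age_days is None:
        return "no patch"
    if age_days > 365:
        return ">1 year"
    if age_days > 182:
        return "6-12 months"
    return "<6 months"


def priority(f: Finding, today: date, use_exploit_data: bool = True) -> float:
    """CVSS base score, optionally raised for known exploits and stale patches."""
    score = f.cvss_base
    if not use_exploit_data:
        return score
    if f.exploit_available:
        score += EXPLOIT_BONUS
    bucket = patch_age_bucket(patch_age_days(f, today))
    if bucket == ">1 year":
        score += AGE_BONUS_OVER_ONE_YEAR
    elif bucket == "6-12 months":
        score += AGE_BONUS_OVER_SIX_MONTHS
    return score


def rank(findings: List[Finding], today: date, use_exploit_data: bool = True) -> List[str]:
    """Vuln ids in remediation order, highest priority first."""
    ordered = sorted(findings, key=lambda f: priority(f, today, use_exploit_data), reverse=True)
    return [f.vuln_id for f in ordered]


def patch_age_distribution(findings: List[Finding], today: date) -> Dict[str, int]:
    """Count findings per patch-age bucket, like the Verizon table above."""
    counts: Dict[str, int] = {}
    for f in findings:
        bucket = patch_age_bucket(patch_age_days(f, today))
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


# Constructed sample: the message date as 'today' and four invented findings.
TODAY = date(2009, 10, 8)
SAMPLE = [
    Finding("web01", "VULN-A", 9.3, False, date(2009, 9, 1)),   # fresh patch, no exploit
    Finding("file02", "VULN-B", 7.5, True, date(2003, 7, 16)),  # six-year-old fix, exploit known
    Finding("db03", "VULN-C", 5.0, True, date(2009, 3, 1)),     # mid-age fix, exploit known
    Finding("app04", "VULN-D", 6.5, False, None),               # no vendor fix yet
]

if __name__ == "__main__":
    print("CVSS only:        ", rank(SAMPLE, TODAY, use_exploit_data=False))
    print("with exploit data:", rank(SAMPLE, TODAY))
    print("patch age buckets:", patch_age_distribution(SAMPLE, TODAY))
```

With CVSS alone the 2003-era VULN-B sits second behind a fresh, unexploited 9.3; once exploit availability and patch age count, it moves to the top and the exploited 5.0 overtakes the unpatchable 6.5, which is the reordering the thread is asking for.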