Re: Exploits matter.

[vincent hinderer <vhinderer () lexsi com>]

> >
>
> While I understand the challenge of verifying the existence and nature of
> commercial exploitation tools, down playing exploits by databases like OSVDB
> is damaging to the industry and is creating a false sense of security amongst
> organizations - especially those who charge their security programs to vanilla
> CISSP's. Case in point - large company runs an automated scanner over their
> network on a monthly basis, which regularly finds flaws. They prioritize
> remediation of findings based on CVSS scores, which have been calculated in
> part through utilizing data from OSVDB. Days, months, weeks later the
> organization is attacked/audited by a group who paid/stole/borrowed a copy of
> Canvas/Core/et al. Organization gets owned.
>
> I agree. Working these days on patching a 2003 (!) flaw...
>
> The past two VzB data breach reports have demonstrated a trend, that a large
> number of compromises (around 70% if memory serves), resulted from
> exploitation of vulnerabilities that at time of compromise had been patched by
> the vendor for a year or more. I'm not sure how you would go about obtaining
> this kind of data (or indeed how VzB gets their data), but it would be an
> interesting metric to see how many of those known/vendor-patched issues had
> been neglected/de-prioritized due to misconceptions about their level of
> exploitability.
In Verizon report :
patch availability at time of attack
-between 0,5 to 1 year = 1
-for more than 1 year =  5 (83%)
Total of attacks = 6

A relatively small set to draw conclusions though...

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave