Full Disclosure mailing list archives
Re: Absolute Sownage (A concise history of recent Sony hacks)
From: Valdis.Kletnieks () vt edu
Date: Wed, 15 Jun 2011 12:16:43 -0400
On Tue, 14 Jun 2011 19:42:37 PDT, coderman said:
consider it this way: when programming the "weird machine" to do your bidding some vectors to vuln are context-agnostic and readily repeatable. (the 95%) the other 5% are present in the specific configuration or context of system under attack and thus require actual technical ability and insight to traverse the vuln vectors. (or exploit chain, or attack tree, or whatever you want to call it.) cover the 95% and you won't be an HBGary, Sony, LulzSec target. however, don't interpret this as evidence you can't get hacked six ways to sunday by someone with the skillz.
And there's the flip side of it - there's some 140+ million .com's out there. For the vast majority of them, covering the 95% is in fact sufficient, because they are *so* small that it's probably safe to bet that everybody with actual skillz is too busy hitting more valuable targets to bother whacking them. After all, how many black hats with skillz will spend 3-4 days figuring out how to whack Billy Bob's Bait, Tackle and Cell Phones and make maybe a few hundred dollars, when they can go whack something in the 95% range in a short afternoon and make 10 times as much? Yes, you're still technically vulnerable, but at some point you really need to give up the paranoia and get on with your actual business. Security is all about tradeoffs - it may make more sense to say "We got 10K customers, *if* we get whacked we just apologize, spend $25K on credit card monitoring services for them, and get on with our business". If you figure on a 10% chance of getting whacked, that's an average expected expense of only $2,500 a year. How fast can you burn through $2500 trying to secure that last 5%?
Attachment:
_bin
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Absolute Sownage (A concise history of recent Sony hacks), (continued)
- Re: Absolute Sownage (A concise history of recent Sony hacks) Nick FitzGerald (Jun 10)
- Re: Absolute Sownage (A concise history of recent Sony hacks) mrx (Jun 10)
- Re: Absolute Sownage (A concise history of recent Sony hacks) Valdis . Kletnieks (Jun 10)
- Re: Absolute Sownage (A concise history of recent Sony hacks) Georgi Guninski (Jun 10)
- Re: Absolute Sownage (A concise history of recent Sony hacks) Nick FitzGerald (Jun 11)
- Re: Absolute Sownage (A concise history of recent Sony hacks) Bruce Ediger (Jun 12)
- Re: Absolute Sownage (A concise history of recent Sony hacks) Thor (Hammer of God) (Jun 12)
- Re: Absolute Sownage (A concise history of recent Sony hacks) Georgi Guninski (Jun 12)
- Re: Absolute Sownage (A concise history of recent Sony hacks) Nick FitzGerald (Jun 10)
- Re: Absolute Sownage (A concise history of recent Sony hacks) Sihan (Jun 11)
- Re: Absolute Sownage (A concise history of recent Sony hacks) coderman (Jun 14)
- Re: Absolute Sownage (A concise history of recent Sony hacks) Valdis . Kletnieks (Jun 16)
- Re: Absolute Sownage (A concise history of recent Sony hacks) coderman (Jun 16)
- Re: Absolute Sownage (A concise history of recent Sony hacks) mrx (Jun 16)