Dailydave mailing list archives

Re: New presentation is up: 0days: How hacking really works

From: Kevin Ponds <kponds () gmail com>
Date: Tue, 1 Feb 2005 08:44:38 -0600

Excellent presentation.

One thing that I've been turning over in my mind, and hopefully should
bring up a decent discussion is this:

Assume the not-so-distant future (or present) is ruled by 0day, which
I totally agree with you on.  What is the value-added from
pen-testing/auditing?

Pretend I'm a large enterprise, and there are 45 0days that effect my
network that are known by different hackers around the globe.  I shell
out a fair load of cash for a pen-test from some security consultancy,
who promptly own my network with their three 0days that they've home
grown.  What have I gained from this?

-No one could know about the vulnerabilities except the guys I just hired.
-If they do, there are tons more vulnerabilities out there that the
guys that I hired have never heard of.
-If I get attacked with 0day, what are the chances that it will have
been one of the 0days that I tested with?  In our simulation, 3/45 at
best (best meaning that all of the tested vulnerabilities are known by
the underground).

Do you see a future where pen-tests are limited to automated systems
scanning for non 0day (just to make sure), and in-house sweeps with
known 0day (such as using CANVAS, which is inarguably less expensive
than hiring a pen-test team)?

I personally see the money that's being thrown into pen-tests going
into secure platforms, such as stack protectors, HIDS, better IDS
technology, etc.  "We know we're vulnerable to 0day so we're going to
make our platforms (as) invulnerable (as possible)" line of thought.

Obviously I still think that auditing / testing is needed to some
extent, but I don't really see the point in spending $200k for someone
to rape my network with a bug that I'll never see again.


On Thu, 30 Dec 2004 13:55:38 -0500, Dave Aitel <dave () immunitysec com> wrote:

http://www.immunitysec.com/resources-papers.shtml

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave

Current thread:

New presentation is up: 0days: How hacking really works Dave Aitel (Jan 29)
- Re: New presentation is up: 0days: How hacking really works Kevin Ponds (Feb 01)
  - Re: New presentation is up: 0days: How hacking really works Tom Parker (Feb 01)
    - Re: New presentation is up: 0days: How hacking really works pete (Feb 01)
  - Re: New presentation is up: 0days: How hacking reallyworks halvar (Feb 01)
  - Re: New presentation is up: 0days: How hacking really works robert (Mar 19)