Re: CISSP quote of the week

[Robert <immunity () dyadsecurity com>]

On Mon, 10 Apr 2006 19:01:12 +0100
"Dave Korn" <dave.korn () artimi com> wrote:
>   Now, if you were talking about the majority of sigma(attack frequency *
> attack seriousness), i.e. if you're talking about a weighted majority, I could
> get that.  So, maybe you mean the majority of *successful* attacks in the
> wild, or the majority of *newly-emerging* attacks in the wild, or
> *non-trivial* attacks, or .... ?  Or am I just not seeing the angle you're
> coming from?

Can't speak for Dave, but I believe he was saying it's really hard to quantify something that can't be measured.  If 
you don't know what the attack looks like, you can't measure how often that attack happens.  The vocal folks in the US 
security industy seem to talk mostly about well known vulnerabilities that are used in large scale automated attacks.  
This is why anti-virus/ids/ips/fw products sell well.  We have very few people talking about solutions for targeted 
attacks.

I've had a conversation on another forum:
http://spiresecurity.typepad.com/spire_security_viewpoint/2006/03/somebody_forgot.html
http://spiresecurity.typepad.com/spire_security_viewpoint/2006/03/why_bugfinding_.html
http://spiresecurity.typepad.com/spire_security_viewpoint/2006/03/more_on_bugfind.html

Oh, also of note... the "guy" ("guy" term found in story at 
http://blog.washingtonpost.com/securityfix/2006/04/multios_virus_emerges.html) is Anthony de Almeida Lopes of Dyad 
Security .  You can read more about what he's really talking about here: http://www.recon.cx/en/s/alopez.html

Robert

-- 
Robert E. Lee
CIO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert () dyadsecurity com
M - (949) 394-2033