Dailydave mailing list archives
Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes)
From: "Matt Richard" <matt.richard () gmail com>
Date: Wed, 15 Nov 2006 14:03:04 -0500
On 11/14/06, Siim Põder <windo () p6drad-teel net> wrote:
Yo! Daniel wrote:

David: your IIS 6.0 is vulnerable to an unpublished, unknown vulnerability
CSO: So what do we do David??
David: secure your network
CSO: How?
David: ????
CSO: Microsoft has no patch for this, they cannot help. I've paid you to do an assessment, what is the risk of the vulnerability versus the loss of business if I have to shut down our front-end trading system
<snip>
There is stuff you can (and should) do beyond patching known holes. You never know whether there are unknown vulnerabilities in some part of your system - so you could run your httpd in chroot, stripping its privileges to the minimum and monitoring what it does. Then you could isolate it on the network and firewall connections to and from it.
I think the real point here is that the majority of people responsible for security have a backwards mindset. Most security practitioners still don't make the assumption that everything is vulnerable and design around it. Of course IIS is vulnerable to an unpublished 0day. Maybe somebody already found it or maybe it'll happen next week. When you start with the assumption that every application and device has major holes that haven't been discovered or disclosed you create a totally different architecture than when you assume it's good until proven bad. In this case I somewhat agree with Dave - assume that your opponent is smarter, more persistent and more creative than you could ever be. What would you do differently? Would patching known vulnerabilities in thousands of end user desktops be your #1 priority or would you devote more time to creatively protecting your most valuable assets?

--
Matt Richard

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave