Dailydave mailing list archives

Re: Faster, smashter.


From: rauc <michael () mastergeek com>
Date: Tue, 09 Dec 2008 09:44:40 +1300

"Mr. Markoff is trying to tell us that the defenders are losing the
battle. But if they are, it's because they *chose* to. Hackers use 0day
and always have. The defenders are off making millions selling things
that don't work against 0day."

Whilst attackers do certainly use 0day, they also use the easiest
mechanism they can to gain access or steal information. For example, why
waste your valuable 0day when your target has an un-patched system, or
their Citrix server has an admin password that is easily guessed?

0days are extremely important, but not at the expense of covering the
known vulnerabilities. A sound patching practice may not help with the
0days, but it will certainly help with the easier stuff that has already
been put into a tool for any monkey to use.

0days are a huge unknown in the enterprise. Even many of the largest of
companies do not have the intellectual resources to address them, nor is
it likely that they will ever get approval to increase headcount for
something that is so intangible to management. (Governments being
excepted. If they can afford huge bail-outs, they can afford this.) This
being the case, a non-government enterprise should consider the
following to help protect from a 0day:

1) Ensure people in the security team are passionate about security, and
do research in their own time, and stay active in the community. If they
do not have a passion for it, they will never really help the company. I
don't need a <insert certification here> who will come to work at 9am
and leave at 5pm, and not try to learn more on his own time.

2) Build your applications, networks, and systems with the realisation
that they will be compromised. Try to contain the breach that could
happen.

3) Partner with organisations that are doing the research. Only hire the
best for a penetration test or code review.

4) Buy 0days

5) Baseline system and network behaviour. Analyse any abnormal
behaviour. (Easier said than done. You may never see anything.)

6) Profit
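Point 5 above (baseline behaviour, then look for deviations) is the one item on the list that reduces to a concrete mechanism, so here is an added illustration of it. This is example code written for this archive page, not code from the post's author or from the Dailydave list. The flow-log format, the host names and the traffic figures are all constructed; a real deployment would read NetFlow, proxy or EDR telemetry and learn the baseline over days, not eight lines.

```python
"""Baseline-then-detect for outbound host behaviour.

Phase 1 learns, per source host, the set of destinations it normally talks to
and the mean / standard deviation of its transfer sizes.  Phase 2 replays a
later window against that baseline and reports two kinds of deviation:
a destination never seen before, and a transfer far above the usual size.

Log format (constructed for this example):
    <timestamp> <src_host> <dst_ip>:<dst_port> <bytes>
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "known good" training window.
BASELINE_LOGS = """\
2008-12-08T09:00 ws01 10.0.0.5:445 1200
2008-12-08T09:01 ws01 10.0.0.9:80 5400
2008-12-08T09:02 ws01 10.0.0.5:445 800
2008-12-08T09:03 ws02 10.0.0.9:80 4100
2008-12-08T09:04 ws02 10.0.0.5:445 900
2008-12-08T09:05 ws01 10.0.0.9:80 6100
2008-12-08T09:06 ws02 10.0.0.9:80 3900
2008-12-08T09:07 ws01 10.0.0.5:445 1000
"""

# Constructed window to analyse: one new external destination for ws01 and
# one abnormally large transfer from ws02 are planted among normal traffic.
NEW_LOGS = """\
2008-12-09T09:00 ws01 10.0.0.5:445 1100
2008-12-09T09:01 ws01 10.0.0.9:80 5000
2008-12-09T09:02 ws01 203.0.113.7:443 200
2008-12-09T09:03 ws02 10.0.0.9:80 4000
2008-12-09T09:04 ws02 10.0.0.9:80 950000
"""


def parse(lines):
    """Yield (host, destination, bytes) from the constructed log format."""
    for line in lines.splitlines():
        if not line.strip():
            continue
        _ts, host, dst, nbytes = line.split()
        yield host, dst, int(nbytes)


def build_baseline(lines):
    """Learn, per host, the destination set and transfer-size statistics."""
    dests = defaultdict(set)
    sizes = defaultdict(list)
    for host, dst, nbytes in parse(lines):
        dests[host].add(dst)
        sizes[host].append(nbytes)
    # pstdev (population std dev) is used because the window is all we have.
    stats = {h: (mean(v), pstdev(v)) for h, v in sizes.items()}
    return {"dests": dict(dests), "stats": stats}


def detect(baseline, lines, k=3.0):
    """Return (host, destination, reason) for every flow that deviates.

    k is the number of standard deviations above the host's mean transfer
    size that counts as an outlier; 3.0 is a conventional starting point.
    """
    findings = []
    for host, dst, nbytes in parse(lines):
        if host not in baseline["dests"]:
            # A host with no baseline at all is itself worth a look.
            findings.append((host, dst, "unknown_host"))
            continue
        if dst not in baseline["dests"][host]:
            findings.append((host, dst, "new_destination"))
        mu, sigma = baseline["stats"][host]
        # If a host's traffic was perfectly constant, sigma is 0 and any
        # increase is flagged; widen the training window in that case.
        if nbytes > mu + k * sigma:
            findings.append((host, dst, "volume_outlier"))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOGS)
    for host, dst, reason in detect(baseline, NEW_LOGS):
        print(f"{reason:16s} {host} -> {dst}")
```

Two things the post's parenthetical caveat ("you may never see anything") maps onto directly: a 0day whose follow-on traffic reuses a destination and volume the host already exhibits produces no finding at all, and a baseline learned while the host was already compromised simply teaches the detector that the attacker's traffic is normal. Both are reasons to pair this with the containment design in point 2 rather than rely on it alone.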



_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave