Dailydave mailing list archives

Re: The Threshold of Hackiness


From: Ben Nagy <ben () iagu net>
Date: Thu, 3 Jan 2013 13:47:50 +0545

On Thu, Jan 3, 2013 at 2:27 AM, Paul Johnston
<paul.johnston () pentest co uk> wrote:

> 1) Script kiddie - Uses public tools and exploits, but does not
> understand them, and cannot fix problems
> 2) Proficient hacker - Uses public tools and exploits, with full
> understanding; can tweak tools for unusual scenarios
> 3) Advanced persistent threat - Has a collection of zero day exploits,
> and is able to develop new exploits
>
> Now this gets interesting from a defensive point of view. You can stop 1
> and 2 using standard security best practices. But the standard defences
> break down when faced by an attacker with zero day exploits.

Usually I just let this kind of stuff blow past me on DD, but since I
am ranting on twitter now I may as well lower my standards.

There should be no difference at all in 'best practices' regarding
attackers armed with 'public' versus 0day exploits. None.

You can't even become aware of all the "public" exploits, let alone
patch fast enough to hope to eliminate all of those vulnerabilities.
Worse - we're not even considering unique systemic vulnerabilities
that you have introduced yourself (SQLi, logic / process flaws etc)
which don't appear in any exploit database. Even worse - users that
are stupid enough to run any fricking thing someone emails them. This
is why pretty much the only pentests that ever fail are ones where all
the amusing stuff has been scoped out; and that's even after you tell
your pentesters they can't use 0day because it's "cheating".

If your design is not predicated around the fact that you will be
(probably already are) owned at some point then it simply cannot be
considered best practice. Work out how to identify compromise, how to
recover from it and how to mitigate the damage that an individual
compromise can cause.

Or just lose, I'm fine either way.

Cheers,

ben
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave