Dailydave mailing list archives
Soap and showers
From: Dave Aitel <dave () immunityinc com>
Date: Fri, 26 Sep 2014 13:39:09 -0400
So most of the bash bug solutions I've seen/talked to people about look at "Vulnerability Management" as just that: essentially an extension to your patching program. But in this case, nearly every machine is vulnerable. However, almost NO machines pose a real risk. Everyone has soap in their shower, and yet so few people slip to their death in the morning!

This weird dichotomy between things that are vulnerable, and things that are at risk, is a real problem with the bash bug, and right now it's being solved with consulting hours for most people. How do you go to the SEC and say "90% of our infrastructure is vulnerable"? Answer: You don't. Your Vulnerability Management tool is worthless right now.

An authenticated or credentialed scan with a Vulnerability Management tool has always had this issue. Nobody knows whether they are in fact at risk for any issue found with that scan! Perhaps your AV protects you? Perhaps that port is blacklisted with the HIDS and nobody can touch it. But the bash bug really highlights this in a way that drives it home to executives, we've found.

Basically, with external anonymous scanning you have a high false positive rate. That's bad. But with credentialed scanning, you have no false positives, but also a very low confidence that the results are meaningful. This is even worse, in some cases. ("Oh, you wanted vulnerabilities that MATTERED? That's Risk Management, and it's extra!")

Such a strange thing.

-dave