Firewall Wizards mailing list archives

Re: concerning ~el8 / project mayhem


From: Paul Robertson <proberts () patriot net>
Date: Mon, 19 Aug 2002 14:49:45 -0400 (EDT)

On Mon, 19 Aug 2002, Dave Piscitello wrote:

> I don't get this.

I'll try to explain more...


> If I showed my client that they'd been victim to 25 vulnerabilities, and 
> the cumulative cost of the exploits was $6.4M, I'd get his attention fast.

Victim to isn't even in the picture- what I'm saying is that there's a 
trend in the industry and in business to run up the big numbers to show 
how savvy/good/thorough people/products are.  There's an expectation that, 
for instance a scanner or IDS that detects 1000 attacks is better than one 
which detects 10- even though the presence of those ten may indeed 
indicate the existence of all 1000 (and the fix is the same in almost 
every case.)  

You can, for instance report "Multiple NIMDA attacks," "32 NIMDA attacks," 
or something like "640 Web server attacks."  Does blocking a single Nimda 
event count as blocking one class of attack, one attack, or ~20 
individual attacks?  

> I think the point you might make is that it's comforting for a client who 
> has no security clue to see a large report showing all the many problems 
> his company had *before* you audited its network, and then showing that 
> same client a very much smaller list showing the results of your tireless 
> effort to eliminate the vulnerabilities through patching and re-configuration.

That's part of it, but the other point is that very many of the 
vulnerabilities discovered each year aren't actively exploited, and 
there's a driver for "find and fix billed by the hour" folks to say patch 
1000 *vulnerabilities* instead of upgrading one *product*.  Anyone can 
upgrade say IIS- so companies who spend money with security consultants 
don't necessarily want to see them fixing things their staffs should so 
obviously do rather than something that's not a normal part of their 
admin's duty, or that's so obviously "too much work."

One configuration change nukes .IDA and .IDQ vulnerabilities, so not even 
patching is always necessary- but if you're billing by the hour, there's 
certainly more hours in patching than in dropping a pair of ISAPI mappings.

> "It was dangerous and now it's safe" is much easier for a 3rd party to sell 
> than it is for a security insider to sell "The reason we haven't had an 
> incident in the past 6 months is because we've used our copious security 
> budget to keep the network safe"

That's a part of it, but it should be combined with neither of the vested 
interests want to say "We've been safe from exploitation because 15,000 of 
these vulnerabilities aren't exploited in the real world."

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
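The counting question raised in the message above (is one Nimda-infected host hitting a Web server "640 Web server attacks," "32 NIMDA attacks," or "Multiple NIMDA attacks"?) is easy to make concrete. What follows is an added example, not code from the original message or the list: it runs a few signature rules over a constructed IIS-style log extract and counts the same traffic three ways, then shows what a single configuration change (dropping the .ida/.idq ISAPI mappings, which removes that whole class) does to the numbers. The log lines, hosts and timestamps are made up; the request paths are the Nimda worm's widely documented root.exe / cmd.exe probes plus one Code Red style .ida request. Signature and class names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in a simplified W3C/IIS log shape:
# date time client-ip method uri-stem(+query) status
# Hosts and times are invented; the URIs are the well-known Nimda probes
# (root.exe, cmd.exe via directory traversal) and one .ida request.
SAMPLE_LOG = """\
2002-08-19 13:01:02 10.0.0.5 GET /scripts/root.exe?/c+dir 404
2002-08-19 13:01:02 10.0.0.5 GET /MSADC/root.exe?/c+dir 404
2002-08-19 13:01:03 10.0.0.5 GET /c/winnt/system32/cmd.exe?/c+dir 404
2002-08-19 13:01:03 10.0.0.5 GET /d/winnt/system32/cmd.exe?/c+dir 404
2002-08-19 13:01:04 10.0.0.5 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir 404
2002-08-19 13:01:04 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir 404
2002-08-19 13:01:05 10.0.0.5 GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir 404
2002-08-19 13:05:40 192.168.7.9 GET /scripts/root.exe?/c+dir 404
2002-08-19 13:05:41 192.168.7.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir 404
2002-08-19 13:09:10 172.16.2.2 GET /default.ida?XXXXXXXX 200
2002-08-19 13:09:10 172.16.2.2 GET /index.html 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")

# (attack class, signature name, URI pattern). Several signatures map to one
# class; that many-to-one relation is the whole counting ambiguity.
# Names are this example's own, not any scanner's or IDS's.
SIGNATURES = [
    ("nimda", "root.exe-probe",
     re.compile(r"/root\.exe\?", re.I)),
    ("nimda", "cmd.exe-direct",
     re.compile(r"^/[cd]/winnt/system32/cmd\.exe\?", re.I)),
    ("nimda", "cmd.exe-traversal",
     re.compile(r"/\.\.%[0-9a-f%]+\.\./winnt/system32/cmd\.exe\?", re.I)),
    # Any request for an .ida/.idq resource: handled by the Index Server
    # ISAPI filter, so the class disappears once those mappings are removed.
    ("isapi-indexing", "ida-idq-request",
     re.compile(r"\.id[aq](\?|$)", re.I)),
]


def parse(log_text):
    """Turn the log text into dicts; lines that do not fit the shape are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        date, time, src, method, uri, status = m.groups()
        events.append({"ts": f"{date} {time}", "src": src, "uri": uri})
    return events


def classify(uri):
    """Return (class, signature) for the first matching rule, or None."""
    for cls, sig, rx in SIGNATURES:
        if rx.search(uri):
            return cls, sig
    return None


def count_three_ways(log_text):
    """Count the same traffic as raw events, per-host attacks, and classes."""
    per_event = 0
    attacks = set()          # (source host, class): one worm instance per host
    by_class = Counter()
    by_signature = Counter()
    for ev in parse(log_text):
        hit = classify(ev["uri"])
        if hit is None:
            continue
        cls, sig = hit
        per_event += 1
        attacks.add((ev["src"], cls))
        by_class[cls] += 1
        by_signature[sig] += 1
    return {
        "events": per_event,            # the "640 Web server attacks" number
        "attacks": len(attacks),        # the "32 NIMDA attacks" number
        "classes": len(by_class),       # the "Multiple NIMDA attacks" number
        "by_class": dict(by_class),
        "by_signature": dict(by_signature),
    }


def remaining_after_removing_class(log_text, removed_class):
    """Events left once one class is eliminated outright (e.g. by dropping
    the .ida/.idq ISAPI mappings), rather than patched item by item."""
    return sum(
        1 for ev in parse(log_text)
        if (hit := classify(ev["uri"])) is not None and hit[0] != removed_class
    )


if __name__ == "__main__":
    report = count_three_ways(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key:13} {value}")
    print("events left after dropping .ida/.idq mappings:",
          remaining_after_removing_class(SAMPLE_LOG, "isapi-indexing"))
```

On this sample the same eleven log lines come out as 10 signature hits, 3 attacks (two Nimda hosts and one .ida source) or 2 classes, depending on which number goes in the report, and removing one class by configuration rather than by patching takes the hit count from 10 to 9 without touching a patch. Which of those figures lands on the client's desk is a reporting choice, not a property of the traffic.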

