Firewall Wizards mailing list archives
Re: concerning ~el8 / project mayhem
From: Paul Robertson <proberts () patriot net>
Date: Mon, 19 Aug 2002 14:49:45 -0400 (EDT)
On Mon, 19 Aug 2002, Dave Piscitello wrote:
> I don't get this.

I'll try to explain more...

> If I showed my client that they'd been victim to 25 vulnerabilities, and the cumulative cost of the exploits was $6.4M, I'd get his attention fast.

"Victim to" isn't even in the picture - what I'm saying is that there's a trend in the industry and in business to run up the big numbers to show how savvy/good/thorough people/products are. There's an expectation that, for instance, a scanner or IDS that detects 1000 attacks is better than one which detects 10 - even though the presence of those ten may indeed indicate the existence of all 1000 (and the fix is the same in almost every case). You can, for instance, report "Multiple NIMDA attacks," "32 NIMDA attacks," or something like "640 Web server attacks." Does blocking a single Nimda event count as blocking one class of attack, one attack, or ~20 individual attacks?

> I think the point you might make is that it's comforting for a client who has no security clue to see a large report showing all the many problems his company had *before* you audited its network, and then showing that same client a very much smaller list showing the results of your tireless effort to eliminate the vulnerabilities through patching and re-configuration.

That's part of it, but the other point is that very many of the vulnerabilities discovered each year aren't actively exploited, and there's a driver for "find and fix billed by the hour" folks to say patch 1000 *vulnerabilities* instead of upgrading one *product*. Anyone can upgrade, say, IIS - so companies who spend money with security consultants don't necessarily want to see them fixing things their staffs should so obviously do, rather than something that's not a normal part of their admin's duty, or that's so obviously "too much work." One configuration change nukes the .IDA and .IDQ vulnerabilities, so not even patching is always necessary - but if you're billing by the hour, there's certainly more hours in patching than in dropping a pair of ISAPI mappings.

> "It was dangerous and now it's safe" is much easier for a 3rd party to sell than it is for a security insider to sell "The reason we haven't had an incident in the past 6 months is because we've used our copious security budget to keep the network safe"

That's a part of it, but it should be combined with the fact that neither of the vested interests wants to say "We've been safe from exploitation because 15,000 of these vulnerabilities aren't exploited in the real world."

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment, TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
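The counting problem Paul describes above (one Nimda pass reported as one event, one class of attack, or twenty individual alerts), as an added example that is not code from the post, the list, or TruSecure: a small Python script that runs a hypothetical IIS signature table over constructed Apache-style access-log lines patterned on the well-known Nimda and Code Red probe requests, and reports the same traffic as signature hits, hostile requests, distinct signatures, per-source events, and distinct fixes. The signature names, the five-minute event window, the sample log lines and the mapping from signature to remediation are all assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (not from the original post), patterned on the
# well-known Nimda and Code Red probe requests. Addresses are private/documentation ranges.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Aug/2002:09:12:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
10.0.0.5 - - [19/Aug/2002:09:12:01 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276
10.0.0.5 - - [19/Aug/2002:09:12:02 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
10.0.0.5 - - [19/Aug/2002:09:12:02 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
10.0.0.5 - - [19/Aug/2002:09:12:03 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
10.0.0.5 - - [19/Aug/2002:09:12:03 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
10.0.0.5 - - [19/Aug/2002:09:12:04 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
10.0.0.5 - - [19/Aug/2002:09:12:04 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
192.0.2.7 - - [19/Aug/2002:10:30:15 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 276
10.0.0.5 - - [19/Aug/2002:11:40:10 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
10.0.0.5 - - [19/Aug/2002:11:40:11 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
198.51.100.9 - - [19/Aug/2002:12:00:00 -0400] "GET /index.html HTTP/1.1" 200 1043
"""

# Common Log Format: ip ident user [timestamp] "method uri proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# Hypothetical signature table: name -> (pattern on the URI, the one fix that neutralises it).
# Several signatures can fire on a single request; that is exactly how alert counts inflate.
SIGNATURES = {
    "web-iis-root-exe":          (re.compile(r"/root\.exe\?", re.I),        "patch/upgrade IIS"),
    "web-iis-cmd-exe":           (re.compile(r"/cmd\.exe\?", re.I),         "patch/upgrade IIS"),
    "web-iis-unicode-traversal": (re.compile(r"%c[01]%[0-9a-f]{2}", re.I),  "patch/upgrade IIS"),
    "web-iis-double-decode":     (re.compile(r"%25|%%35", re.I),            "patch/upgrade IIS"),
    "web-iis-ida-idq":           (re.compile(r"\.id[aq](?:\?|$)", re.I),    "remove .ida/.idq ISAPI mappings"),
}


def parse_line(line):
    """Return a dict for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "uri": m.group("uri"),
    }


def matching_signatures(uri):
    """Every signature that fires on the request URI, not just the first one."""
    return [name for name, (rx, _fix) in SIGNATURES.items() if rx.search(uri)]


def count_events(flagged, window=timedelta(minutes=5)):
    """Collapse flagged requests into events: same source, consecutive gaps no larger than window."""
    by_src = defaultdict(list)
    for req in flagged:
        by_src[req["ip"]].append(req["ts"])
    events = 0
    for stamps in by_src.values():
        last = None
        for ts in sorted(stamps):
            if last is None or ts - last > window:
                events += 1
            last = ts
    return events


def summarize(log_text, window=timedelta(minutes=5)):
    """Count the same traffic several ways, from the inflated number down to the number of fixes."""
    per_sig = Counter()
    flagged = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        sigs = matching_signatures(req["uri"])
        if not sigs:
            continue
        per_sig.update(sigs)
        flagged.append(req)
    fixes = {SIGNATURES[name][1] for name in per_sig}
    return {
        "signature_hits": sum(per_sig.values()),   # what a "640 Web server attacks" report counts
        "flagged_requests": len(flagged),          # distinct hostile requests
        "distinct_signatures": len(per_sig),       # distinct things the IDS knew how to name
        "events": count_events(flagged, window),   # distinct scans/infections that actually hit you
        "distinct_fixes": len(fixes),              # distinct changes that would stop all of it
        "per_signature": dict(per_sig),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the script reports 17 signature hits from 11 hostile requests, 5 distinct signatures, 3 events (two from the same source separated by more than the window, one Code Red-style .ida probe), and 2 distinct fixes, one of which is dropping the .ida/.idq ISAPI mappings rather than patching anything. Which of those numbers lands in the report is the choice Paul is describing.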