Firewall Wizards mailing list archives

Re: An article from Peter Tippett/TruSecure...


From: Barney Wolff <barney () pit databus com>
Date: Mon, 10 Mar 2003 18:48:55 -0500

On Sun, Mar 09, 2003 at 10:22:01PM -0500, Paul D. Robertson wrote:

> The point that Peter's making is that chasing vulnerabilities just because 
> they exist isn't efficient, nor really achievable.  There were ~2200-2400 
> new vulnerabilities announced last year, and as near as I can tell, 
> between 1 and 2% of those new vulnerabilities got exploited at real companies.
> 
> That means that if you spent time patching say an applicable 70% of those 
> vulnerabilities, then 68% of that time was wasted.  
> 
> It's purely a risk function- and if you have good data on which small 
> percentage of new vulnerabilities are going to be exploited and which ones 
> have historically been exploited, then you can reduce your risk by 
> about the same amount by patching let's say 5% of those vulnerabilities 
> instead of every one.  
> 
> That saves you 65% of the maintenance, fixes, "patch breaks things" and all 
> the associated change control stuff.  If you pay folks overtime, or 
> give comp. time for staying late to patch, those can go down significantly 
> too- *especially* if you have protections in place that limit damage from a 
> particular vector for long enough between vulnerability disclosure, 
> exploit coding and a normal maintenance cycle.

This strategy might work against script kiddies, but is sure to fail
against an attacker who knows you're using it!

I also question the notion that keeping up requires patching 70%
of 2200-2400 vulnerabilities.  If you have a myriad of different
systems or apps *exposed* you've taken diversity beyond sanity.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
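As an added illustration of the trade-off the two posts are arguing about (this is not code from either poster), the following Python models Paul's "patch the small percentage that actually gets exploited" policy as a greedy selection by expected risk removed per staff hour, and then scores the result under two attacker models: opportunistic attackers who use whatever is being exploited in the wild, and Barney's informed attacker who simply picks the worst hole the policy chose to skip. The vulnerability records, likelihoods, impacts and patch-hour figures are all constructed for the example, not real data.

```python
"""Risk-based patch selection versus patch-everything, under two attacker models.

Added illustration for the thread above, not code from either poster. The
vulnerability records are constructed; exploit likelihoods, impacts and
patch hours are made-up numbers, not real data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    exploit_likelihood: float  # estimated probability the hole is actually attacked
    impact: float              # loss if it is exploited (arbitrary units)
    patch_hours: float         # staff hours to patch, test and push through change control


# Constructed sample: two widely exploited holes, one severe-but-rarely-exploited
# hole, and some noise. Not real vulnerability data.
SAMPLE_VULNS = [
    Vuln("V-1", 0.30, 100.0, 4.0),
    Vuln("V-2", 0.10, 80.0, 2.0),
    Vuln("V-3", 0.01, 90.0, 8.0),
    Vuln("V-4", 0.02, 10.0, 1.0),
    Vuln("V-5", 0.005, 5.0, 3.0),
    Vuln("V-6", 0.15, 20.0, 6.0),
]


def expected_risk(v: Vuln) -> float:
    """Expected loss from leaving v unpatched: likelihood times impact."""
    return v.exploit_likelihood * v.impact


def prioritise(vulns, hour_budget: float) -> list:
    """Greedy selection: patch the holes that remove the most expected risk
    per staff hour until the budget is spent. Returns the ids in patch order."""
    ranked = sorted(vulns, key=lambda v: expected_risk(v) / v.patch_hours, reverse=True)
    chosen, hours_left = [], hour_budget
    for v in ranked:
        if v.patch_hours <= hours_left:
            chosen.append(v.vuln_id)
            hours_left -= v.patch_hours
    return chosen


def residual_risk(vulns, patched, adaptive: bool = False) -> float:
    """Risk left after patching the ids in `patched`.

    adaptive=False: opportunistic attackers (worms, script kiddies) hit whatever
    is being exploited in the wild, so residual is the summed expected loss.
    adaptive=True: an attacker who knows the policy goes straight for the worst
    hole that was deliberately left open, so residual is the largest remaining impact.
    """
    unpatched = [v for v in vulns if v.vuln_id not in patched]
    if not unpatched:
        return 0.0
    if adaptive:
        return max(v.impact for v in unpatched)
    return sum(expected_risk(v) for v in unpatched)


def compare(vulns, hour_budget: float) -> dict:
    """Summarise the selective policy against patching everything."""
    patched = set(prioritise(vulns, hour_budget))
    hours_used = sum(v.patch_hours for v in vulns if v.vuln_id in patched)
    total_hours = sum(v.patch_hours for v in vulns)
    total_risk = sum(expected_risk(v) for v in vulns)
    everything = {v.vuln_id for v in vulns}
    return {
        "patched": sorted(patched),
        "effort_fraction": hours_used / total_hours,
        "opportunistic_risk_removed": 1 - residual_risk(vulns, patched) / total_risk,
        "adaptive_residual": residual_risk(vulns, patched, adaptive=True),
        "patch_all_adaptive_residual": residual_risk(vulns, everything, adaptive=True),
    }


if __name__ == "__main__":
    for key, value in compare(SAMPLE_VULNS, hour_budget=12.0).items():
        print(f"{key}: {value}")
```

With the constructed numbers, half the patching effort removes about 97% of the expected loss from opportunistic attackers, which is Paul's argument; the same selection leaves a hole with impact 90 open for an attacker who knows which vulnerabilities were skipped, which is Barney's. The policy is only as good as the exploit-likelihood estimates feeding it, and the adaptive figure is the one to watch when the exposed system is a specific target rather than one of many.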