IDS mailing list archives

Re: Definition of Zero Day Protection


From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Thu, 12 Aug 2004 16:14:45 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


David Maynor writes:

> Generic methods for 0day protection, like hooking functions called
> by shellcode, will always fail.

Well, any generic method someone is trying to sell you will always fail.
Here's a generic method that prevents zero-day exploits (for just about
any value of `zero-day'):

        -Deny all

The upgraded version of this strategy (where `upgrade' here is defined
in the marketing sense of `more useable, more broken'):

        -Default deny all
        -Permit only what is known good
        -When you're architecting the points of exposure first think
         about containment.  Then give some thought to containment.  Finally,
         worry about containment

In other words, a successful `zero-day' protection strategy really looks
an awful lot like a successful infosec strategy in general:  rely on
what you've designed into the system, not what you're expecting some
vendor to miracle into it after it's deployed.




- -spb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (OpenBSD)

iD8DBQFBG/nKG3kIaxeRZl8RAlnKAJ4+FWjwbOUXYx2y5CxzSpd39RNkQgCfZSOu
3OFjSMTmmtC1X1gF9UfscSY=
=p5wb
-----END PGP SIGNATURE-----
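As an added example (not part of Berry's message or of any project's code), the `default deny, permit only what is known good, design containment in' strategy above, written as an OpenBSD pf ruleset. The interface names, the 192.0.2.0/24 addresses, and the layout of one exposed web server talking to one internal database are assumptions for illustration:

```pf
# Assumed layout for this example: em0 faces the Internet, em1 faces a DMZ
# holding one web server, em2 faces an internal network holding its database.
ext_if = "em0"
dmz_if = "em1"
www    = "192.0.2.10"
db     = "192.0.2.80"

set skip on lo

# Default deny: any packet not matched by a pass rule below is dropped and
# logged to pflog. A new exploit does not need a signature to hit this rule.
block log all

# Permit only what is known good, inbound: HTTP/HTTPS to the web server, and
# nothing else. Only the initial SYN is inspected; replies ride the state entry.
pass in quick on $ext_if proto tcp to $www port { 80 443 } flags S/SA keep state

# Permit only what is known good, outbound from the exposed host: the single
# database connection the application is built around.
pass in quick on $dmz_if proto tcp from $www to $db port 5432 flags S/SA keep state

# Containment: anything else the web server tries to originate is dropped.
# This is already covered by the default deny above; the separate rule gives
# the event its own rule number and log line, which is what you want to alert
# on. A reverse-connect or download-and-execute payload running on $www has
# no path out, whatever exploit put it there.
block log quick on $dmz_if from $www to any
```

Load it with `pfctl -f /etc/pf.conf` and watch `tcpdump -n -e -ttt -i pflog0` for hits on the last rule: an exposed host that suddenly tries to open connections it was never permitted is a stronger compromise indicator than any payload signature, and it fires on day zero.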
