Re: [fw-wiz] concerning ~el8 / project mayhem

From: Paul Robertson (
Date: 08/19/02

From: Paul Robertson <>
To: Dave Piscitello <>
Date: Mon Aug 19 14:43:02 2002

On Mon, 19 Aug 2002, Dave Piscitello wrote:

> I don't get this.

I'll try to explain more...

> If I showed my client that they'd been victim to 25 vulnerabilities, and
> the cumulative cost of the exploits was $6.4M, I'd get his attention fast.

Victim to isn't even in the picture- what I'm saying is that there's a
trend in the industry and in business to run up the big numbers to show
how savvy/good/thorough people/products are. There's an expectation that,
for instance a scanner or IDS that detects 1000 attacks is better than one
which detects 10- even though the presence of those ten may indeed
indicate the existance of all 1000 (and the fix is the same in almost
every case.)

You can, for instance report "Multiple NIMDA attacks," "32 NIMDA attacks,"
or something like "640 Web server attacks." Does blocking a single Nimda
event count as blocking one class of attack, one attack, or ~20
individual attacks?

> I think the point you might make is that it's comforting for a client who
> has no security clue to see a large report showing all the many problems
> his company had *before* you audited its network, and then showing that
> same client a very much smaller list showing the results of your tireless
> effort to eliminate the vulnerabilites through patching and re-configuration.

That's part of it, but the other point is that very many of the
vulnerabilities discovered each year aren't actively exploited, and
there's a driver for "find and fix billed by the hour" folks to say patch
1000 *vulnerabilities* instead of upgrading one *product*. Anyone can
upgrade say IIS- so companies who spend money with security consultants
don't necessarily want to see them fixing things their staffs should so
obviously do rather than something that's not a normal part of their
admin's duty, or that's so obviously "too much work."

One configuration change nukes .IDA and .IDQ vulnerabilities, so not even
patching is always necessary- but if you're billing by the hour, there's
certainly more hours in patching than in dropping a pair of ISAPI mappings.

> "It was dangerous and now it's safe" is much easier for a 3rd party to sell
> than it is for a security insider to sell "The reason we haven't had an
> incident in the past 6 months is because we've used our copious security
> budget to keep the network safe"

That's a part of it, but it should be combined with neither of the vested
interests want to say "We've been safe from exploitation because 15,000 of
these vulnerabilites aren't exploited in the real world."

Paul D. Robertson "My statements in this message are personal opinions which may have no basis whatsoever in fact." Director of Risk Assessment TruSecure Corporation

Relevant Pages