Re: [fw-wiz] An article from Peter Tippett/TruSecure...

From: Paul D. Robertson (
Date: 03/10/03

  • Next message: Symon Thurlow: "RE: [fw-wiz] Microsoft ISA"
    From: "Paul D. Robertson" <>
    To: Chuck Swiger <>
    Date: Sun, 9 Mar 2003 22:22:01 -0500 (EST)

    On Sun, 9 Mar 2003, Chuck Swiger wrote:

    > Date: Sun, 09 Mar 2003 13:49:08 -0500
    > From: Chuck Swiger <>
    > To: 'firewall-wizards <>
    > Subject: [fw-wiz] An article from Peter Tippett/TruSecure...

    [Disclaimer: I work for TruSecure, Dr. Tippett is both our CTO and the
    person I report directly to. Since you didn't comment on the article,
    I'll take a swipe at the tradtional dogma as we tend to see it...]

    > A brief excerpt:
    > "For years, the focus of most security efforts has been centered on
    > identifying and then fixing vulnerabilities in technology. The
    > prevailing belief is that if a hole is found in the IT armor of an
    > organization, it should be fixed immediately before it can be exploited
    > by some cyber-deviant. While this approach sounds logical and
    > effective, it is actually the beginning of a vicious cycle that occupies
    > vast amounts of time and wastes several millions of corporate,
    > government, and consumer dollars every year."

    The point that Peter's making is that chasing vulnerabilities just because
    they exist isn't efficient, nor really achievable. There were ~2200-2400
    new vulnerabilites announced last year, and as near as I can tell,
    between 1 and 2% of those new vulnerabilities got exploited at real companies.

    That means that if you spent time patching say an applicable 70% of those
    vulnerabilities, then 68% of that time was wasted.

    It's purely a risk funciton- and if you have good data on which small
    percentage of new vulnerabilities are going to be exploited and which ones
    have historically been exploited, then you can reduce your risk by
    about the same ammount by patching let's say 5% of those vulnerabilities
    instead of every one.

    That saves you 65% of the maintenance, fixes, "patch breaks things" and all
    the associated change control stuff. If you pay folks overtime, or
    give comp. time for staying late to patch, those can go down significantly
    too- *especially* if you have protections in place that limit damage from a
    particular vector for long enough between vulnerability disclosure,
    exploit coding and a normal maintenance cycle.

    Proactive security beats reactive security every time. Patch upon
    vulnerability release is reactive. Things like firewalls and conservative
    machine configuration can reduce patching levels for attacks from likely
    vectors without negatively changing an organization's risk profile.
    Indeed, there's an argument that if people spend more time on the likely
    vulnerabilities, they'll be able to better-protect an organization than if
    they spend time patching every possible vulnerability.

    I've got excellent data for widespread worms like SQL/Slammer and NIMDA,
    and a good feel for the results of target of choice attacks. That risks
    putting this too far into the "sounds like a commercial" mode though, so
    I'll just leave it at "smart risk-based patching beats blanket patching
    for effieciency with little measurable change in risk."

    Paul D. Robertson "My statements in this message are personal opinions which may have no basis whatsoever in fact." Director of Risk Assessment TruSecure Corporation

    firewall-wizards mailing list

  • Next message: Symon Thurlow: "RE: [fw-wiz] Microsoft ISA"