Re: [fw-wiz] An article from Peter Tippett/TruSecure...
From: Barney Wolff (barney@pit.databus.com)
Date: 03/11/03
- Previous message: Bill Royds: "Re: [fw-wiz] An article from Peter Tippett/TruSecure..."
- In reply to: Paul D. Robertson: "Re: [fw-wiz] An article from Peter Tippett/TruSecure..."
- Next in thread: Paul Robertson: "Re: [fw-wiz] An article from Peter Tippett/TruSecure..."
- Reply: Paul Robertson: "Re: [fw-wiz] An article from Peter Tippett/TruSecure..."
- Reply: yossarian: "Re: [fw-wiz] An article from Peter Tippett/TruSecure..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Barney Wolff <barney@pit.databus.com>
To: "Paul D. Robertson" <proberts@patriot.net>
Date: Mon, 10 Mar 2003 18:48:55 -0500
On Sun, Mar 09, 2003 at 10:22:01PM -0500, Paul D. Robertson wrote:
>
> The point that Peter's making is that chasing vulnerabilities just because
> they exist isn't efficient, nor really achievable. There were ~2200-2400
> new vulnerabilities announced last year, and as near as I can tell,
> between 1 and 2% of those new vulnerabilities got exploited at real companies.
>
> That means that if you spent time patching say an applicable 70% of those
> vulnerabilities, then 68% of that time was wasted.
>
> It's purely a risk function- and if you have good data on which small
> percentage of new vulnerabilities are going to be exploited and which ones
> have historically been exploited, then you can reduce your risk by
> about the same amount by patching let's say 5% of those vulnerabilities
> instead of every one.
>
> That saves you 65% of the maintenance, fixes, "patch breaks things" and all
> the associated change control stuff. If you pay folks overtime, or
> give comp. time for staying late to patch, those can go down significantly
> too- *especially* if you have protections in place that limit damage from a
> particular vector for long enough between vulnerability disclosure,
> exploit coding and a normal maintenance cycle.
This strategy might work against script kiddies, but is sure to fail
against an attacker who knows you're using it!
I also question the notion that keeping up requires patching 70%
of 2200-2400 vulnerabilities. If you have a myriad of different
systems or apps *exposed* you've taken diversity beyond sanity.
--
Barney Wolff http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards