Re: [fw-wiz] An article from Peter Tippett/TruSecure...

From: yossarian (yossarian@planet.nl)
Date: 03/11/03

  • Next message: Paul D. Robertson: "Re: [fw-wiz] An article from Peter Tippett/TruSecure..."
    From: "yossarian" <yossarian@planet.nl>
    To: "'firewall-wizards" <firewall-wizards@honor.icsalabs.com>
    Date: Tue, 11 Mar 2003 02:42:00 +0100
    

    > On Sun, Mar 09, 2003 at 10:22:01PM -0500, Paul D. Robertson wrote:
    > >
    > > The point that Peter's making is that chasing vulnerabilities just
    > > because they exist isn't efficient, nor really achievable. There were
    > > ~2200-2400 new vulnerabilities announced last year, and as near as I can
    > > tell, between 1 and 2% of those new vulnerabilities got exploited at real
    > > companies.

    Considering that only a VERY small minority of incidents gets noticed (a
    researcher said it was somewhere between 2 and 5% at best) and of that, many
    are not investigated - lack o' funds or skills - so who knows which ones get
    exploited? Can he read this in a crystal bowlie? Surely he is the only
    person who knows.

    > > That means that if you spent time patching say an applicable 70% of
    > > those vulnerabilities, then 68% of that time was wasted.

    Depends on the systems - much patching can be done easily, unless you object
    to push updates, as some people seem to do. In my experience, 90% can be
    done remotely, and if you have some standardization, this is very easy.

    > > It's purely a risk function - and if you have good data on which small
    > > percentage of new vulnerabilities are going to be exploited and which
    > > ones have historically been exploited, then you can reduce your risk by
    > > about the same amount by patching let's say 5% of those vulnerabilities
    > > instead of every one.

    Like I said - no one has this supposedly 'Good Data'. If SANS claims that
    patching the top 20 is 80% of security, which is a favorite rule of thumb
    for the pointy hairs (does sound like the 20-80 rule), just maybe you could
    be truly secure. SANS doesn't. But if you look at the top 20, you'd see that
    it isn't 20 holes: W1 = 3 kinds of IIS vulns: Unicode-like, sample apps and
    buffer overflows. This just might be a substantial number of patches, and a
    lot of testing. It lists 25 known issues for W1 alone. Many of them are not
    singular vulns.

    > > That saves you 65% of the maintenance, fixes, "patch breaks things" and
    > > all the associated change control stuff. If you pay folks overtime, or
    > > give comp. time for staying late to patch, those can go down
    > > significantly too- *especially* if you have protections in place that
    > > limit damage from a particular vector for long enough between
    > > vulnerability disclosure, exploit coding and a normal maintenance cycle.

    Yep - this is what it all boils down to: Sales Pitch Alert: Security Comes
    Cheap. It goes something like this: The Return On Security Investment unique
    approach yada 13 years experience yada flexible unlike most standards. I
    think the 'protections in place' will probably be a FW - but if it helps you
    through the window of vulnerability, it will just as well get you through
    the time after the fix.

    Look at my SANS w1 example: these savings are just not going to happen.

    > I also question the notion that keeping up requires patching 70%
    > of 2200-2400 vulnerabilities. If you have a myriad of different
    > systems or apps *exposed* you've taken diversity beyond sanity.

    Well, keeping up with the Top 20 will not help much at all, since it is
    hosts in a LAN only. If these Windoze and *nix hosts are connected directly
    to the outside world, the Top 20 might fix some holes. But if they are thus
    exposed, the biggest hole is between the ears. In the list there are no FWs,
    no routers, but fixing SNMP is in the list - as if the FW lets 161 pass.....
    Unless the attackers are already ON your network.

    My guess is that Mr. P. is trying to sell something, but before bloat he
    really should do his homework.

    > Barney Wolff http://www.databus.com/bwresume.pdf
    > I'm available by contract or FT, in the NYC metro area or via the 'Net.

    Good job hunt, Mr. Wolff

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
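The thread above argues about prioritising patches by likelihood of exploitation versus patching everything, with two objections raised in the reply: a single "Top 20" entry (SANS W1) can expand into many patches, and a host-level hole such as SNMP is not exposed to the outside if the firewall already drops the port. The following is an added example, not code from the original thread or from any of the participants, that makes that argument concrete: it ranks constructed vulnerability records by expected loss per patch, treats a port as reachable only if the (constructed) perimeter policy allows it, and reports how much of the total expected loss a given patch budget removes. The vulnerability records, exploitation probabilities, loss figures and the firewall policy are all assumptions constructed for the illustration.

```python
"""Risk-based patch prioritisation over constructed data.

Added example; not code from the firewall-wizards thread. The records,
probabilities, loss values and perimeter policy below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Vuln:
    vid: str
    port: Optional[int]   # port the hole is reached over; None = local/any
    hosts: int            # affected hosts
    p_exploit: float      # assumed probability of exploitation in the window
    loss: float           # assumed loss per compromised host
    patches: int = 1      # distinct patches this entry really is (SANS W1 = 25)


# Constructed perimeter policy: inbound ports the firewall allows from outside.
FW_ALLOWED_INBOUND: Set[int] = {25, 80, 443}

# Constructed inventory. "W1-IIS" mirrors the reply's point that one Top 20
# entry lists 25 separate issues; "SNMP-default-community" mirrors the point
# that UDP/161 is not exposed if the firewall drops it.
CONSTRUCTED_VULNS: List[Vuln] = [
    Vuln("W1-IIS", port=80, hosts=12, p_exploit=0.6, loss=50_000, patches=25),
    Vuln("SNMP-default-community", port=161, hosts=200, p_exploit=0.5, loss=5_000),
    Vuln("mail-relay-overflow", port=25, hosts=2, p_exploit=0.3, loss=80_000),
    Vuln("ssl-lib-bug", port=443, hosts=12, p_exploit=0.05, loss=50_000),
    Vuln("local-priv-esc", port=None, hosts=300, p_exploit=0.02, loss=2_000),
    Vuln("intranet-app-xss", port=8080, hosts=5, p_exploit=0.4, loss=3_000),
]


def exposed_hosts(v: Vuln, fw_allowed: Set[int], attacker_inside: bool) -> int:
    """Hosts the attacker can actually reach for this vuln.

    An attacker already on the LAN bypasses the perimeter policy; a local
    (port=None) issue is reachable regardless of the firewall.
    """
    if attacker_inside or v.port is None:
        return v.hosts
    return v.hosts if v.port in fw_allowed else 0


def expected_loss(v: Vuln, fw_allowed: Set[int], attacker_inside: bool) -> float:
    return exposed_hosts(v, fw_allowed, attacker_inside) * v.p_exploit * v.loss


def prioritise(vulns: List[Vuln], fw_allowed: Set[int], budget_patches: int,
               attacker_inside: bool = False) -> Tuple[List[str], float, int]:
    """Greedy knapsack: take entries by expected loss per patch while they fit.

    Returns (chosen vuln ids, fraction of total expected loss removed,
    patches consumed). Greedy is a heuristic, not an optimum, but it is
    how a patch queue is usually worked in practice.
    """
    scored = [(expected_loss(v, fw_allowed, attacker_inside), v) for v in vulns]
    total = sum(s for s, _ in scored)
    ranked = sorted(scored, key=lambda sv: sv[0] / sv[1].patches, reverse=True)
    chosen: List[str] = []
    removed = 0.0
    used = 0
    for score, v in ranked:
        # Skip unexposed entries (score 0) and entries that do not fit the budget.
        if score <= 0 or used + v.patches > budget_patches:
            continue
        chosen.append(v.vid)
        removed += score
        used += v.patches
    frac = removed / total if total else 0.0
    return chosen, frac, used


if __name__ == "__main__":
    for budget in (5, 30):
        for inside in (False, True):
            ids, frac, used = prioritise(CONSTRUCTED_VULNS, FW_ALLOWED_INBOUND,
                                         budget, attacker_inside=inside)
            print(f"budget={budget:2d} inside={inside!s:5} used={used:2d} "
                  f"removed={frac:.0%} -> {ids}")
```

With the outside-attacker view, SNMP and the intranet app score zero and never make the queue, and the 25-patch W1 entry is skipped by a five-patch budget even though it carries the largest expected loss; flip `attacker_inside` and SNMP jumps to the top of the list. Real exploitation data replaces the constructed `p_exploit` values; the ranking logic stays the same.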
