lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <405F64FD.5060108@bastille-linux.org> From: jay at bastille-linux.org (Jay Beale) Subject: When do exploits get used? Luke Scharf wrote: >On Mon, 2004-03-22 at 14:46, Paul Schmehl wrote: > > >>To think otherwise is foolish, as I said. If one isn't paranoid, one >>probably doesn't belong in the security field. If you're sitting back >>thinking you're safe because you're patched and you patch quickly, then >>you're unalert and exposed. >> >> > >Patching, passwords, and basic-permissions *are*, however, the 10% of >the work that gets 90% of the benefit. All the stuff that we get >excited about here is just icing on the cake. > > I think you're going to quickly change your mind as soon as the first 0-day worm comes out. All the patching in the world doesn't save us if the attackers ever get a widely-used exploit against a non-public vulnerability. At that point, internal firewalling and system hardening, to say the least, take center stage. (Of course, you could add to these, or potentially replace these with, some particular host-based intrusion prevention/kernel modification solutions, but I'll leave that one alone for now.) The day of the 0-day worm is coming, or at least the close-enough-to-0-day worm, that organizations that do patch often will still get badly compromised. This basically comes down to a question of windows of vulnerability. Your window of vulnerability to a given exploit comes down to the sum of three time windows: 1) The time that an exploit exists before the vendor has learned of the vuln and begun preparing the patch. ( 0 days to N years) 2) The time that the vendor spends researching, preparing and testing a patch. ( 1 day to 9 months, probably about 2 days or more.) 3) The time in which a patch is available and you haven't yet deployed it. First, remember that you have no control over time window 1 and little over time window 2. Time window 3 for the most attentive organizations seems to be around 1 day on non-critical systems and 3 days on critical systems. The averages are probably around 1 month for both types of systems. If you're in this best set of organizations, potentially spending major manpower on vetting and installing patches, you've still got a decent window of vulnerability. It's at least an hour/day (from #3) along with a few days or more from #1 and #2. Patching isn't really 90%. It seems like that because organizations still aren't keeping up with patches and thus don't know what would have happened if they had. It seems like that because we're not getting caught in the first two parts of our windows of vulnerability that often just yet. If a worm comes out in time window 1 or 2, your 1-hour patch turnaround won't save you. You may find this discussion academic. But the exploit writers and the worm writers are getting faster. And that's what should scare us into moving beyond patches. That's what should get us moving to better network and host configurations. That's what should get us to evaluate patching as, at most, the easy, but most critical, 50%. Of course, I could be wrong. - Jay >-Luke > > >
Powered by blists - more mailing lists