[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <11033.1308154603@turing-police.cc.vt.edu>
Date: Wed, 15 Jun 2011 12:16:43 -0400
From: Valdis.Kletnieks@...edu
To: coderman <coderman@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Absolute Sownage (A concise history of recent
Sony hacks)
On Tue, 14 Jun 2011 19:42:37 PDT, coderman said:
> consider it this way: when programming the "weird machine" to do your
> bidding some vectors to vuln are context-agnostic and readily
> repeatable. (the 95%)
>
> the other 5% are present in the specific configuration or context of
> system under attack and thus require actual technical ability and
> insight to traverse the vuln vectors. (or exploit chain, or attack
> tree, or whatever you want to call it.)
>
> cover the 95% and you won't be an HBGary, Sony, LulzSec target.
>
> however, don't interpret this as evidence you can't get hacked six
> ways to sunday by someone with the skillz.
And there's the flip side of it - there's some 140+ million .com's out there.
For the vast majority of them, covering the 95% is in fact sufficient, because
they are *so* small that it's probably safe to bet that everybody with actual
skillz is too busy hitting more valuable targets to bother whacking them.
After all, how many black hats with skillz will spend 3-4 days figuring out
how to whack Billy Bob's Bait, Tackle and Cell Phones and make maybe a
few hundred dollars, when they can go whack something in the 95% range
in a short afternoon and make 10 times as much?
Yes, you're still technically vulnerable, but at some point you really need
to give up the paranoia and get on with your actual business. Security
is all about tradeoffs - it may make more sense to say "We got 10K
customers, *if* we get whacked we just apologize, spend $25K on
credit card monitoring services for them, and get on with our business".
If you figure on a 10% chance of getting whacked, that's an average expected
expense of only $2,500 a year. How fast can you burn through $2500
trying to secure that last 5%?
Content of type "application/pgp-signature" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists