[Dailydave] "The organization I belong to doesn't have initials" (that evil dude in Heroes)
Matt Richard
matt.richard at gmail.com
Wed Nov 15 19:03:04 2006
On 11/14/06, Siim Põder <windo at p6drad-teel.net> wrote:
> Yo!
>
> Daniel wrote:
> > David: your IIS 6.0 is vulnerable to an unpublished, unknown
> > vulnerability
> > CSO: So what do we do David??
> > David: secure your network
> > CSO: How?
> > David: ????
> > CSO: Microsoft has no patch for this, they cannot help. I've paid you
> > to do an assessment, what is the risk of the vulnerability versus the
> > loss of business if I have to shut down our front-end trading system
<snip>
> There is stuff you can (and should) do beyond patching known holes. You
> never know whether there are unknown vulnerabilities in some part of your
> system - so you could run your httpd in chroot, stripping its
> privileges to the minimum and monitoring what it does. Then you could
> isolate it on the network and firewall connections to and from it.
I think the real point here is that the majority of people responsible
for security have a backwards mindset. Most security practitioners
still don't make the assumption that everything is vulnerable and
design around it. Of course IIS is vulnerable to an unpublished 0day.
Maybe somebody already found it or maybe it'll happen next week.
When you start with the assumption that every application and device
has major holes that haven't been discovered or disclosed you create a
totally different architecture than when you assume it's good until
proven bad.
In this case I somewhat agree with Dave - assume that your opponent is
smarter, more persistent and more creative than you could ever be.
What would you do differently?
Would patching known vulnerabilities in thousands of end user desktops
be your #1 priority or would you devote more time to creatively
protecting your most valuable assets?
--
Matt Richard
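One concrete shape for the "monitoring what it does" part of Siim's advice, written from the assume-it's-already-holed stance Matt describes: decide in advance what the front-end web server process is allowed to do (which hosts it may talk to, where it may write, what it may spawn) and alert on anything else, so an unknown IIS hole still shows up as a behavioural deviation. This is an added example, not code from either poster; the log line format and the policy values are constructed for the example.

```python
import re
from typing import Optional

# Expected behaviour of the front-end web server, written down before any
# incident (constructed policy for this example, not from the post).
POLICY = {
    "process": "w3wp.exe",
    "allowed_children": frozenset(),            # a web server should spawn nothing
    "allowed_outbound": {("10.0.5.20", 1433)},  # only the back-end database
    "writable_prefixes": ("C:\\inetpub\\logs\\",),
}

# Constructed, simplified endpoint event log (one event per line).
SAMPLE_LOG = """\
2006-11-15T19:01:10 host=web01 proc=w3wp.exe evt=connect dst=10.0.5.20:1433
2006-11-15T19:01:12 host=web01 proc=w3wp.exe evt=write path=C:\\inetpub\\logs\\ex061115.log
2006-11-15T19:02:40 host=web01 proc=w3wp.exe evt=spawn child=cmd.exe
2006-11-15T19:02:41 host=web01 proc=w3wp.exe evt=connect dst=198.51.100.7:443
2006-11-15T19:02:43 host=web01 proc=w3wp.exe evt=write path=C:\\Windows\\Temp\\svc.exe
2006-11-15T19:03:00 host=web01 proc=inetinfo.exe evt=spawn child=notepad.exe
"""

LINE_RE = re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) evt=(?P<evt>\S+)(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line: str) -> Optional[dict]:
    """Turn one log line into a dict; trailing key=value pairs are merged in."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev.update(KV_RE.findall(m.group("rest")))
    return ev

def evaluate(ev: dict, policy: dict = POLICY) -> Optional[str]:
    """Return an alert reason if the event deviates from the allow-list, else None."""
    if ev["proc"].lower() != policy["process"]:
        return None                              # only the watched process is judged
    if ev["evt"] == "spawn" and ev.get("child", "").lower() not in policy["allowed_children"]:
        return f"{ev['proc']} spawned {ev.get('child')}"
    if ev["evt"] == "connect":
        ip, _, port = ev.get("dst", "").rpartition(":")
        if (ip, int(port or 0)) not in policy["allowed_outbound"]:
            return f"unexpected outbound connection to {ev.get('dst')}"
    if ev["evt"] == "write":
        prefixes = tuple(p.lower() for p in policy["writable_prefixes"])
        if not ev.get("path", "").lower().startswith(prefixes):
            return f"write outside log directory: {ev.get('path')}"
    return None

def scan(log: str, policy: dict = POLICY) -> list:
    """Run every line through the policy and collect the alerts in order."""
    alerts = []
    for line in log.splitlines():
        ev = parse_event(line)
        if ev and (reason := evaluate(ev, policy)):
            alerts.append(f"{ev['ts']} {ev['host']}: {reason}")
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print("ALERT", alert)
```

The allow-list is deliberately tiny; on a real front end it is the output of the isolation work (chroot or low-privilege account, host firewall, known back ends), which is what makes deviations rare enough to page on.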