On Tue, 14 Jun 2011 19:42:37 PDT, coderman said: > consider it this way: when programming the "weird machine" to do your > bidding some vectors to vuln are context-agnostic and readily > repeatable. (the 95%) > > the other 5% are present in the specific configuration or context of > system under attack and thus require actual technical ability and > insight to traverse the vuln vectors. (or exploit chain, or attack > tree, or whatever you want to call it.) > > cover the 95% and you won't be an HBGary, Sony, LulzSec target. > > however, don't interpret this as evidence you can't get hacked six > ways to sunday by someone with the skillz. And there's the flip side of it - there's some 140+ million .com's out there. For the vast majority of them, covering the 95% is in fact sufficient, because they are *so* small that it's probably safe to bet that everybody with actual skillz is too busy hitting more valuable targets to bother whacking them. After all, how many black hats with skillz will spend 3-4 days figuring out how to whack Billy Bob's Bait, Tackle and Cell Phones and make maybe a few hundred dollars, when they can go whack something in the 95% range in a short afternoon and make 10 times as much? Yes, you're still technically vulnerable, but at some point you really need to give up the paranoia and get on with your actual business. Security is all about tradeoffs - it may make more sense to say "We got 10K customers, *if* we get whacked we just apologize, spend $25K on credit card monitoring services for them, and get on with our business". If you figure on a 10% chance of getting whacked, that's an average expected expense of only $2,500 a year. How fast can you burn through $2500 trying to secure that last 5%?
Attachment:
pgpWyLXMNjDdz.pgp
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/