
Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

The Rise of Data-Driven Security

by Dennis Fisher

The phrase "you're doing it wrong" is a common refrain in the security community these days as people wander around in various states of disillusionment with the technology and processes that have led to what many perceive as a systemic failure. But that refrain usually is not followed by any useful discussion of what's going wrong or what can be done about it. To researcher Claudio Guarnieri, one of the major problems is obvious: we're completely backward in the way we prioritize protection.

On any given day, the headlines are full of dire warnings about new zero-days, another bug discovered in Android or a new flaw in a major database. Inside enterprise IT departments, those bugs are simply added to the already massive pile they'll eventually get around to patching when they have time. And often, that patching plan will be based upon one or another of the myriad vulnerability scoring systems that have emerged in the last 10 years or so.

Therein lies the problem, according to Guarnieri. Which bugs to fix first and how quickly to patch them should not be based on a CVSS score or criticality rating, but rather on how likely it is that an attacker is going to try and exploit any given vulnerability.

"We tend to be too flat and don't take into account whether vulnerabilities are actually being exploited in the wild," Guarnieri, a researcher at Rapid7, said in a recent interview. "It's not efficient because there's no context. We need to understand how bugs are being used by the bad guys. There needs to be a connection between bugs, attacks and threats. People need to understand that this kind of vulnerability is being used by this kind of attacker for this kind of attack. So then I can walk it up the chain as a high priority."

There are thousands and thousands of vulnerabilities discovered each year now, but the vast majority of those don't end up being used in attacks. They're the bench players, the guys who are kept around to fill out the roster and take a beating from the big boys in practice. They just sort of hang out, like Rudy waiting for the coach to call his name, hoping that one day they'll get in the game. But, unless it's one of the stars--say a nice ASLR and DEP bypass bug in Internet Explorer 10--then it's probably going to stay in the shadows and never get much run.

The CVSS (Common Vulnerability Scoring System) is a system designed to score each vulnerability based on a number of factors.

Guarnieri estimates that there are roughly 100 vulnerabilities being used or sold on the underground at any given time, and the tens of thousands of others are mostly background noise.

»threatpost.com/en_us/blogs/rise-···y-100112

Read the whole article and find out more about Guarnieri's Cuckoo Sandbox.

»cuckoosandbox.org/#
--
Gladiator Security Forum
»www.gladiator-antivirus.com/
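One way to operationalise the argument in the quoted article, as an added example that is not part of the article or of this post: a Python ranking that places evidence of exploitation ahead of the CVSS base score when ordering a patch backlog. The vulnerability records, the tier weights and the VULN-* identifiers are constructed for illustration and are not real CVEs.

```python
"""Exploitation-aware patch prioritisation (constructed example)."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Vuln:
    vuln_id: str              # placeholder identifier, not a real CVE
    cvss: float               # CVSS base score, 0.0 - 10.0
    exploited_in_wild: bool   # confirmed use by attackers against real targets
    exploit_public: bool      # a working exploit is circulating (kit or PoC)
    internet_facing: bool     # the affected asset is reachable from outside


def priority_score(v: Vuln) -> float:
    """Rank by threat evidence first, static severity second.

    Tiers (assumed weights): actively exploited bugs always outrank bugs
    with only a public exploit, which outrank everything else. Within a
    tier, exposure adds a small bonus and the CVSS score breaks ties.
    """
    if v.exploited_in_wild:
        tier = 200.0
    elif v.exploit_public:
        tier = 100.0
    else:
        tier = 0.0
    exposure = 2.0 if v.internet_facing else 0.0
    return tier + exposure + v.cvss


def patch_order(vulns: List[Vuln]) -> List[str]:
    """Backlog ordered by the exploitation-aware score, highest first."""
    return [v.vuln_id for v in sorted(vulns, key=priority_score, reverse=True)]


def cvss_order(vulns: List[Vuln]) -> List[str]:
    """The 'flat' ordering the article criticises: CVSS alone."""
    return [v.vuln_id for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]


# Constructed sample backlog; the comments state the intended contrast.
BACKLOG = [
    Vuln("VULN-A", 9.8, False, False, False),  # critical on paper, never exploited
    Vuln("VULN-B", 6.8, True, True, True),     # medium CVSS, exploited, exposed
    Vuln("VULN-C", 7.5, False, True, True),    # public exploit, exposed
    Vuln("VULN-D", 4.3, False, False, True),   # low, exposed, no exploit known
    Vuln("VULN-E", 8.1, True, True, False),    # exploited in the wild, internal
]

if __name__ == "__main__":
    print("by CVSS alone:      ", cvss_order(BACKLOG))
    print("exploitation-aware: ", patch_order(BACKLOG))
```

Run as a script, the two printed orderings show the shift the article argues for: the 9.8 bug with no known exploitation drops from first to fourth, behind two actively exploited medium and high bugs.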


jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
Scottsdale, AZ
kudos:24

1 recommendation

What do you feel, personally, about Cuckoo?



Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN
reply to Name Game

We need to embrace software whitelisting. Prevx used to do that. I don't know if it still does, since the "life time" purchase I made didn't last long; I believe they were sold after that.

The basic idea is: only software you say can run is allowed to run. If the software isn't on the list, it doesn't run. It makes AV software unneeded, since a new virus can't run. Viruses don't have to be checked; since they aren't on the allowed programs list, they can't run.
--
Want the shirt? - »www.despair.com/thedestructor.html
Not affiliated or making any profit from sales



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 recommendation

reply to jaykaykay

said by jaykaykay:

What do you feel, personally, about Cuckoo?

Guarnieri is spot on about the need for a connection between bugs, attacks and threats, especially in an Enterprise environment. The poor IT these days is in a reactive mode, never really getting a handle on how to be more efficient; he/she has to contend with downtime and how many hours there are in a day. Not patching is never an option, no matter how well you understand your system Security. The need for something like Cuckoo is obvious. I think the concept is correct and wish him well. If you can factor in what vulnerabilities are being weaponized and used, then one can see daylight... and maybe then improve overall Security.

There is also the problem of "will the patch actually work?", or will they change it again the next day, or will it crash the system.
--
Gladiator Security Forum
»www.gladiator-antivirus.com/