chargen is the new DDoS tool?

shawn wilson ag4ve.us at gmail.com
Wed Jun 12 08:17:40 UTC 2013


This is basically untrue. I can deal with a good rant as long as there's
some value in it. As it is (I'm sorta sorry), I picked this apart.

On Jun 12, 2013 12:04 AM, "Ricky Beam" <jfbeam at gmail.com> wrote:
> On Tue, 11 Jun 2013 22:55:12 -0400, <Valdis.Kletnieks at vt.edu> wrote:

> But seriously, how do you measure one's security?

Banks and insurance companies supposedly have some interesting actuarial
data on this.

> The scope is constantly changing.

Not really. The old tricks are the best tricks. And when a default install
of Windows still allows you to request old NTLM authentication and most
people don't think twice about this, there's a problem.

> While there are companies one can pay to do this, those reports are
> *very* rarely published.

It seems you are referring to two things - exploit writing vs. pen testing.
While I hate saying this, there are automated tools that could clean up
most networks for a few K (they can also take down things if you aren't
careful, so I'm not saying spend 2k and forget about it). Basically, not
everyone needs to pay for a professional test out of the gate - fix the
easily found stuff and then consider next steps.

As for exploit writing, you can pay for this and have a 0day for between
$10 and $50k (AFAIK - not what I do with my time / money), but while you've
got stuff with known issues on the net that any scanner can find, thinking
someone is going to think about using a 0day to break into your stuff is a
comical wet dream.

> And I've not heard of a single edu performing such an audit.

And you won't. I'm not going to tell you about past problems with my stuff
because even after I think I've fixed everything, maybe I missed something
that you can now easily find with the information I've disclosed. There are
information sharing agreements between entities generally in the same
industry (maybe even some group like this for edu?). But this will help
with sources and signatures; if your network is like a sieve, fix that first
:)

> The only statistics we have to run with are of *known* breaches.

As I indicated above, 0days are expensive and no one is going to waste one
on you. Put another way, if someone does, go home proud - you're in with
the big boys (military, power plants, spy agencies); someone paid top dollar
for your stuff because you had everything else closed.

> And that's a very bad metric as a company with no security at all that's
> had no (reported) intrusions appears to have very good security, while a
> company with extensive security looks very bad after a few breaches.

I'll take that metric any day :) Most companies only disclose a break-in if
they leak customer data. The only recent example I can think of where this
wasn't true was the Canadian company that develops SCADA software
disclosing that China stole their stuff. Second, if you look at the stocks
of public companies that were hacked a year later, they're always up. The
exception to this is HBGary, who pissed off Anonymous and are no longer in
business (they had shady practices that were disclosed by the hack - don't
do this).

> One has no one sniffing around at all, while the other has teams going at
> it with pick-axes.

If you have no one sniffing around, you've got issues.

> One likely has no one in charge of security, while the other has an entire
> security department.

Whether you have a CSO in name or not might not matter. Depending on the
size of the organization (and politics), a CTO that understands security
can do just as much.
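The post above mentions, in passing, that a default Windows install still lets a peer negotiate the old LM/NTLMv1 flavours of authentication. The knob that controls this is the "Network security: LAN Manager authentication level" policy, which is backed by the LmCompatibilityLevel DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa. The following PowerShell is an added example written for this archive page; it is not code from the poster or from the NANOG thread. It reads the effective level, explains what it means, and offers a guarded way to raise it. The interpretation of the six levels and the "3 when unset" default follow Microsoft's documentation of that policy; the function names are this example's own.

```powershell
# Added example (not from the original post): inspect and optionally raise
# the LAN Manager authentication level, which decides whether this host will
# still send or accept LM / NTLMv1 responses.
# Key and value are the documented registry backing for the GPO setting
# "Network security: LAN Manager authentication level".
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'LmCompatibilityLevel'

# Meaning of each level, as documented for the policy. Levels 0-3 only change
# what the host *sends*; only 4 and 5 make it *refuse* weak responses when
# it is the authenticating server (e.g. a domain controller or file server).
$LevelMeaning = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; refuse LM'
    5 = 'Send NTLMv2 response only; refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # Returns the effective level. When the value is absent the OS default
    # applies: 3 on Windows Vista / Server 2008 and later, which sends
    # NTLMv2 but still accepts LM and NTLMv1 from remote clients.
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $level  = 3
        $source = 'OS default (value not set)'
    } else {
        $level  = [int]$item.$ValueName
        $source = 'registry (may have been written by Group Policy)'
    }
    [pscustomobject]@{
        Level         = $level
        Source        = $source
        Meaning       = $LevelMeaning[$level]
        AcceptsNtlmv1 = ($level -lt 5)   # only level 5 refuses NTLMv1
        AcceptsLm     = ($level -lt 4)   # levels 4 and 5 refuse LM
    }
}

function Set-LmCompatibilityLevel {
    # Needs an elevated session. On a domain-joined host a GPO will overwrite
    # this at the next policy refresh, so set it in the GPO instead.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateRange(0, 5)][int]$Level = 5)

    if ($PSCmdlet.ShouldProcess("$LsaKey\$ValueName", "Set to $Level ($($LevelMeaning[$Level]))")) {
        Set-ItemProperty -Path $LsaKey -Name $ValueName -Value $Level -Type DWord
    }
}

# Report the current state and flag the condition the post complains about.
$current = Get-LmCompatibilityLevel
$current | Format-List
if ($current.AcceptsNtlmv1) {
    Write-Warning ("Level {0}: this host still accepts LM/NTLMv1 responses. " +
                   "Dry run the fix with: Set-LmCompatibilityLevel -Level 5 -WhatIf") -f $current.Level
}
```

Run it as-is to audit a host; add `Set-LmCompatibilityLevel -Level 5 -WhatIf` to see what would change, and drop `-WhatIf` to apply it. Raise the level only after checking that nothing on the network still depends on NTLMv1 (old NAS appliances and some printers are the usual holdouts), since level 5 makes those authentications fail outright.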



More information about the NANOG mailing list