Your risk is not what it used to be
Ariel Waissbein
ToorCon X. September 26-28, 2008. San Diego, CA, USA.
penetration testing, attack simulation, risk management


Yesterday was the second Tuesday of the month: Microsoft’s Patch Tuesday. Today, the security officer gets the "exploits feed" from his pen-testing service. He keeps virtual-machine snapshots for all the different types of servers he has, and after some experimentation with the exploit against these snapshots he realizes that all his Windows servers were vulnerable for the last 5 months. He sets about analyzing his network diagram, plays with a pencil and realizes that someone could have hacked into the SQL server that he uses for the corporate web application, pivoted within the DMZ to the email server, or leveraged privileges to get into the administrator’s computer and from there temporarily opened firewall ports and reached the credit-card databases. This type of analysis can be done whenever new vulnerability information is published, and it gives security officers better security assessment data about their systems. In particular, it shows that information about old vulnerabilities can change an officer's perception of the risks he assumed in the past; it provides realistic information about the threats his systems faced and might help him design better protection; it may point him to certain logs from the past that he must read to check whether the threats were actually exercised; and it might give him a good reason to keep logs for some time. During this talk we will demonstrate how you can use modern technology to perform this analysis efficiently and accurately, and discuss some of the applications mentioned above.
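The pencil-and-diagram analysis from the abstract, sketched as an added example (not code from the talk): it finds the paths to a critical asset that were feasible in the past and the log date ranges worth rereading. Host names, dates, edges and function names are constructed assumptions.

```python
from datetime import date
# Constructed sample data: host names, dates and edges are assumptions for this example.
# EXPOSURE: period in which a host's snapshots proved vulnerable (absent = never affected).
EXPOSURE = {
    "sql-dmz":  (date(2008, 4, 10), date(2008, 9, 10)),
    "mail-dmz": (date(2008, 4, 10), date(2008, 9, 10)),
    "admin-pc": (date(2008, 6, 1), date(2008, 9, 10)),
    "file-srv": (date(2008, 1, 5), date(2008, 3, 1)),
}
# EDGES: (src, dst, needs_exploit); False = hop uses privileges already held at src.
EDGES = [
    ("internet", "sql-dmz", True), ("sql-dmz", "mail-dmz", True),
    ("sql-dmz", "admin-pc", True), ("mail-dmz", "file-srv", True),
    ("admin-pc", "cards-db", False), ("file-srv", "cards-db", False),
]
HORIZON = (date(2008, 1, 1), date(2008, 9, 10))  # period covered by retained logs

def overlap(a, b):
    """Intersection of two (start, end) windows, or None if they are disjoint."""
    start, end = max(a[0], b[0]), min(a[1], b[1])
    return (start, end) if start <= end else None

def historical_paths(entry, target, edges=EDGES, exposure=EXPOSURE, horizon=HORIZON):
    """Simple paths entry -> target, each with the window when every exploited hop was vulnerable."""
    found, stack = [], [(entry, [entry], horizon)]
    while stack:
        node, path, window = stack.pop()
        if node == target:
            found.append((path, window))
            continue
        for src, dst, needs_exploit in edges:
            if src != node or dst in path:
                continue
            w = window
            if needs_exploit:  # the destination must have been vulnerable inside the window
                w = overlap(window, exposure[dst]) if exposure.get(dst) else None
            if w:
                stack.append((dst, path + [dst], w))
    return found

def log_review_plan(paths):
    """Per host on any feasible path, the widest range of log dates to read."""
    plan = {}
    for path, (start, end) in paths:
        for host in path[1:]:
            s, e = plan.get(host, (start, end))
            plan[host] = (min(s, start), max(e, end))
    return plan
```

With this data the route through `file-srv` is discarded because its exposure ended before `mail-dmz` became vulnerable, so only the `admin-pc` route remains and its hosts' logs from June onward are the ones to review.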