Monday, April 27, 2009

Bad Guys pwn you long time

Today is shaping up as all security, all the time. And the news is pretty bad:
Criminal hackers continue to penetrate many more company networks than most administrators care to admit, according to two security experts who offered a list of the most effective exploits used to gain entry.

...

"I believe that a determined but not necessarily well-funded attacker can pretty much break into any organization," Skoudis said. "If you think it's less than 50 percent, I think you need to look a little more carefully."
Ed Skoudis has been doing security for a long time. This is a very pessimistic view of security, but I've also been pretty pessimistic (for example, about the electric power grid).

The problem is that unless you're looking for precisely the right thing at precisely the right time, you won't know if you've been pwned. Even people who do all the right things are looking for a needle in a very large haystack. The distribution of information is very asymmetric, and favors the attacker.

Everything is vulnerable. You know some (but not all) of what is. You'll catch some of the attacks (but not all). All in all, it's a thankless job.

At least the pay's decent.

1 comment:

Eseell said...

Heh, in a few weeks we'll be hiring some consultants to audit our security. I can't wait to see how poorly we do.