[Dailydave] The Threshold of Hackiness

Ben Nagy ben at iagu.net
Thu Jan 3 03:02:50 EST 2013


On Thu, Jan 3, 2013 at 2:27 AM, Paul Johnston
<paul.johnston at pentest.co.uk> wrote:

> 1) Script kiddie - Uses public tools and exploits, but does not
> understand them, and cannot fix problems
> 2) Proficient hacker - Uses public tools and exploits, with full
> understanding; can tweak tools for unusual scenarios
> 3) Advanced persistent threat - Has a collection of zero day exploits,
> and is able to develop new exploits
>
> Now this gets interesting from a defensive point of view. You can stop 1
> and 2 using standard security best practices. But the standard defences
> break down when faced by an attacker with zero day exploits.

Usually I just let this kind of stuff blow past me on DD, but since I
am ranting on twitter now I may as well lower my standards.

There should be no difference at all in 'best practices' regarding
attackers armed with 'public' versus 0day exploits. None.

You can't even become aware of all the "public" exploits, let alone
patch fast enough to hope to eliminate all of those vulnerabilities.
Worse - we're not even considering unique systemic vulnerabilities
that you have introduced yourself (SQLi, logic / process flaws etc)
which don't appear in any exploit database. Even worse - users that
are stupid enough to run any fricking thing someone emails them. This
is why pretty much the only pentests that ever fail are ones where all
the amusing stuff has been scoped out; and that's even after you tell
your pentesters they can't use 0day because it's "cheating".

If your design is not predicated around the fact that you will be
(probably already are) owned at some point then it simply cannot be
considered best practice. Work out how to identify compromise, how to
recover from it and how to mitigate the damage that an individual
compromise can cause.

Or just lose, I'm fine either way.

Cheers,

ben
