Since I’m not using a lot of them working right now, my brain is moving at an insane rate in this late hour.
Before Shmoocon 2013, I’d started on a CFP response, inspired by Mouse’s talk the year before about active defense. My scarred-up brain started down this path after seeing Mudge’s keynote the last year at the Marriott (aka Snow
When he was talking from his carefully-sanitized slides, he showed a common host. It had eight vulnerabilities via a Retina scan.
Someone about four rows back raised his hand. Before he was really recognized to speak, he pointed out that at least three of them were HBSS vulnerabilities.
So, after musing on those two talks some, my premise was, essentially, that building monolithic systems increases the attack vector. So, what do you do? Throw something else on top of that monolith to protect it.
Once the attacker is around the defenses, he’s got a target-rich environment to exploit the system.
Unfortunately, as I was walking through the rebuttal I could expect from the audience, I came across an argument I couldn’t refute — some of these defenses do actually close some holes. While the overall vector may be bigger, it’s less vulnerable to some of the more common attacks.
As I’ve been listening to my wife dig through her math coursework, I’ve been thinking about what the equation on this would look like.
The vector calculation would need to include the overall attack risk of the base OS, each application installed atop the OS, minus the holes patched by the sekurity measures (whether hard or soft).
What are the most common NVD for the OS? Which are closed by the security measures? Of the remaining, what are the of exploit for each?
Busted-ass WinXP box has a 38% chance of getting 0wned in a month. It has Flash and Java installed on it, which raises the chance to 60%. It has SuperSEkurSoftFW installed, which brings the XP number down to 33%, and knocks two points off Java and Flash, leaving 51%.
I wish I had more math skills to write a nasty-looking equation for all this. *sigh*
But the overall concept remains — the less stuff you stack on a host, the smaller the overall vector, regardless of whatever security middleware you throw on it to plug holes.