All it takes is one patch is missed, One computer not taken care of.
Computers must be patched so that Zero-day exploits have minimal affects. We discussed this on July 20th http://oversitesentry.com/why-security-news-scrutinized-to-nth-degree/
After a vulnerability is introduced, an exploit hits the “wild” and then the clock starts ticking, the attackers(criminal hackers) and defenders(software vendors etc) start to create the attacks and defenses. By the time you hear in the news “The patch will be released next month” the attack has been already in the wild for weeks.
We are always playing catchup. Believe it!!
Then we also have other kinds of attacks like website attacks.
Websites must be patched, and coded so that the latest attacks will not be effective.
There are a lot of attacks to protect from (this is the OWASP top10):
1. SQLi SQL injection
2. Broken Authentication and Session Management
3. XSS Cross-Site Scripting
4. Insecure Direct Object Reference
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access control
8. CSRF Cross Site Request Forgery
9. Using Known Valuable Components
10 Unvalidated Redirects and Forwards
Each of the OWASP top10 can do a number on your website.
Now add mobile and wifi as other angles of attack:
How about this as an example:
A simple text message can create malware install on the Android machine.
Why are there so many ways in for attackers? And we have to protect from all of them… Humans code and make mistakes, and most especially we have not been developing software with security in mind.
So now we are back tracking finding the security exploit problems first. Only then do we make the fixes. So our imperfect world was created for functionality first:
Business is developed with high risks and innovation AND security as low in priority.
Who wants to tell their stock owners low growth and innovation?
Now we know what the problem is, how do we fix it in this imperfect world?
Our Customer need = a more secure world.
We need to test the environment and re-evaluate – test and re-evaluate for all the different attack methods.
The end product and process will be a more secure world.
I am fixvirus.com – this is my blog – TonyZ (edited 7/28)