So most of the bash bug solutions I've seen/talked to people about look at "Vulnerability Management" as just that: essentially an extension to your patching program. But in this case, nearly every machine is vulnerable. However, almost NO machines pose a real risk. Everyone has soap in their shower, and yet so few people slip to their death in the morning!
This weird dichotomy between things that are vulnerable, and things that
are at risk, is a real problem with the bash bug and right now it's
being solved with consulting hours for most people. How do you go to the
SEC and say "90% of our infrastructure is vulnerable"? Answer: You
don't. Your Vulnerability Management tools are worthless right now.
An authenticated or credentialed scan with a Vulnerability Management
tool has always had this issue. Nobody knows whether they are in fact at
risk for any issue found with that scan! Perhaps your AV protects you?
Perhaps that port is blacklisted with the HIDS and nobody can touch it.
But the bash bug really highlights this in a way that drives it home to
executives, we've found.
Basically, with external anonymous scanning you have a high false
positive rate. That's bad. But with credentialed scanning, you have no
false positives, but also a very low confidence that the results are
meaningful. This is even worse, in some cases. ("Oh you wanted
vulnerabilities that MATTERED? That's Risk Management, and it's extra!")
Such a strange thing.
-dave
_______________________________________________ Dailydave mailing list [email protected] https://lists.immunityinc.com/mailman/listinfo/dailydave
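The "vulnerable versus at risk" split the post describes can be made mechanical: join the credentialed scan's per-host verdict with an exposure inventory that records whether any service on the host hands untrusted input to bash through the environment, and whether that service is reachable by untrusted clients. The script below is an added example, not code from the post or from any scanner product; the finding and exposure schemas, the service labels and the ten sample hosts are all constructed. It also handles the case the post calls out as the real problem, a host the scan says is vulnerable but for which no exposure data exists, by reporting it as a separate class rather than silently counting it either way.

```python
"""Triage credentialed-scan results for a bash-style bug into
'vulnerable' versus 'at risk'. Constructed example; hypothetical schema."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional

# Service labels (hypothetical inventory vocabulary) for daemons that pass
# untrusted input to bash via environment variables. Only hosts running one
# of these, reachable by untrusted clients, turn a vulnerable bash into risk.
ENV_TO_SHELL_SERVICES: FrozenSet[str] = frozenset(
    {"cgi-http", "sshd-forcecommand", "dhcp-client"}
)


@dataclass(frozen=True)
class Finding:
    host: str
    vulnerable: bool  # credentialed scan: installed bash is an affected build


@dataclass(frozen=True)
class Exposure:
    host: str
    services: FrozenSet[str]          # services listening on the host
    reachable_from_untrusted: bool    # firewall/HIDS lets untrusted clients reach them


def classify(finding: Finding, exposure: Optional[Exposure]) -> str:
    """Map one host to a triage class. Missing exposure data is its own
    class: the scan result alone does not tell us whether it matters."""
    if not finding.vulnerable:
        return "not_vulnerable"
    if exposure is None:
        return "vulnerable_unknown_exposure"
    if not (exposure.services & ENV_TO_SHELL_SERVICES):
        return "vulnerable_no_path"        # affected bash, no service feeds it
    if not exposure.reachable_from_untrusted:
        return "vulnerable_shielded"       # path exists but is fenced off
    return "at_risk"


def triage(findings: Iterable[Finding], exposures: Iterable[Exposure]) -> Dict[str, str]:
    by_host = {e.host: e for e in exposures}
    return {f.host: classify(f, by_host.get(f.host)) for f in findings}


def summary(classes: Dict[str, str]) -> Dict[str, object]:
    """Numbers you can actually report: vulnerable count, at-risk count,
    and how many hosts you cannot make a confident statement about."""
    counts = Counter(classes.values())
    total = len(classes)
    vulnerable = total - counts["not_vulnerable"]
    return {
        "hosts": total,
        "vulnerable": vulnerable,
        "vulnerable_pct": round(100.0 * vulnerable / total, 1) if total else 0.0,
        "at_risk": counts["at_risk"],
        "unknown_exposure": counts["vulnerable_unknown_exposure"],
        "counts": dict(counts),
    }


# Constructed sample: ten hosts, nine with an affected bash, one with a
# reachable CGI front end, one with no inventory record at all.
SAMPLE_FINDINGS = [Finding(f"host{i:02d}", vulnerable=(i != 3)) for i in range(1, 11)]
SAMPLE_EXPOSURES = [
    Exposure("host01", frozenset({"cgi-http"}), True),              # at_risk
    Exposure("host02", frozenset({"sshd"}), True),                  # no path
    Exposure("host03", frozenset({"cgi-http"}), True),              # not vulnerable
    Exposure("host04", frozenset({"dhcp-client"}), False),          # shielded
    Exposure("host05", frozenset({"sshd", "smtp"}), True),          # no path
    Exposure("host06", frozenset({"https"}), True),                 # no path
    Exposure("host07", frozenset({"sshd"}), False),                 # no path
    Exposure("host08", frozenset({"ntp"}), True),                   # no path
    Exposure("host09", frozenset({"sshd", "https"}), True),         # no path
    # host10 deliberately absent: scan says vulnerable, exposure unknown
]


def sample_summary() -> Dict[str, object]:
    return summary(triage(SAMPLE_FINDINGS, SAMPLE_EXPOSURES))


if __name__ == "__main__":
    for host, cls in sorted(triage(SAMPLE_FINDINGS, SAMPLE_EXPOSURES).items()):
        print(f"{host}: {cls}")
    print(sample_summary())
```

On the constructed data this reports 90% of hosts as vulnerable but only one as at risk, with one host flagged as unknown exposure; that last bucket is the honest size of the "low confidence" problem and is the number to drive inventory work, not the 90%.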
