How InfoSec Security Controls Create Vulnerability

One frequent reality in many intrusions is that attackers don’t target the data they are interested in directly; they target the security controls designed to protect them. That is, the very solutions InfoSec professionals craft to protect assets from risks become the means by which the attackers are able to access them. They steal legitimate…


The Inside Story Behind MS08-067

Seven years ago a small set of targeted attacks began. In 2008 an unknown set of attackers had a zero-day vulnerability that would soon have worldwide attention. They were patient and used it quietly in several countries in Asia. The vulnerability was not just good–it was the kind of vulnerability that offensive teams and…


Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.

Defender Mindset
A lot of network defense goes wrong before any contact with an adversary, starting with how defenders conceive of the battlefield. Most defenders focus on protecting their assets, prioritizing them, and sorting them by workload and business function. Defenders are awash in lists of assets—in system management services, in asset inventory databases, in…
