Rick Redman – Tomorrow you can patch that 0day – but your users will still get you p0wn3d Derbycon 2011 (Hacking Illustrated Series InfoSec Tutorial Videos)


In large corporate networks, the existence of a 0day exploit can wreak havoc. But a few weeks later, once patch management has done its job, and the risk is gone, what was the point? What has management learned from the ordeal? What could be improved to prevent the incident from occurring again? Nothing! Is the network now ‘safe’ from attack? Not even close!

In this talk, Rick will show examples of complete penetrations of large corporate networks that were accomplished using no 0day, in fact no “exploits” in the classic sense, at all. Instead, the only things exploited are the mistakes of users and administrators, to elevate privileges all the way to root/Domain Administrator on almost all machines on the network.

But why do a penetration test in this manner? Because it reveals actionable items that can be fixed/mitigated immediately. These fixes will protect the network just as much as patching an 0day. Only, these types of attacks are:

- More likely to occur
- More widespread
- More common
- Not audited by auditing groups
- Easier to perform
- Require less “l33t access” to uber 0day ‘sploits
- Less likely to be reported on by the security community

If you get nothing out of this talk, you can at least laugh at how easy some complete compromises of Fortune 500 networks can be.

I would like for this talk to be a conversation starter about the importance of security research into 0day vulns. This type of research is very important to our industry, but is not helping to secure corporate environments. Is it worth it? Is the fame and fortune misplaced? Does the security community REALLY care if corporate networks are secure or not?


Copyright 2016, IronGeek