How do we patch the right things? - Josh Bressers - PSW #840

Aug 22, 2024

Josh Bressers, a knowledgeable figure in vulnerabilities and exploits, dives into the complexities of patch management. He discusses the limitations of tools like MITRE ATT&CK and CVSS in accurately prioritizing vulnerabilities. The conversation emphasizes the importance of context in patching decisions and addresses the challenges of tracking incidents that lack CVEs. Bressers shares insights on the balance between urgent patches and asset criticality, highlighting personal anecdotes that shed light on navigating the evolving cybersecurity landscape.

Ask episode

Chapters

Transcript

Episode notes

Intro

00:00 • 3min

Navigating Vulnerability Management

03:10 • 24min

Navigating Patch Management Challenges

27:20 • 14min

Navigating Software Updates and Security Risks

41:41 • 21min

Appreciation for SOC Analysts and Insights on Cybersecurity Exploits

01:02:12 • 5min

Navigating Vulnerability Exploitation

01:07:07 • 12min

Controversy and Resolution: A Defcon Incident

01:18:44 • 4min

Navigating Security: From Locks to Operating Systems

01:22:33 • 28min

Exploring Hardware Security Vulnerabilities and Virtualization Insights

01:50:31 • 5min

Exploring Bluetooth Innovations and DIY Portable Routers

01:55:05 • 2min

Nostalgia and Knowledge in Cybersecurity

01:57:32 • 6min

Navigating Data Security and Internet Culture

02:03:20 • 26min

Navigating Security Risks in Credential Management

02:28:55 • 25min

Exploring BMC Vulnerabilities and Security Misconfigurations

02:53:32 • 5min

Every week here on the show we talk about vulnerabilities and exploits. Typically we recommend that organizations remediate these vulnerabilities in some way. But how? And more importantly, which ones? Some tools we have to help us are actually not all that helpful at time, such as:

Mitre Att&ck - Don't get me wrong, this is a great project and Adam and team is doing a great job. However, its not a complete picture as we can't possibly know about every attack vector (or can we?). People seem to think if they cover everything in the framework they will be secure. You can't cover everything in the framework because each technique can be utilized by an attack in a hundred different ways.
CVSS - Anyone can apply a score, but who is correct? Good that we have a way to score things, but then people will just use this as a basis for what they patch and what they do not. Also, chaining vulnerabilities is a thing, but we seem to lack any way to assign a score to multiple vulnerabilities at once (different from a technique). Also, some things don't get a CVE, how are you tracking, assessing risk, and patching these?
CISA KEV - Again, love the project and Tod is doing amazing work. However, what about things that do not get a CVE? Also, how do you track every incident of an attacker doing something in the wild? Also, there is frequency, just because something got exploited once, does that mean you need to patch it right away? How are we tracking how often something is exploited as it is not just a binary "yes, its exploited" or "no, it is not".
EPSS - I do like the concept and Wade and Jay are doing amazing work. However, there seems to be a "gut reaction" thing going on where we do see things being exploited, but the EPSS score is low. How can we get better at predicting? We certainly have enough data, but are we collecting the right data to support a model that can tell us what the attackers will do next?

This week: YAVD: Yet Another Vulnerable Driver, why bring your own when one already exists, backdoors in MIFARE Classic, wireless hacking tips, AMD sinkclose vulnerability will keep running, you down with SLDP yea you know me, Phrack!, IoTGoats, Pixel vulnerabilities, leaking variables, a DEF CON talk that was not cancelled, Telnet is still a thing, More CNAs, and the last thing Flint Michigan needed was a ransomware attack!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw-840