Even very smart guys like Dave don't understand risk basics. Attack costs, anyone? #ntiacollab https://twitter.com/daveaitel/status/672101231867858944 …
@SpireSec are you suggesting risk only begins when a vuln is publicly disclosed? (cc @daveaitel)
@attritionorg no, that would be silly. I am suggesting risk is a function of vulns AND threats. @daveaitel
@SpireSec gotcha. i think that is primarily what @daveaitel was speaking to with the original tweet, in context of #ntiacollab discussion
@attritionorg regardless, in most (but not all) cases, vuln disclosure is risk-increasing. That puts ppl more in harm's way. @daveaitel
@SpireSec @attritionorg @daveaitel short term risk increase, longer term reduction if fixes/defenses deployed?
@zmanion possibly, but rarely enough, imo. SaaS may be exception since 100% fix possible. @attritionorg @daveaitel
@SpireSec @attritionorg @daveaitel disclosure informing defenders, otherwise only attackers know? More info = better risk decision?
@zmanion rediscovery rates are extremely low and "attackers know" about all sorts of vulns, incl those that defenders don't. @attritionorg
@attritionorg it's not hard, really - if u reduce attacker costs (e.g. w vuln discl) then u increase threat. @daveaitel