Hello from San Francisco, home of the 2012 UNITED Summit.
It's been an incredibly full day. I'm writing this quick update from an excellent presentation that nex of Cuckoo Sandbox fame is giving about threat modelling. According to Claudio's research, only 103 of the almost 50,000 vulnerabilities in the NVD are actually being exploited in crimeware kits like BlackHole.
Claudio identified MS Office as the most exploited piece of software for targeted attacks, while Java is far and away the most targeted for mass-malware or "drive-by" attacks. Flash and Java are getting more and more popular due to their cross-platform nature, meaning attackers can achieve broader reach. Still, the takeaway is that the thousands of vulnerabilities that are out there come down to three vendors: Adobe, Oracle, and Microsoft. This can help you to prioritize patching by vendor and product.
My personal (and concerning) takeaway? That attackers are using far more basic and unsophisticated malware options, i.e. no exploits, that are not detected by our current technologies. While it's less common currently, we're going to see social engineering continue to gain ground.
Claudio is doing an excellent job of engaging his audience, as people are adding their opinions and asking questions at every point he makes to further this conversation. He wants us to look at security in a new way - what could possibly happen vs. what is actually likely to happen, and to use that data to make intelligent decisions about how to best secure our networks.
If you're here and you're following along with these talk tracks, use our hashtag #Unitedsummit to get us your feedback and questions, and to start making those connections that are valuable to us all.
Also, if you're walking around, stop me and say hi. I'd love to get the chance to speak with you in person.
More updates coming soon - so stay tuned here!