I’ve stood atop the world’s largest meteorite. The Hoba meteorite is a solid chunk of metal weighing 60 tons, and is about as big as the ‘60s kombi that took us to its location in the remote Namibian desert. On colliding with the hard earth at 1,000 feet per second, Hoba would have made quite a sizeable impact crater.
Common sense and compliance directs us to wear a crash helmet when riding a bicycle or motorcycle. In the dark ages, knights wore a full suit of armour for protection, when under threat of sword or archery attack. Some parts of the world are so inhospitable that it is advisable to drive an armoured vehicle for protection.
However, if you put on your crash helmet and suit-up with body armour while driving your armoured vehicle, and you are then hit by a meteorite the size of Hoba, you are history. Finito. Kaput.
But this is so unlikely that you needn’t be concerned about it.
Penetration testers are becoming increasingly skilled at breaking defences these days. There are very powerful tools available to exploit the slightest vulnerabilities. And when they reach the limits of these tools, pentesters play a theoretical “what if” game. What if you are wearing bullet-proof underwear, and what if you have the best titanium crash helmet, and what if you are wearing the latest Kevlar suit of armour while driving your tank-grade Hummer, and a meteorite the size of a house flies out of the sky at a gazillion miles an hour and lands on your head? Hasta la vista.
It seems that pentesters dream up increasingly bizarre scenarios to identify security vulnerabilities. It makes them look smart. These theoretical games are unconstrained by the economic realities of black hat hackers who need to see a return on their time investment.
Theoretical “what if” games assume a variety of conditions which must exist simultaneously for a vulnerability to emerge. Each of these conditions individually has a probability of existing. The overall probability of all conditions existing simultaneously is the product of the individual probabilities (assuming the conditions are independent of one another). As soon as a vulnerability relies upon the existence of two or more theoretical conditions, it rapidly approaches the realm of deep space and time warps. Often the “what if” game produces an overall probability so low in the real world as to be of little significance.
There comes a point past which these theoretical “what if” scenarios outlive their usefulness. They then serve only to scare the less knowledgeable. We don’t need to fret about meteorites: the chances of being hit are far too low, and if you are unlucky enough to be the target of a large meteorite there is nothing you can do about it anyway.
Penetration tests need to be interpreted carefully to properly understand the nature and realistic likelihood of a vulnerability:
– If the pentester has actually performed an attack, then give this a lot of weight. It is a real and proven vulnerability.
– If the pentester did not actually perform the attack, but relies on a “what if” scenario, then carefully evaluate the probability of this condition or series of conditions existing in the real world. Also evaluate the difficulty of performing the attack – if an experienced pentest team cannot actually perform the attack within a two- or three-week test, then this is an indication of its threat.
– Ignore meteorites – those threats which are so unlikely that they are not worth considering.
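The three rules above, together with the product-of-probabilities reasoning earlier in the post, can be turned into a small triage routine. The following is an added example, not code from the author of this post: it ranks findings so that demonstrated attacks come first, chained “what if” scenarios are ordered by the joint probability of their preconditions, and anything below a cut-off is labelled a meteorite. The threshold of 1e-3, the 15-day test window, the sample findings and their probabilities are all constructed assumptions for illustration. It also reports an upper bound (the smallest single precondition probability) because the product only holds when the conditions are independent; a practitioner should check that the finding is a meteorite under both bounds before discarding it.

```python
"""Triage pentest findings: proven attacks first, chained "what if"
scenarios by joint probability, meteorites last.  Added example, not the
post's own method; thresholds and sample data are constructed."""
from dataclasses import dataclass, field
from math import prod

# Assumed organisational settings (not from the post).
METEORITE_THRESHOLD = 1e-3   # below this joint probability, ignore the finding
TEST_WINDOW_DAYS = 15        # a two- to three-week engagement, as in the post


@dataclass
class Finding:
    name: str
    demonstrated: bool                      # tester actually executed the attack?
    preconditions: list = field(default_factory=list)  # P(condition) for each "what if"
    effort_days: float = 0.0                # estimated effort for a skilled attacker


def joint_probability(preconditions):
    """Probability that every precondition holds at once, assuming independence."""
    for p in preconditions:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")
    return prod(preconditions) if preconditions else 1.0


def joint_bounds(preconditions):
    """(lower, upper) bounds on the joint probability: the product if the
    conditions are independent, the minimum if they are perfectly correlated."""
    if not preconditions:
        return 1.0, 1.0
    return joint_probability(preconditions), min(preconditions)


def classify(finding, threshold=METEORITE_THRESHOLD, window=TEST_WINDOW_DAYS):
    """Apply the post's three rules to a single finding."""
    if finding.demonstrated:
        return "proven"                     # rule 1: real and proven, give it weight
    if joint_probability(finding.preconditions) < threshold:
        return "meteorite"                  # rule 3: too unlikely to consider
    if finding.effort_days > window:
        return "theoretical-hard"           # rule 2: not achievable within the test
    return "theoretical"


RANK = {"proven": 0, "theoretical": 1, "theoretical-hard": 2, "meteorite": 3}


def triage(findings):
    """Order findings by class, then by descending joint probability."""
    return sorted(
        findings,
        key=lambda f: (RANK[classify(f)], -joint_probability(f.preconditions)),
    )


def report(findings):
    """Rows of (name, class, lower bound, upper bound) in triage order."""
    rows = []
    for f in triage(findings):
        lower, upper = joint_bounds(f.preconditions)
        rows.append((f.name, classify(f), lower, upper))
    return rows


# Constructed sample findings; names and probabilities are invented.
SAMPLE_FINDINGS = [
    Finding("Cold-boot key recovery after theft of a powered server",
            demonstrated=False, preconditions=[0.01, 0.05, 0.2], effort_days=5),
    Finding("Privilege escalation via scheduled-task race",
            demonstrated=False, preconditions=[0.3, 0.2, 0.5], effort_days=30),
    Finding("SQL injection on the login form",
            demonstrated=True, effort_days=0.5),
    Finding("Session fixation via predictable token",
            demonstrated=False, preconditions=[0.4, 0.5], effort_days=3),
]

if __name__ == "__main__":
    for name, cls, lower, upper in report(SAMPLE_FINDINGS):
        print(f"{cls:17} {lower:.4g}..{upper:.4g}  {name}")
```

Running the block prints the four constructed findings in the order proven, theoretical, theoretical-hard, meteorite. The lower..upper column is the part worth reading: a scenario whose product is tiny but whose minimum precondition probability is not may simply have correlated conditions, and deserves a second look before being filed as a meteorite.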
Crash helmets are still appropriate even where there is the threat of meteorites. The penetration testing industry risks becoming irrelevant if it relies too heavily on meteorites.