How to hack a country for fun and profit presented at Sec-T 2013

by David Jacoby,

Summary : We often hear about how companies get compromised by zeroday vulnerabilities. When I started to analyze the discussions and topics the most discussed and commented are about national security and APT attacks or advanced exploitation techniques I then asked myself; does it really take an APT with some advanced zeroday vulnerabilities to attack a country? Together with other security experts we collected some quite interesting facts on what the actual security level looks like.
The presenter has together with Outpost24; the automated vulnerability scanning vendor extracted statistics and information about which vulnerabilities are ACTUALLY vulnerable against, and also collected stats about how many companies are still vulnerable against stuff that's, 6 months, 1,2,3,4 years etc.
The presentation also includes a section about "critical infrastructure", what is considered as C.I? Most people think about power plants and weird systems running SCADA and what not. but what about Hotels? Schools? Hospitals? Radio etc?
The conclusion is that we are doing something wrong, and maybe its part of the industry, that we focus WAY to much on the cool and crazy technology and that we actually forget the "real" security that we need to work with. Also, the solutions that we buy might not be as good as we think they are, or that we simply do not have the knowledge to use the tools correctly.