Jiu Jitsu vs InfoSec: New Bypasses
This is part of a series comparing Jiu Jitsu with InfoSec.
The world of BJJ has apparently evolved quite a bit in recent decades (as a newcomer, I didn’t experience this directly, but there is good historical documentation out there). New approaches in offense and defense emerge as high-level BJJ players try new things in their gyms and eventually showcase them in competitions, where the successful techniques are observed by other players and later emulated. Some of these new or advanced techniques are new guard bypasses and sweeps — new ways to bypass an opponent’s defensive countermeasures.
In InfoSec, we frequently hear about 0days, or exploits that are so new that the vulnerabilities do not yet have a patch or mitigating control. Sometimes we hear about new whitelisting bypasses (these days they may be more common than 0days that have widespread impact). Like BJJ, InfoSec is constantly evolving as well.
However, in both BJJ and InfoSec, the most common way to lose (er, I mean learn — see Jiu Jitsu vs InfoSec: You Win or You Learn) is with the fundamentals. In BJJ, a match may end with a submission that a white belt is taught in the early days of training. In InfoSec, it may be something as simple as not changing default passwords when software was deployed.
It’s easy for the BJJ novice to get wrapped up in concern about an opponent performing the exotic flying triangle choke, yet forget the basic “telephone” hand position to block a simple choke from the more common side control position.
In InfoSec, it’s easy for a security department to worry about how well they are protected against 0days from nation-state hacking teams that are leaked to the Internet, when their biggest concern should be removing that Internet-facing Tomcat manager instance with the “admin/admin” username/password.
Excel at the basics before moving on to the exotic.
