Jiu Jitsu vs InfoSec: New Bypasses

Tim MalcomVetter
Jul 20, 2017 · 2 min read

This is part of a series comparing Jiu Jitsu with InfoSec.

The world of BJJ has apparently evolved quite a bit in recent decades (as a newcomer, I didn’t experience this directly, but there is good historical documentation out there). New approaches in offense and defense emerge as high-level BJJ players try new things in their gyms and eventually showcase them in competitions, where the successful techniques are observed by other players and later emulated. Some of these new or advanced techniques are new guard bypasses and sweeps — new ways to bypass an opponent’s defensive countermeasures.

In InfoSec, we frequently hear about 0days: exploits so new that the vulnerabilities they target do not yet have a patch or mitigating control. Sometimes we hear about new whitelisting bypasses (these days they may be more common than 0days with widespread impact). Like BJJ, InfoSec is constantly evolving.

However, in both BJJ and InfoSec, the most common way to lose (er, I mean learn — see Jiu Jitsu vs InfoSec: You Win or You Learn) is by failing at the fundamentals. In BJJ, a match may end with a submission that a white belt is taught in the early days of training. In InfoSec, it may be something as simple as not changing default passwords when software is deployed.

It’s easy for the BJJ novice to get wrapped up in concern about an opponent performing the exotic flying triangle choke, yet forget the basic “telephone” hand position to block a simple choke from the more common side control position.

In InfoSec, it’s easy for a security department to worry about how well they are protected against nation-state hacking teams’ 0days that have been leaked to the Internet, when their biggest concern should be removing that internet-facing Tomcat manager instance with the “admin/admin” username/password.

Excel at the basics before moving on to the exotic.

Read more: Jiu Jitsu vs InfoSec: Focus on Weaknesses


Written by Tim MalcomVetter

Red Team Leader at Fortune 1. I left my clever profile in my other social network: https://www.linkedin.com/in/malcomvetter
