Re: Would you bet your life on your security?

[simon <simon () snosoft com>]

Dave,
	Prior to testing we define what we would consider to be a real 
vulnerability.  For example, information leaks that leak critical system 
information that could lead to a compromise would be a threat/warning. 
Information leaks that leak information about the system time would not 
be considered a vulnerability, but rather a notice.

There are four stages, the later three are considered vulnerabilities:

1-) Notice
2-) Warning
3-) Threat
4-) Critical

If anyone wants more information on the way we classify risks feel free 
to shoot me a message.

David Gillett wrote:
>   There's a truism to the effect that the only secure
> machine is unusable.  So if this outfit has any competence
> at all they *will* find vulnerabilities in any useful
> network.
>   The more critical question is, can they find vulnerabilities 
> that the organization does not consider an acceptable risk
> associated with being in business.  Since different
> organizations have different tolerances for risk, this
> may be hard to guess up front -- I doubt they're willing
> to bet on THAT.
>
> David Gillett
>
>
>
> > -----Original Message-----
> > From: Eric Brown [mailto:ericbrow () ziplip com]
> > Sent: October 1, 2003 19:04
> > To: simon; security-basics () securityfocus com
> > Subject: Re: Would you bet your life on your security?
> >
> >
> > Hello Simon,
> >
> > I'm pretty new to security, but this is discouraged by the 
> > ISECOM in their most current Open Source Security Testing 
> > Methodology Manual, p. 18, "2. The offering of free services 
> > for failure to penetrate or provide trophies from the target 
> > is forbidden." 
> >
> > I wouldn't know this if I hadn't just read it though.  
> > Eric
> >
> >
> > > -----Original Message-----
> > > From: simon [mailto:simon () snosoft com]
> > > Sent: Wednesday, October 01, 2003, 4:18 PM
> > > To: security-basics () securityfocus com
> > > Subject: Would you bet your life on your security?
> > >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > All,
> > > 	I'm not sure how many of you have had good security 
> >
> > audits in the 
> >
> > > recent past so I thought I'd show you this. In summary 
> >
> > Secure Network 
> >
> > > Operations, Inc. will do an external security audit of your 
> >
> > network for 
> >
> > > approx $1000.00.  If they don't find any vulnerabilities, 
> >
> > then the audit 
> >
> > > is FREE and they send you a letter of validation. If they do find 
> > > vulnerabilities, then they charge you and send you a formal 
> >
> > report that 
> >
> > > details their finds and grades your network.
> > >
> > > 	Given some of the new laws that have been passed this 
> >
> > seems like a 
> >
> > > pretty good service and a VERY cheap way to validate your companies 
> > > security. Secure Network Operations also has a flawless 
> >
> > track record and 
> >
> > > has the references to prove it.
> > >
> > > Why do I think this is a good idea? Well, the California 
> >
> > identity theft 
> >
> > > law (Civil Code 1798.82),The new federal banking 
> >
> > regulations are two 
> >
> > > reasons. They both  make disclosure of a compromise 
> >
> > MANDITORY. You need 
> >
> > > to tell ALL of your clients, by law, that you have been 
> >
> > compromised and 
> >
> > > that their identities may have been stolen.
> > >
> > > So anyway, I'll shut up.  For those of you that are 
> >
> > interested check out 
> >
> > > the link below. For those of you that arent, I'm just 
> >
> > trying to help 
> >
> > > people out so don't flame me or I'll /dev/null your mail.
> > >
> > > http://www.secnetops.com/pesa-form_html.html
> > >
> > > Their web site is: http://www.secnetops.com
> > > - -- 
> > > Regards,
> > >         -simon-
> > >
> > >
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v1.2.1 (GNU/Linux)
> > > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> > >
> > > iD8DBQE/e0/Nf3Elv1PhzXgRAqczAJ9jLoYmBi1aCs6DA49cB7nusXhv2QCgzeF6
> > > 0kewAu0Xz4t6+F5Px6kfKc8=
> > > =9AWM
> > > -----END PGP SIGNATURE-----
> >
> > --------------------------------------------------------------
> > -------------
> >
> > --------------------------------------------------------------
> > --------------
> >
> >
> > To do is to be.  -Socrates
> > To be is to do.  -Satre
> > Do be do be do.  -Sinatra
> >
> > --------------------------------------------------------------
> > -------------
> > --------------------------------------------------------------
> > --------------
>
>
> ---------------------------------------------------------------------------
> ----------------------------------------------------------------------------



---------------------------------------------------------------------------
----------------------------------------------------------------------------