Penetration Testing mailing list archives
RE: Risk metrics
From: tcp fin <inet_inaddr () yahoo com>
Date: Wed, 2 Nov 2005 05:08:15 -0800 (PST)
Hi,

Totally agreed with the last post. However, I have been using the following matrix, which may be useful. I am not giving you details on critical data or the infrastructure used to store, process and read the given critical data.

Considering there is critical data D1, stored and processed on servers S1, S2 ... and clients C1 and C2. Now vulnerabilities on these systems become really high, as compared to other systems which may be vulnerable but not directly connected to storing, processing or reading the critical data. Assuming there is enough segregation of servers and clients handling critical data as compared to other servers.

Vulnerability: Directory Traversal
Impact (Technical): Root of the System
Direct Access to Critical Data: Read/Write
Time Required for Exploit:
Business Impact: High/Medium/Low, based on company size and turnover along with the ease of executing the vulnerability
Ease of Fix: Hard to Fix (details may be put after talking to the server owner and admin, based on the patch or application fixes that may be required)
Workaround: None (if the vulnerability can be prevented by blocking a port for some time or dropping something at the IDS/IPS)
OS:
Application:
Other Possible Impact: Getting sniffed data from the compromised machine, and possibly getting access to the critical data if the server currently being hacked is not the server handling the critical data directly.

Hope this helps.

TCP FIN

--- Marc Heuse <Marc.Heuse () nruns com> wrote:
Hi,

if there were standard metrics, they would have been in the guide :-)

To be serious: in risk management there are standard metrics. The most used one is to determine Likelihood and Impact of a risk. These are then described as low/medium/high (or very low, low, medium, high, critical; or ... well, you get the picture). Or you put values in there, e.g. the likelihood that it happens once a year is 20%, the impact would be $10k. This is then called Expected Annual Loss, or Annual Loss Expectancy. And then there is CRAMM (British standard), which uses values from 1-10 for these.

Basically it is very hard to use likelihood and impact in a pentest report. Who can convince everyone that the likelihood of exploitation of a weak password is xx%? It just doesn't work. Then the impact - if you are not working within the company for whom you are performing the pentest, it is very, very hard to have an idea of the costs.

So for pentesting - especially when providing pentest services - other metrics are needed. But there are no standards for that. From my philosophy and experience there are just a few helpful metrics: criticality of a vulnerability (a metric like 1: harmless information gathering, to 10: remote control of a complete network/infrastructure), and level of exposure (e.g. 1: controlled keyboard access only, 10: Internet connection without filtering). Some customers also want to know the difficulty level to exploit, or the knowledge level required by the attacker (e.g. 1: needs to be able to move a mouse, 10: strong reverse engineering, assembler coding, machine-level knowledge on several platforms etc. required). But this is a trap - if there is a tool or exploit which you don't know about, or which is released some days/weeks later, the difficulty drops - but nobody will update a table in a report in return.

Cheers,
Marc
====================================================================
Marc Heuse
n.runs GmbH
Mobile Phone: +49-160-98925941
Key fingerprint = AE3F CDC0 8C7B 8797 BEAC 4BF8 EC8F E64B 0A84 EA10
====================================================================
-----Original Message-----
From: RSMC [mailto:smcsoc () yahoo es]
Sent: Monday, 31 October 2005 14:57
To: pen-test () securityfocus com
Subject: Risk metrics

Hi,

As OSSTMM states, "Reports must use only qualitative metrics for gauging risks based on industry accepted methods". What metrics are more suitable to use in pen-testing services?

Thanks in advance,
Rafael San Miguel Carrasco
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
__________________________________
Yahoo! FareChase: Search multiple travel sites in one click. http://farechase.yahoo.com
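The two metric families discussed in this thread (Marc's likelihood x impact / Annual Loss Expectancy and his 1-10 criticality and exposure scales, plus the "direct access to critical data" field from TCP FIN's matrix) can be turned into a reproducible ranking of findings. The following Python is an added example written for this archive page; it is not code from any of the posters. The combination rule (criticality times exposure, plus a fixed bump for systems that touch critical data), the Low/Medium/High thresholds and the sample findings are all assumptions made here for illustration, and the `Finding` fields are named after the thread's vocabulary rather than any standard.

```python
# Added example (not code from the thread): helpers that turn the risk metrics
# discussed above into a reproducible ranking of pentest findings. The scales
# follow Marc's description (1..10); the combination rule, thresholds and the
# sample findings are assumptions for illustration.
from __future__ import annotations

from dataclasses import dataclass, replace

SCALE_MIN, SCALE_MAX = 1, 10


def annual_loss_expectancy(annual_likelihood: float, impact: float) -> float:
    """Classical risk-management metric: probability that the loss event
    occurs within a year, times the cost of one occurrence (ALE)."""
    if not 0.0 <= annual_likelihood <= 1.0:
        raise ValueError("likelihood must be a probability in [0, 1]")
    if impact < 0:
        raise ValueError("impact must be non-negative")
    return annual_likelihood * impact


def _check_scale(name: str, value: int) -> None:
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{name} must be in {SCALE_MIN}..{SCALE_MAX}, got {value}")


@dataclass(frozen=True)
class Finding:
    title: str
    criticality: int        # 1 = harmless info gathering .. 10 = control of the whole network
    exposure: int           # 1 = controlled keyboard access only .. 10 = unfiltered Internet
    difficulty: int         # 1 = trivial .. 10 = deep reverse engineering / assembler skills
    touches_critical_data: bool = False   # host stores, processes or reads the critical data
    workaround: str = "None"

    def __post_init__(self) -> None:
        for name in ("criticality", "exposure", "difficulty"):
            _check_scale(name, getattr(self, name))


def severity_score(f: Finding) -> int:
    """Assumed combination rule: criticality x exposure (1..100), plus a fixed
    bump for systems handling critical data, capped at 100."""
    score = f.criticality * f.exposure
    if f.touches_critical_data:
        score = min(100, score + 20)
    return score


def severity_band(score: int) -> str:
    """Assumed thresholds mapping the numeric score onto the usual bands."""
    if score >= 60:
        return "High"
    if score >= 25:
        return "Medium"
    return "Low"


def public_exploit_released(f: Finding) -> Finding:
    """Marc's trap: once a tool or exploit is public, the difficulty drops.
    Return a revised copy instead of mutating the record, so the original
    assessment survives next to the updated one in the report history."""
    return replace(f, difficulty=SCALE_MIN)


def rank(findings: list[Finding]) -> list[str]:
    """Report order: highest severity first; ties broken by lower difficulty
    (the easier-to-exploit issue is listed first), then by title."""
    ordered = sorted(findings, key=lambda f: (-severity_score(f), f.difficulty, f.title))
    return [f.title for f in ordered]


# Constructed sample findings (hypothetical hosts, not from any real engagement).
SAMPLE = [
    Finding("Banner disclosure on S2", criticality=1, exposure=10, difficulty=1),
    Finding("Directory traversal on S1", criticality=7, exposure=8, difficulty=4,
            touches_critical_data=True, workaround="Block the port at the IPS until patched"),
    Finding("Weak local password on C1", criticality=6, exposure=2, difficulty=2,
            touches_critical_data=True),
]


if __name__ == "__main__":
    print("ALE for 20%/year at $10k:", annual_loss_expectancy(0.2, 10_000))
    for title in rank(SAMPLE):
        f = next(x for x in SAMPLE if x.title == title)
        print(f"{severity_band(severity_score(f)):6} {severity_score(f):3}  {title}")
```

Keeping `Finding` frozen and producing revised copies via `public_exploit_released` is the practical answer to Marc's point that nobody updates the difficulty column after the fact: the original and the revised assessment are both records, so a re-run of `rank` after an exploit becomes public is a diff against the delivered report rather than a silent edit.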
Current thread:
- RE: Risk metrics Marc Heuse (Nov 01)
- RE: Risk metrics tcp fin (Nov 03)
- <Possible follow-ups>
- RE: Risk metrics Michael Gargiullo (Nov 03)
- Re: Risk metrics Pete Herzog (Nov 04)
- RE: Risk metrics Marc Heuse (Nov 05)
- Re: Risk metrics Pete Herzog (Nov 05)
- Re: Risk metrics v b (Nov 05)
- Re: Risk metrics Pete Herzog (Nov 04)
- Re: RE: Risk metrics inet_inaddr (Nov 05)