RE: Risk metrics

[tcp fin <inet_inaddr () yahoo com>]

Hi , 
Totally agreed with the last post.
However I have been using following matrix which may
be useful .  I am not giving u details on critical
data or Infrastrucure used to Store, Process , Read
the Given critical Data . 
Considering There is a critical Data D1. 
Stored and processed , on serrvers S1, S2 ....and
Clients C1 and C2. 

Now vlnerabilities on these systems becomes really
High , as compare to other systems which may be
vulnerable but not directly connected to Store process
or read the Critical Data. Assuming there is enough
segregation of Servers and Clients handling critical
data as compare to other servers. 

Vulnerability   Directory Traversal
Impact (Technical) Root of the System 
Direct Access to Critical Data : Read Write 
Time Required for Exploit: 
Business Impact : High/Medium/Low based on company
size and Turn over along with the Ease of executing
the Vulnerability 
Ease of Fix: Hard to Fix (Details may be put after
talking to Server owner and Admin based on patch or
aplication fixes that may require). 
Work around : None (If vulnerability can be prevented
by blocking port for some time or  dropping something
at IDS/IPS)
OS : 
Application :
Other Possible impact: Getting the Sniffing data from
the compromised machine and may get the access to the
Critical data if the current server being hacked is
not the server handling Critical data directly. 

Hope this helps. 
TCP FIN,


--- Marc Heuse <Marc.Heuse () nruns com> wrote:

> Hi,
>
> if there would be standard metrics, they would have
> been in the guide :-)
>
> to be serious: in risk management there are standard
> metrics.
> the most used one is to determine Likelyhood and
> Impact of a risk.
> These are then described as low/medium/high (or very
> low, low, medium, high,
> criticak; or ... well you get the picture). Or you
> put values in there,
> e.g. liklyhood that it happens once a year is 20%,
> impact would be 
> $10k. This is then called Expected Anual Loss, or
> Anual Loss Expectancy.
> And then there is CRAMM (british standard) which
> uses values from 1-10 for these.
>
> Basically it is very hard to use likelyhood and
> impact in a pentest report.
> Who can convince everyone that the liklyhood of
> exploition of a weak password
> is xx%? It just doesnt work. Then the impact - if
> you are not working within
> the company for whom you are performing the pentest,
> it is very, very hard
> to have an idea of the costs.
>
> So for pentesting - especially when providing
> pentest services - other
> metrics are needed. But there are no standards for
> that.
> From my philosophy and experience there are just a
> few metrics helpful:
> criticality of a vulnerability (metric like 1:
> unharmful information
> gathering to 10: remote control of a complete
> network/infrastructure),
> and level of exposure (e.g. 1: controlled keyboard
> access only,
> 10: Internet connection without filtering).
> Some customers also want to know the difficulty
> level to exploit or
> knowledge level required by the attacker (e.g. 1:
> needs to be able
> to move a mouse, 10: strong reverse engineering,
> assembler coding,
> machine level knowledge on several platforms etc.
> required). But this
> is a trap - if there is a tool or exploit which you
> dont know, or is
> released some days/weeks later, the difficulty drops
> - but nobody will
> update a table in a report in return.
>
> Cheers,
> Marc
====================================================================
> Marc Heuse
> n.runs GmbH
> Mobile Phone: +49-160-98925941
> Key fingerprint = AE3F CDC0 8C7B 8797 BEAC  4BF8
> EC8F E64B 0A84 EA10
====================================================================
>  
> -----Original Message-----
> From: RSMC [mailto:smcsoc () yahoo es] 
> Sent: Montag, 31. Oktober 2005 14:57
> To: pen-test () securityfocus com
> Subject: Risk metrics
>
> Hi,
>
> As OSSTMM states, "Reports must use only qualitative
> metrics for gauging risks based on industry accepted
> methods".
> What metrics are more suitable to use in pen-testing
> services?
>
> Thanks in advance,
>
> Rafael San Miguel Carrasco
------------------------------------------------------------------------------
> Audit your website security with Acunetix Web
> Vulnerability Scanner: 
>
> Hackers are concentrating their efforts on attacking
> applications on your 
> website. Up to 75% of cyber attacks are launched on
> shopping carts, forms, 
> login pages, dynamic content etc. Firewalls, SSL and
> locked-down servers are 
> futile against web application hacking. Check your
> website for vulnerabilities 
> to SQL injection, Cross site scripting and other web
> attacks before hackers do! 
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
>
------------------------------------------------------------------------------
> Audit your website security with Acunetix Web
> Vulnerability Scanner: 
>
> Hackers are concentrating their efforts on attacking
> applications on your 
> website. Up to 75% of cyber attacks are launched on
> shopping carts, forms, 
> login pages, dynamic content etc. Firewalls, SSL and
> locked-down servers are 
> futile against web application hacking. Check your
> website for vulnerabilities 
> to SQL injection, Cross site scripting and other web
> attacks before hackers do! 
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
>



                
__________________________________ 
Yahoo! FareChase: Search multiple travel sites in one click.
http://farechase.yahoo.com

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------