Security Basics mailing list archives

RE: to be or not to be of vulunerbility assesment report


From: Sheldon Malm <Sheldon_Malm () rapid7 com>
Date: Mon, 31 Jan 2011 07:34:58 -0500

As a follow-up ... if by "Resource Required" you mean the type of human resource (rather than expertise level), then 
you would replace "Standard (non specialist)" with values such as "Windows Administrator", "Oracle Administrator", 
etc.; or more specific details if you know who the asset owner/custodian is (jsmith, djones, etc.).

Using this type of table allows you to sort by Resource type in addition to the default view, so you can show all 
actions required by the Oracle Administrator, all actions required by djones, etc.
Sheldon Malm
Senior Director, Security Strategy & Alliances


http://www.rapid7.com
http://www.metasploit.com


-----Original Message-----
From: Sheldon Malm 
Sent: Monday, January 31, 2011 7:16 AM
To: 'a.alii85 () gmail com'; security-basics () securityfocus com
Subject: RE: to be or not to be of vulunerbility assesment report

You've hit on a very important distinction, and one of the primary drivers for the NeXpose Remediation Report ...

Applying the attributes of risk, effort required, and resources required to either the exposure (vulnerability) or 
remediation/mitigation (i.e. patch), does not work when you consider the logical classes of the objects that you're 
analyzing.  There is no risk to a patch (other than introducing new risk if the patch breaks a custom application, 
etc.); there are no resources required or effort required for an exposure (vulnerability).

Since there is often a 1-to-1 mapping of exposure to remediation/mitigation, it seems like all three of these 
attributes *should* apply to a single object (exposure and/or remediation/mitigation).  In fact, they don't.

I suspect that an exposure-based report is not the one most appropriate for this particular goal, but here's a 
suggestion ... for exposures, I would suggest reporting risk and providing impact and likelihood data if you'd like to 
be more granular in your reporting.  This will provide important information about why the exposures are important, 
however it will result in a long list of vulnerabilities.  If there isn't tolerance for a report with this much 
information, you may choose to trim it down to a "critical" vulnerability list and only include the exposures that meet 
or exceed that risk threshold.

For remediations/mitigations, I would suggest that you report the effort required, resources required, and the amount 
of risk *reduced* by the remediation action.  This will allow you to combine the risk of the multiple exposures into a 
single value and achieve what I *think* is your original intent: to represent the risk reduction, quantity of work, and 
quality of worker(s) associated with each exposure-remediation action (assuming that "resources required" means human 
resources).  The NeXpose Temporal Risk method will be most appropriate for this rollup quantification -- combining CVSS 
Base Scores, for example, doesn't make a lot of sense.

You may want to consider a fourth column to capture the number of exposures remediated by the particular patch.  This, 
in addition to risk reduction, is appropriate for an executive summary.  If you choose to do this, you will now have a 
table that looks something like this:


SECURITY UPDATE (PATCH)  | RISK REDUCED | EXPOSURES REMEDIATED | EFFORT REQUIRED | RESOURCES REQUIRED
                         |              |                      |                 |  
[Update/Patch Identifier]| [e.g. 4,100] | [e.g. 8]             | [e.g. 3 hours]  | [e.g. Standard (non specialist)]


I hope this helps.

Sheldon Malm
Senior Director, Security Strategy & Alliances


http://www.rapid7.com
http://www.metasploit.com
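The two views described in the replies above (an exposure-based list trimmed by a risk threshold, and a remediation-based table with one row per patch that sums risk reduced, counts exposures remediated, and carries effort and resource type, sortable by resource) as an added, runnable example. This is not code from the thread, from NeXpose or from Rapid7: the finding identifiers, patch identifiers, risk scores, effort figures and resource names are constructed, and the per-exposure risk values are assumed to be additive for the rollup (the reply notes that summing CVSS Base Scores does not make sense; the numbers here stand in for a risk metric that is meant to be combined, and the summation is not NeXpose's Temporal Risk method).

```python
"""Roll up many-to-one scanner findings into a per-patch remediation table.

Added example, not code from the thread or from NeXpose/Rapid7. All
identifiers, risk scores, effort figures and resource names are constructed;
per-exposure risk values are assumed to be additive for the rollup.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Exposure:
    vuln_id: str             # scanner finding identifier (constructed)
    asset: str               # host the finding was seen on (constructed)
    risk: int                # per-exposure risk score (constructed, assumed additive)
    fixed_by: Optional[str]  # patch identifier, or None for a "point" vulnerability


@dataclass(frozen=True)
class Patch:
    patch_id: str
    effort_hours: float      # effort required to deploy (constructed)
    resource: str            # human resource type, e.g. "Windows Administrator"


@dataclass(frozen=True)
class RemediationRow:
    patch_id: str
    risk_reduced: int
    exposures_remediated: int
    effort_hours: float
    resource: str


# Constructed sample findings: three exposures closed by one Windows patch,
# two by one Oracle patch, one by a second Windows patch, one with no patch.
EXPOSURES: List[Exposure] = [
    Exposure("VULN-001", "host-a", 900, "WIN-PATCH-1"),
    Exposure("VULN-002", "host-a", 1500, "WIN-PATCH-1"),
    Exposure("VULN-003", "host-b", 700, "WIN-PATCH-1"),
    Exposure("VULN-004", "db-1", 1200, "ORACLE-PATCH-1"),
    Exposure("VULN-005", "db-1", 300, "ORACLE-PATCH-1"),
    Exposure("VULN-006", "web-1", 2000, "WIN-PATCH-2"),
    Exposure("VULN-007", "av-1", 400, None),
]

# Constructed patch metadata: effort and the resource type that owns the action.
PATCHES: Dict[str, Patch] = {
    "WIN-PATCH-1": Patch("WIN-PATCH-1", 3.0, "Windows Administrator"),
    "WIN-PATCH-2": Patch("WIN-PATCH-2", 1.0, "Windows Administrator"),
    "ORACLE-PATCH-1": Patch("ORACLE-PATCH-1", 4.0, "Oracle Administrator"),
}


def critical_exposures(exposures: List[Exposure], threshold: int) -> List[Exposure]:
    """Exposure-based view, trimmed to findings at or above the risk threshold."""
    return sorted((e for e in exposures if e.risk >= threshold),
                  key=lambda e: e.risk, reverse=True)


def rollup(exposures: List[Exposure], patches: Dict[str, Patch]) -> List[RemediationRow]:
    """Remediation-based view: one row per patch, risk summed, exposures counted."""
    grouped: Dict[str, List[Exposure]] = defaultdict(list)
    for e in exposures:
        if e.fixed_by in patches:        # skip findings that no known patch closes
            grouped[e.fixed_by].append(e)
    rows = [
        RemediationRow(pid, sum(e.risk for e in group), len(group),
                       patches[pid].effort_hours, patches[pid].resource)
        for pid, group in grouped.items()
    ]
    return sorted(rows, key=lambda r: r.risk_reduced, reverse=True)


def unmapped_exposures(exposures: List[Exposure], patches: Dict[str, Patch]) -> List[Exposure]:
    """Point vulnerabilities with no patch; these stay in the exposure list."""
    return [e for e in exposures if e.fixed_by not in patches]


def by_resource(rows: List[RemediationRow]) -> Dict[str, List[RemediationRow]]:
    """Alternate sort: every remediation action each resource type owns."""
    out: Dict[str, List[RemediationRow]] = defaultdict(list)
    for r in rows:
        out[r.resource].append(r)
    return dict(out)


def render(rows: List[RemediationRow]) -> str:
    """Plain-text table in the column layout suggested in the reply."""
    lines = [f"{'SECURITY UPDATE (PATCH)':<24}| RISK REDUCED | EXPOSURES REMEDIATED "
             f"| EFFORT REQUIRED | RESOURCES REQUIRED"]
    for r in rows:
        lines.append(f"{r.patch_id:<24}| {r.risk_reduced:>12,} | {r.exposures_remediated:>20} "
                     f"| {r.effort_hours:>13.1f} h | {r.resource}")
    return "\n".join(lines)


if __name__ == "__main__":
    table = rollup(EXPOSURES, PATCHES)
    print(render(table))
    for resource, actions in by_resource(table).items():
        print(f"\n{resource}: {', '.join(r.patch_id for r in actions)}")
    print("\nUnpatched point exposures:",
          ", ".join(e.vuln_id for e in unmapped_exposures(EXPOSURES, PATCHES)))
```

The per-exposure "critical" list and the per-patch rollup are computed from the same findings, so the executive table and the detailed exposure appendix stay consistent; findings with no patch are kept out of the rollup rather than silently dropped, because the question notes those are the ones administrators tend to overlook.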


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of a.alii85 () gmail com
Sent: Friday, January 28, 2011 1:02 AM
To: security-basics () securityfocus com
Subject: to be or not to be of vulunerbility assesment report

hey sec techies :)

I'm in the process of making a vulnerability assessment report. The report contains high-level vulnerability details 
that I have identified using scan tools such as Nessus and NeXpose.

In the non-technical (executive summary) portion I have made a table which describes three things 
to its readers.

1) risk
2) effort required
3) resources required

These values are taken from instances of each vulnerability. These instances form different attack vectors for the 
hacker to get into the system.

Now here comes the problem or the interesting part; in the dynamic analysis report I have been given dozens of 
vulnerabilities which are associated with missing patches (NeXpose full audit report). Now each missing patch fixes 
around 20 or more vulnerabilities, but my table is based on a 1-1 relationship, not 1-many. So I now have the mapping 
issue: how do I relate multiple vulnerabilities' effort required, risk and resources required attributes to a single 
missing patch?

I don't want to break down the patches into individual vulnerabilities as that would add unnecessary volume, something 
the higher management would hate and dislike to the point they want to throw the report into the dustbin.

So what should I do? Do I really have to write up a missing patch as in the true classic definition of what a 
"vulnerability" is, which is a weakness that it.... because all this is saying is that your system is vulnerable because 
you forgot to update your anti-virus (or something trivial like this).

These single instance / point vulnerabilities are more fun because they exist when the admins are confident about 
their system, that it is decently patched and they are safe, but they are not aware that most of the time these 
independent and third-party services and packages existing in your platform environment (e.g. Oracle) need patching 
and security tightening too.

So guys, please help me devise a workaround for this problem; an easy and effective solution would be much appreciated 
and welcomed. Thanks

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
