Dailydave mailing list archives
Re: Faster, smashter.
From: "Jon Passki" <jon.passki () hursk com>
Date: Wed, 10 Dec 2008 04:55:07 +0900
On Tue, Dec 9, 2008 at 11:45 PM, Dave Aitel <dave () immunityinc com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> One technique we're doing this week with a client is taking an attack tree and marking it up with dollar values. I.E. if you wanted to buy an 0day in X component, how much would it cost? This then is a simple summation to produce a "how much is it to get into the internal network from the internet" which the business can use to help them decide yay/nay on the project as a whole depending on their own view of the threat and the value of the information they are protecting.
>
> - -dave

Care to share the generalized outcome? Perhaps something like the client chose a branch of 4 0days that had a value between $10,000 and $50,000? Assuming you had a way to state x, y, & z 0days exist (even if you didn't have access to them) with some level of certainty, then you probably have a very valid method of at least quantifying exposure. Heck, depending upon the level of certainty, I would pay you as a service to help me quantify my clients' exposures.

Jon Passki
pgp: 1BB0 A946 927B 93C3 ED6A 0466 6692 6C2C 84BE 4122
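
The dollar-marked attack tree discussed in this message, as an added example that is not part of the original post or either poster's tooling. It goes beyond the "simple summation" by taking the minimum across alternative branches and by carrying a low/high price range per leaf; the tree, component names and dollar figures are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    kind: str = "LEAF"          # LEAF, AND (every child required), OR (any one child suffices)
    cost: tuple = (0, 0)        # (low, high) price estimate in USD; used for leaves only
    children: list = field(default_factory=list)

def cheapest(node, bound):
    """Cheapest way to reach `node` using low (bound=0) or high (bound=1) estimates.
    Returns (total_cost, [leaf names on that route])."""
    if node.kind == "LEAF":
        return node.cost[bound], [node.name]
    if not node.children:
        raise ValueError(f"{node.name}: {node.kind} node has no children")
    results = [cheapest(child, bound) for child in node.children]
    if node.kind == "AND":      # every step must be bought: the summation
        return sum(c for c, _ in results), [n for _, names in results for n in names]
    if node.kind == "OR":       # alternatives: the cheapest one sets the price
        return min(results, key=lambda r: r[0])
    raise ValueError(f"{node.name}: unknown node kind {node.kind!r}")

def exposure(root):
    """Price range of the cheapest route, plus the route chosen under each estimate."""
    low, low_path = cheapest(root, 0)
    high, high_path = cheapest(root, 1)
    return {"low": low, "low_path": low_path, "high": high, "high_path": high_path}

# Constructed tree; component names and dollar figures are illustrative only.
TREE = Node("internet -> internal network", "OR", children=[
    Node("route A", "AND", children=[
        Node("0day in component X", cost=(10_000, 50_000)),
        Node("0day in component Y", cost=(5_000, 20_000)),
    ]),
    Node("route B", "AND", children=[
        Node("0day in component Z", cost=(20_000, 40_000)),
    ]),
])

if __name__ == "__main__":
    print(exposure(TREE))
```

Note that the cheapest route differs between the low and high estimates here, so the range alone does not say which component to harden first.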