Penetration Testing mailing list archives
RE: Risk metrics
From: Michael Gargiullo <mgargiullo () pvtpt com>
Date: Wed, 02 Nov 2005 10:49:31 -0500
I agree with Marc completely. Only the company can give you those numbers. It's management's job to determine what their assets are, and the costs involved if they lose those assets. You, as the Pen Tester, cannot determine what the value of a certain machine or service is to the company. You can, however, tell them what the low-hanging fruit is, and take a best guess as to what their "Crown Jewels" are. So you'd go for the SQL server, and the Active Directory, and the Radius Server, etc...

As for explaining difficulty, if you have in-depth knowledge of how the vulnerability works, and if an exploit is in the wild (proof of concepts count), you can state explicitly "At this moment in time, this is difficult to exploit, but that could change tomorrow".

Remember, vulnerability scans and pen tests are a snapshot (a moment in time). Networks change; some change yearly, some change monthly, and some networks change hourly.

-Mike

-----Original Message-----
From: Marc Heuse [mailto:Marc.Heuse () nruns com]
Sent: Tuesday, November 01, 2005 3:22 AM
To: 'RSMC'; pen-test () securityfocus com
Subject: RE: Risk metrics

Hi,

if there were standard metrics, they would have been in the guide :-)

To be serious: in risk management there are standard metrics. The most used one is to determine Likelihood and Impact of a risk. These are then described as low/medium/high (or very low, low, medium, high, critical; or ... well, you get the picture). Or you put values in there, e.g. likelihood that it happens once a year is 20%, impact would be $10k. This is then called Expected Annual Loss, or Annual Loss Expectancy. And then there is CRAMM (British standard), which uses values from 1-10 for these.

Basically it is very hard to use likelihood and impact in a pentest report. Who can convince everyone that the likelihood of exploitation of a weak password is xx%? It just doesn't work.
Then the impact - if you are not working within the company for whom you are performing the pentest, it is very, very hard to have an idea of the costs. So for pentesting - especially when providing pentest services - other metrics are needed. But there are no standards for that.

From my philosophy and experience there are just a few metrics helpful:
criticality of a vulnerability (metric like 1: unharmful information gathering to 10: remote control of a complete network/infrastructure), and level of exposure (e.g. 1: controlled keyboard access only, 10: Internet connection without filtering). Some customers also want to know the difficulty level to exploit or knowledge level required by the attacker (e.g. 1: needs to be able to move a mouse, 10: strong reverse engineering, assembler coding, machine-level knowledge on several platforms etc. required). But this is a trap - if there is a tool or exploit which you don't know, or is released some days/weeks later, the difficulty drops - but nobody will update a table in a report in return.

Cheers,
Marc

====================================================================
Marc Heuse
n.runs GmbH
Mobile Phone: +49-160-98925941
Key fingerprint = AE3F CDC0 8C7B 8797 BEAC 4BF8 EC8F E64B 0A84 EA10
====================================================================

-----Original Message-----
From: RSMC [mailto:smcsoc () yahoo es]
Sent: Monday, 31 October 2005 14:57
To: pen-test () securityfocus com
Subject: Risk metrics

Hi,

As OSSTMM states, "Reports must use only qualitative metrics for gauging risks based on industry accepted methods". What metrics are more suitable to use in pen-testing services?

Thanks in advance,
Rafael San Miguel Carrasco
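As an added worked example (not code from any of the posters), the following Python contrasts the two kinds of metric Marc describes: Annual Loss Expectancy from likelihood and impact, and a 1-10 criticality/exposure/difficulty score for a report, including his trap that a newly released exploit drops the difficulty and re-orders the findings. The weighting formula, the scale-to-factor mapping and the sample findings are assumptions made here, not a standard.

```python
"""Risk-metric helpers for the thread's two approaches (constructed example; the 1-10
scales follow Marc's description, the weighting and sample findings are assumptions)."""
from dataclasses import dataclass, replace

def annual_loss_expectancy(likelihood_per_year: float, impact: float) -> float:
    """Annual Loss Expectancy: probability of the loss event in a year times its cost."""
    if not 0.0 <= likelihood_per_year <= 1.0:
        raise ValueError("likelihood must be a probability between 0 and 1")
    return likelihood_per_year * impact

@dataclass(frozen=True)
class Finding:
    name: str
    criticality: int  # 1: harmless information gathering .. 10: remote control of the whole network
    exposure: int     # 1: controlled keyboard access only .. 10: unfiltered Internet connection
    difficulty: int   # 1: can move a mouse .. 10: reverse engineering / assembler on several platforms
    public_exploit: bool = False

    def __post_init__(self) -> None:
        for scale in ("criticality", "exposure", "difficulty"):
            value = getattr(self, scale)
            if not 1 <= value <= 10:
                raise ValueError(f"{scale} must be in 1..10, got {value}")

def risk_score(f: Finding) -> float:
    """Assumed weighting: criticality x exposure, discounted by difficulty. Range 0.1..100."""
    return f.criticality * f.exposure * (11 - f.difficulty) / 10

def with_public_exploit(f: Finding, new_difficulty: int = 2) -> Finding:
    """Marc's trap: once a tool or exploit is released the difficulty collapses, so the
    snapshot in the report must be re-scored rather than left as it was."""
    return replace(f, difficulty=min(f.difficulty, new_difficulty), public_exploit=True)

def ranked_names(findings) -> list:
    """Report order: highest risk score first."""
    return [f.name for f in sorted(findings, key=risk_score, reverse=True)]

# Constructed sample findings from a fictional test, not real systems.
SAMPLE = [
    Finding("Weak password on Internet-facing RADIUS", criticality=5, exposure=10, difficulty=1),
    Finding("Memory corruption in AD service, no public exploit", criticality=10, exposure=8, difficulty=9),
    Finding("Version banner disclosure", criticality=1, exposure=10, difficulty=1),
]

if __name__ == "__main__":
    print(annual_loss_expectancy(0.20, 10_000))   # Marc's 20% x $10k example
    print(ranked_names(SAMPLE))                    # snapshot at report time
    print(ranked_names([with_public_exploit(f) if "AD" in f.name else f for f in SAMPLE]))
```

Re-running the last line after an exploit appears moves the AD finding to the top, which is the table update Marc says nobody makes.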