Penetration Testing mailing list archives
Re: Experiences with company nCircle and their IP360 product
From: Tom Stracener <strace () gmail com>
Date: Fri, 25 Nov 2005 16:10:14 -0600
Coen,

On the issue of unique or distinguishing features I would comment on nCircle's quantitative risk metrics for vulnerabilities. I created the formulas for this system back in 1999, and worked with other founding members to further refine and enhance the system over the next couple of years. Since then nCircle has continued to make modifications and improvements to the core risk analysis algorithms, and the result has been the development of a highly scalable risk analysis metric that allows you to view the risk of vulnerabilities, hosts, and networks at a glance.

To help you understand the technical premises of vulnerability metrics, you can think of a vulnerability as having a penetration depth, to what degree does a successful attack correlate with elevated privileges. A sophistication factor, how difficult is it to exploit the vulnerability, what types of exploits, tools, worms, or exploit frameworks exist for the issue. An attack vector, how is the vulnerability exploited. Also, what is the vulnerability life-cycle state in relation to time. In essence, vulnerability risk is sort of parabolic over time, although with the delayed rate of patching and long-term persistence of vulnerabilities, the curve is less parabolic than you would think. These are just a few of the important assumptions. The importance or criticality of the system on which a vulnerability is resident, the relation of the vulnerability to the network perimeter, etc., are also key factors.

This should give you an idea of the advantage of using quantitative metrics in risk analysis, because you get a weighted generalization of all these factors with the benefit of granularity and succinct mathematical expression. High scoring systems and networks can then get your first attention, a significant advancement over having lists of thousands of low/medium/high qualitative labels.

I don't know the extent to which IP360 still uses the factors above, but if you have an opportunity to view its output and reporting, know that the vulnerability and network scoring metrics were not technical wingdings tacked on at the behest of marketing -- but core technical features that have undergone years of serious scrutiny and refinement.

Mike Murray has also done some amazing work on vulnerability signature precision. Be sure to check it out:

http://www.ncircle.com/pdf/papers/nCircle_Precision_Metrics.pdf

Hope my comments interest you.

-Tom