Penetration Testing mailing list archives
RE: Risk metrics
From: "Marc Heuse" <Marc.Heuse () nruns com>
Date: Tue, 1 Nov 2005 09:22:06 +0100
Hi,

if there would be standard metrics, they would have been in the guide :-) To be serious: in risk management there are standard metrics. The most used one is to determine Likelihood and Impact of a risk. These are then described as low/medium/high (or very low, low, medium, high, critical; or ... well you get the picture). Or you put values in there, e.g. likelihood that it happens once a year is 20%, impact would be $10k. This is then called Expected Annual Loss, or Annual Loss Expectancy. And then there is CRAMM (British standard) which uses values from 1-10 for these. Basically it is very hard to use likelihood and impact in a pentest report. Who can convince everyone that the likelihood of exploitation of a weak password is xx%? It just doesn't work. Then the impact - if you are not working within the company for whom you are performing the pentest, it is very, very hard to have an idea of the costs. So for pentesting - especially when providing pentest services - other metrics are needed. But there are no standards for that.
From my philosophy and experience there are just a few metrics helpful:
criticality of a vulnerability (metric like 1: unharmful information gathering to 10: remote control of a complete network/infrastructure), and level of exposure (e.g. 1: controlled keyboard access only, 10: Internet connection without filtering). Some customers also want to know the difficulty level to exploit or knowledge level required by the attacker (e.g. 1: needs to be able to move a mouse, 10: strong reverse engineering, assembler coding, machine level knowledge on several platforms etc. required). But this is a trap - if there is a tool or exploit which you don't know, or is released some days/weeks later, the difficulty drops - but nobody will update a table in a report in return.

Cheers,
Marc

====================================================================
Marc Heuse
n.runs GmbH
Mobile Phone: +49-160-98925941
Key fingerprint = AE3F CDC0 8C7B 8797 BEAC 4BF8 EC8F E64B 0A84 EA10
====================================================================

-----Original Message-----
From: RSMC [mailto:smcsoc () yahoo es]
Sent: Monday, 31 October 2005 14:57
To: pen-test () securityfocus com
Subject: Risk metrics

Hi,

As OSSTMM states, "Reports must use only qualitative metrics for gauging risks based on industry accepted methods". What metrics are more suitable to use in pen-testing services?

Thanks in advance,
Rafael San Miguel Carrasco
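The ALE figure and the two 1-10 scales (criticality, exposure) from the reply above, worked through as an added Python example; this is not code from the thread or from n.runs. The combination rule (criticality x exposure), the low/medium/high thresholds, the `public_exploit` flag and the sample findings are assumptions of this example, and the last function shows why a difficulty value copied into a report once goes stale the moment a public exploit appears.

```python
from dataclasses import dataclass

SCALE = range(1, 11)  # both scales in the post run from 1 to 10


def annual_loss_expectancy(annual_rate_of_occurrence: float, single_loss_expectancy: float) -> float:
    """ALE = ARO x SLE, the quantitative risk-management metric the post describes."""
    return annual_rate_of_occurrence * single_loss_expectancy


@dataclass
class Finding:
    name: str
    criticality: int            # 1: harmless information gathering .. 10: remote control of the whole network
    exposure: int               # 1: controlled keyboard access only .. 10: unfiltered Internet connection
    analyst_difficulty: int     # 1: can move a mouse .. 10: reverse engineering / assembler on several platforms
    public_exploit: bool = False  # constructed flag (assumption): a working tool or exploit has been published


def risk_score(f: Finding) -> int:
    """Assumed combination rule, not from the post: criticality x exposure, range 1..100."""
    if f.criticality not in SCALE or f.exposure not in SCALE:
        raise ValueError(f"{f.name}: criticality and exposure must be in 1..10")
    return f.criticality * f.exposure


def risk_band(f: Finding) -> str:
    """Qualitative band for the report; the thresholds are an assumption for illustration."""
    score = risk_score(f)
    return "high" if score > 50 else "medium" if score > 20 else "low"


def difficulty(f: Finding) -> int:
    """The 'trap': once a public exploit exists the required skill collapses to 1, whatever the
    analyst estimated, so the value has to be re-evaluated rather than written into the report once."""
    return 1 if f.public_exploit else f.analyst_difficulty


def rank_findings(findings: list) -> list:
    """Order findings for the report by descending risk score, then by ease of exploitation."""
    return [f.name for f in sorted(findings, key=lambda f: (-risk_score(f), difficulty(f)))]


# Constructed sample findings, not from any real engagement.
FINDINGS = [
    Finding("banner disclosure on internal host", criticality=1, exposure=3, analyst_difficulty=1),
    Finding("weak password on Internet-facing SSH", criticality=7, exposure=10, analyst_difficulty=2),
    Finding("kernel bug on Internet-facing host", criticality=10, exposure=10, analyst_difficulty=9),
]

if __name__ == "__main__":
    print("ALE for 20%/yr, $10k impact:", annual_loss_expectancy(0.2, 10_000))
    for f in FINDINGS:
        print(f"{f.name}: score={risk_score(f)} band={risk_band(f)} difficulty={difficulty(f)}")
```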