Penetration Testing mailing list archives
Re: RE: Risk metrics
From: inet_inaddr () yahoo com
Date: 5 Nov 2005 08:47:34 -0000
Hi,

Totally agreed with the last post. However, I have been using the following matrix, which may be useful. I am not giving you details on the critical data or the infrastructure used to store, process, and read the given critical data.

Consider that there is critical data D1, stored and processed on servers S1, S2 ... and clients C1 and C2. Now vulnerabilities on these systems become really high, as compared to other systems which may be vulnerable but are not directly connected to store, process, or read the critical data. This assumes there is enough segregation of the servers and clients handling critical data as compared to other servers.

Vulnerability: Directory Traversal
Impact (Technical): Root of the System
Direct Access to Critical Data: Read Write
Time Required for Exploit:
Business Impact: High/Medium/Low, based on company size and turnover along with the ease of executing the vulnerability
Ease of Fix: Hard to Fix (details may be put in after talking to the server owner and admin, based on the patch or application fixes that may be required)
Workaround: None (if the vulnerability can be prevented by blocking a port for some time or dropping something at the IDS/IPS)
OS:
Application:
Other Possible Impact: Getting the sniffed data from the compromised machine, which may give access to the critical data if the current server being hacked is not the server handling critical data directly.

Hope this helps.

TCP FIN,