Penetration Testing mailing list archives

Re: Security Grade


From: "Eddie Block" <eddie.block () gmail com>
Date: Tue, 11 Dec 2007 20:45:11 -0600

Francois,

Thanks for the feedback.  I agree that this system could lead to
mis-perception.  But the "stop-light" is merely a tool to begin the
discussion.

As you stated, once I have administrative control over a system, it's
only a matter of time before I own the whole network.  Thus, if I can
gain administrative control, it is only a matter of time until I
uncover confidential information.  Thus, in practice, gaining control
of a device will inevitably lead to a "red" rating.

Turn this the other way.  If a company has done an exceptional job of
locking down systems and denies me access, but they have inadvertently
exposed confidential information (i.e. placed client information on a
webserver in a "secret" directory), then they need to know there is a
problem.

Going into more of a philosophical approach, I've always believed that
the true impact of the report is in the narrative, whether that is
delivered in the report, de-brief, or both.  As an outside consultant
each company will have unique business processes that I will never
know.  If I can paint the picture clearly and in a non-threatening
way, executive management will usually start sharing with me how much
this would affect their business processes or client trust.  I also
highlight the statutory and regulatory implications of lax security.
Using clearly defined criteria has the perception of fairness.

I don't think there is one "correct" answer to the original question.
My method has proven successful for me over the past few years and my
clients seem happy with my product.  I'm sure that a 1-10 scale would
be equally effective but, for my personal disposition, I find that
overly complex.  My impression is that I would also encounter people
arguing they should be a 9 instead of an 8.  With such limited
criteria, there is no real room to argue.  Thus we are able to jump
straight into remediation.

Thank you again for your reply,
Eddie

On Dec 11, 2007 1:02 PM, Francois Larouche
<francois.larouche-ml () sqlpowerinjector com> wrote:
Hi Eddie,

Usually I try to stay out of all kinds of philosophical and subjective
threads, but here I had to say something, or at least bring a different view
of this topic.

The way you rate the real threat can lead the management to think that
the problem is not that grave, especially with only 3 levels of
security. I'm concerned about the fact that "Yellow" grade will leave
the executive management with the impression that: "ok, Yellow is not
too bad at least it's not Red..."

And from there, not unblocking sufficient budget and effort, or having a
false sense of security.

The reason why I'm concerned is that both your criteria are really
a high threat to the company in my opinion.

_Gain administrative control of the target_:

That one speaks for itself... It's common knowledge that if I own a
machine on your system I "generally" own your network. After that it's
just a matter of effort and time. How bad could that be? I leave it to
your imagination. So from there you can get Number 2.

_Retrieve proprietary or confidential information_:

Well, that I guess depends on how critical the data is. But as far as I'm
concerned it should be treated accordingly. However, I believe that if I
can get all the credit card info from all the customers it's pretty
critical to my eyes... Or get all the salaries of the employees in the
company, to name a few examples.

I believe that yes, executive management wants concise and non-technical
issues, but they are not pure idiots and can understand the difference
between having the customers' credit card information stolen and only
having the pictures of their employees accessed.

Like I said at the beginning, it's rather a subjective topic and there are
many good ways to grade the threats of a pen test. The only criterion
is that all the actors in the process understand the true threat(s)
behind them to act accordingly. And if you, Eddie, had no problem passing the
message to them, then in the absolute your system was good for your
company, but I still think it's a dangerous way to do things in general.

My two cents

Francois


I used to use a three-result (Red, Yellow, Green) system based on two criteria:

First:  Did I gain administrative control of the target system(s)?
Second: Did I retrieve proprietary or confidential information?

If I was unable to achieve either objective, the client received a
"green" rating.
If I was able to achieve only one objective, the client received a
"yellow" rating.
If I was able to achieve both objectives, the client received a "red" rating.

It sounds very simplistic, but using that system made the results
immediately clear to executive management (who really didn't care
about the technical issues.)  It also makes it very simple to create
graphs comparing other clients by industry, size, budget, etc.  Again,
this gives the executive summary clarity and impact.

Thanks,
Eddie

On Dec 6, 2007 5:17 AM, 11ack3r <11ack3r () gmail com> wrote:

Hi,

Is there a security criterion or matrix against which we could grade a
customer's pen test results? Like assigning them a grade between A and E
or 1 and 10.

*.*






------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------