Re: Level of Exploitation

["Adriel T. Desautels" <ad_lists () netragard com>]

> "Meaning a system with a FIPS 199 risk level of Moderate cannot  
> possibly have a vulnerability that is a High risk to the agency."

If you can penetrate a system with a moderate risk level that system  
will inevitably give deeper access than you had initially. If you  
perform distributed metastasis properly then the risk isn't really  
moderate any more isn't it.

NIST is all well and good, but it doesn't teach you how to test  
properly. It just tells you what the minimums are from a very high  
level perspective.

On Dec 4, 2008, at 9:12 AM, Matthew Zimmerman wrote:

> On Wed, Dec 3, 2008 at 2:59 PM, Adriel T. Desautels
> <ad_lists () netragard com> wrote:
> > What level of access were you able to gain with SQL Injection?
> Yah, and where? ;)
>
> Seriously though, since your client is the Federal Government, if
> we're talking about non-classified non-national-security systems, then
> they're going to be following NIST requirements.  Look at NIST 800-30
> [1] for guidance on how to apply risk ratings to vulnerabilities.  I
> assume the "level of exploitation" is the amount of risk to the
> agency.
>
> And please don't rate items as "high" because it makes you look good
> to the executives.  Rate them for what they're worth.  Risks are in
> relation to the agency, not to the system.  (Meaning a system with a
> FIPS 199 risk level of Moderate cannot possibly have a vulnerability
> that is a High risk to the agency.)
>
> [1] - http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
>
> Matt Z

Adriel T. Desautels
ad_lists () netragard com




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------