Re: Level of Exploitation

["Anthony Cicalla" <anthony.cicalla () gmail com>]

exploitable sql injection is severe or level 5 regarding pci compliance.

On Fri, Dec 5, 2008 at 11:19 AM, Shenk, Jerry A
<jshenk () decommunications com> wrote:
> <soapbox mode>
> I hate to "pile on" but this plea to avoid the "high" rating can't be
> overstated.  I have seen a lot of reports that rated things as high that
> didn't give up ANY information.  One gave a login prompt on a firewall a
> high risk.  Digging into it, the username was some crazy 15 characters
> or something and a decent password.  There's nothing "rating room" left
> if they actually compromise a host.  It's the whole "boy who cried wolf"
> story
> </soapbox mode>
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> On Behalf Of Matthew Zimmerman
> Sent: Thursday, December 04, 2008 9:12 AM
> To: Adriel T. Desautels
> Cc: pentestr; pen-test () securityfocus com
> Subject: Re: Level of Exploitation
>
> On Wed, Dec 3, 2008 at 2:59 PM, Adriel T. Desautels
> <ad_lists () netragard com> wrote:
> > What level of access were you able to gain with SQL Injection?
> Yah, and where? ;)
>
> Seriously though, since your client is the Federal Government, if
> we're talking about non-classified non-national-security systems, then
> they're going to be following NIST requirements.  Look at NIST 800-30
> [1] for guidance on how to apply risk ratings to vulnerabilities.  I
> assume the "level of exploitation" is the amount of risk to the
> agency.
>
> And please don't rate items as "high" because it makes you look good
> to the executives.  Rate them for what they're worth.  Risks are in
> relation to the agency, not to the system.  (Meaning a system with a
> FIPS 199 risk level of Moderate cannot possibly have a vulnerability
> that is a High risk to the agency.)
>
> [1] - http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
>
> Matt Z
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Security Trends Report from Cenzic
> Stay Ahead of the Hacker Curve!
> Get the latest Q2 2008 Trends Report now
>
> www.cenzic.com/landing/trends-report
> ------------------------------------------------------------------------
>
>
> **DISCLAIMER
> This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which 
> they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the 
> intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the 
> message. If you have received this communication in error, please notify the sender and delete this e-mail message. 
> The contents do not represent the opinion of D&E except to the extent that it relates to their official business.
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Security Trends Report from Cenzic
> Stay Ahead of the Hacker Curve!
> Get the latest Q2 2008 Trends Report now
>
> www.cenzic.com/landing/trends-report
> ------------------------------------------------------------------------



-- 
Anthony,

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------