Penetration Testing mailing list archives

Re: Level of Exploitation


From: ArcSighter <arcsighter () gmail com>
Date: Fri, 12 Dec 2008 09:33:14 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

GT GERONIMO, Frederick Joseph B. wrote:
I guess what Egon is saying is that an Auditor would need to know first
the classification of data, and what importance the company gives to
each classification of data. Definitely, data that are most important
(ex. Top Secret, Confidential, etc.) should have more protection;
therefore, any vulnerabilities that would leave those data exposed would most
likely have a High Risk rating. But, for some companies, risk is
computed with likelihood as one factor, which may lower the risk
rating of a vulnerability (ex. a calamity that destroys two redundant
sites).

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Egon Braun
Sent: Thursday, December 11, 2008 8:43 PM
To: pen-test () securityfocus com
Subject: Re: Level of Exploitation

I have learned with experience that
what makes a flaw in a computer environment a HIGH PRIORITY FLAW is the
one that compromises the INFORMATION, not the server.

Servers can always be replaced, reconfigured, updated and so on. You
can always (as a last
option) unplug it.

However, it is the information that we from the security area should be
focused on.

What is more important for General Motors?
To have one dept. without internet because of a DoS attack, or to have its
new car drawings stolen by a cracker?

I consider HIGH, just the flaw that could give access to the information
of the company, the others are always MEDIUM or LOW.

Of course, this tip does not apply to every case.
For example, in a shopping mall public internet area, the HIGH PRIORITY
is to have the internet access ALWAYS ON. There is no information to be
secured.

And we have lots of other cases ...

The best is to feel the company and think about what is the "treasure" of
the client, and try to protect it best.

We from IT like to protect servers because we love computers, but often
the problem is not in the servers but within people, policies, etc.
--
Egon Braun <mundoalem () gmail com>

This e-mail message (including attachments, if any) is intended for the use of the individual or the entity to whom 
it is addressed and may contain information that is privileged, proprietary, confidential and exempt from disclosure. 
If you are not the intended recipient, you are notified that any dissemination, distribution or copying of this 
communication is strictly prohibited. If you have received this communication in error, please notify the sender and 
delete this E-mail message immediately.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------


Besides being a pen-tester, at one time I was working as a network
administrator. I think the Auditor's job is to assess vulnerability
risk, not data risk. The company and its incident response team should
have established a policy that reflects everything related to risk
assessment, policies, and incident response, the value of data,
downtime, etc. The auditor's job is to evaluate how a vulnerability
could compromise the security of the network and hosts, actually in your
terms: integrity of WHATEVER data the servers or workstations hold, not
to probe anything beyond that. And contrary to your thinking,
pen-testers estimate the flaw only by its implications; for example, if
the external security could be circumvented and ANY workstation INSIDE
the internal LAN is compromised, that would be a HIGH PRIORITY
vulnerability, even in the case that the workstation only holds games;
that host could be used as a gateway or abused in its trust
relationships to compromise other workstations/servers, those where the
information is actually valuable.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJQnYqH+KgkfcIQ8cRAgpGAJ9o73+MWccP6omufWhWE/XXQ9BcnwCgnbGD
57krALwOGlnpOLj/1pDgbvk=
=4wrb
-----END PGP SIGNATURE-----
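The two positions in this thread (rate a flaw by the classification of the data at stake, with likelihood as a second factor, versus rate it by where an attacker can pivot from the compromised host) can be reconciled in a small scoring model. The following is an added illustration, not code posted by anyone in the thread: it rates a finding on a host by the highest data classification reachable through that host's trust relationships, multiplied by a likelihood factor. The host names, trust links, classification weights and the HIGH/MEDIUM/LOW buckets are all constructed assumptions for the example.

```python
"""Risk rating that accounts for reachable data, not just the host hit.

Added illustration (not code from the thread). A "games-only" workstation
that can reach the CAD server through trust relationships is rated by the
CAD server's classification, matching the pivot argument above; the
likelihood multiplier matches the point that some companies discount risk
by likelihood. All data below is constructed sample data.
"""
from collections import deque

# Constructed classification weights (assumption: a four-level scheme).
CLASS_WEIGHT = {"public": 1, "internal": 2, "confidential": 3, "top_secret": 4}

# Constructed sample environment: host -> classification of data it holds.
HOST_DATA = {
    "games-pc": "public",
    "hr-share": "confidential",
    "cad-server": "top_secret",
    "kiosk": "public",
}

# Constructed trust relationships: host -> hosts it can authenticate to.
# The kiosk is isolated; the games PC has a path to the CAD server.
TRUST = {
    "games-pc": ["hr-share"],
    "hr-share": ["cad-server"],
    "cad-server": [],
    "kiosk": [],
}


def reachable_hosts(start, trust):
    """Breadth-first walk over trust edges: every host reachable from `start`."""
    seen = {start}
    queue = deque([start])
    while queue:
        host = queue.popleft()
        for nxt in trust.get(host, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def impact(host, trust=TRUST, host_data=HOST_DATA):
    """Highest classification weight reachable if `host` is compromised."""
    return max(CLASS_WEIGHT[host_data[h]] for h in reachable_hosts(host, trust))


def rate(host, likelihood, trust=TRUST, host_data=HOST_DATA):
    """Risk score = impact (1-4) x likelihood (1-4); bucket cut-offs are assumed."""
    if not 1 <= likelihood <= 4:
        raise ValueError("likelihood must be 1..4")
    score = impact(host, trust, host_data) * likelihood
    if score >= 9:
        level = "HIGH"
    elif score >= 4:
        level = "MEDIUM"
    else:
        level = "LOW"
    return score, level


if __name__ == "__main__":
    for host, likelihood in (("games-pc", 3), ("kiosk", 2), ("cad-server", 1)):
        print(host, rate(host, likelihood))
```

Run as-is it prints the rating for each constructed host; the games PC scores HIGH despite holding only public data because the walk reaches the CAD server, while the isolated kiosk scores LOW. Swapping in a real inventory and trust map (domain trusts, shared credentials, management access) is the part that actually needs care: the walk is only as good as the edges it is given.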


