Penetration Testing mailing list archives
Re: Level of Exploitation
From: ArcSighter <arcsighter () gmail com>
Date: Fri, 12 Dec 2008 09:33:14 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

GT GERONIMO, Frederick Joseph B. wrote:
I guess what Egon is saying is that an Auditor would need to know first the classification of data, and what importance the company gives to each classification of data. Definitely, data that are most important (ex. Top Secret, Confidential, etc.) should have more protection; therefore, any vulnerabilities that would leave those data would most likely have a High Risk rating. But, for some companies, risk is computed with likelihood as one factor, which may lower the risk rating of a vulnerability (ex. a calamity that destroys two redundant sites).

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Egon Braun
Sent: Thursday, December 11, 2008 8:43 PM
To: pen-test () securityfocus com
Subject: Re: Level of Exploitation

I have learned with experience that what makes a flaw in a computer environment a HIGH PRIORITY FLAW is the one that compromises the INFORMATION, not the server. Servers can always be replaced, reconfigured, updated and so on. You can always (as a last option) unplug it. However, it is the information that we from the security area should be focused on.

What is more important for General Motors? To have one dept. without internet because of a DoS attack, or to have its new car drawings stolen by a cracker?

I consider HIGH just the flaw that could give access to the information of the company; the others are always MEDIUM or LOW.

Of course, this tip does not apply to every case. For example, in a shopping mall public internet area, the HIGH PRIORITY is to have the internet access ALWAYS ON. There is no information to be secured. And we have lots of other cases ...

The best is to feel the company and think about what is the "treasure" of the client, and try to protect it best. We from IT like to protect servers because we love computers, but often the problem is not in the servers but within people, policies, etc.
-- 
Egon Braun <mundoalem () gmail com>

This e-mail message (including attachments, if any) is intended for the use of the individual or the entity to whom it is addressed and may contain information that is privileged, proprietary, confidential and exempt from disclosure. If you are not the intended recipient, you are notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender and delete this E-mail message immediately.

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now
www.cenzic.com/landing/trends-report
------------------------------------------------------------------------
Besides pen-tester, once upon a time I was working as a network administrator. I think the Auditor's job is to assess vulnerability risk, not data risk. The company and its incident response team should have established a policy that reflects everything related to risk assessment, policies, and incident response, the value of data, downtime, etc.

The auditor's job is to evaluate how a vulnerability could compromise the security of the network and hosts, actually in your terms: the integrity of WHATEVER data the servers or workstations hold, not to probe anything beyond that. And contrary to your thinking, pen-testers estimate the flaw only by its implications; for example, if the external security could be circumvented and ANY workstation INSIDE the internal LAN is compromised, that would be a HIGH PRIORITY vulnerability, even in the case that the workstation only holds games; that host could be used as a gateway or abused through its trust relationships to compromise other workstations/servers, those where the information is actually valuable.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJQnYqH+KgkfcIQ8cRAgpGAJ9o73+MWccP6omufWhWE/XXQ9BcnwCgnbGD
57krALwOGlnpOLj/1pDgbvk=
=4wrb
-----END PGP SIGNATURE-----
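The thread makes two points that are easier to reason about when written down as a model: a finding's severity should follow the classification of the data at risk, scaled by likelihood (Geronimo's reply), and a foothold on a low-value workstation still rates HIGH when its trust relationships reach hosts that hold valuable data (ArcSighter's reply). The script below is an added example, not code from any poster or from the list; the host names, classification scale, trust edges and rating thresholds are all constructed for illustration. It computes the effective impact of a compromised host as the highest classification reachable over directed trust edges, then applies a hypothetical impact x likelihood matrix.

```python
"""
Added example (not from the mailing-list thread): rate a finding by the data
that becomes reachable from the compromised host, not only by what the host
itself holds.

Everything below (hosts, classifications, trust edges, thresholds) is
constructed for illustration and does not describe any real environment.
"""
from collections import deque

# Ordinal data classification (hypothetical scale; align with the client's policy).
CLASSIFICATION = {"public": 0, "internal": 1, "confidential": 2, "top_secret": 3}

# Likelihood factor; "negligible" covers the "calamity destroys both sites" case
# from the thread, where a high-impact event gets rated down.
LIKELIHOOD = {"negligible": 0, "low": 1, "medium": 2, "high": 3}

# Constructed environment: a games workstation with a cached credential for a
# file server, which in turn has a trust relationship with an HR database.
# Edge host -> set(hosts) means "from host you can pivot to these hosts".
TRUST = {"ws-games": {"fs-01"}, "fs-01": {"hr-db"}}
DATA_CLASS = {"ws-games": "public", "fs-01": "confidential", "hr-db": "top_secret"}


def reachable_hosts(start, trust):
    """All hosts reachable from `start` by following trust edges (BFS).

    The `seen` set makes this safe on cyclic trust graphs (mutual trusts).
    """
    seen = {start}
    queue = deque([start])
    while queue:
        host = queue.popleft()
        for nxt in trust.get(host, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def effective_impact(host, trust, data_class):
    """Highest classification (ordinal) of data reachable from `host`.

    Hosts missing from `data_class` are treated as holding only public data.
    """
    return max(
        CLASSIFICATION[data_class.get(h, "public")]
        for h in reachable_hosts(host, trust)
    )


def rate_finding(host, likelihood, trust, data_class):
    """Combine reachable impact and likelihood into LOW / MEDIUM / HIGH.

    Hypothetical matrix: score = impact * likelihood;
    score >= 6 -> HIGH, score >= 2 -> MEDIUM, otherwise LOW.
    """
    impact = effective_impact(host, trust, data_class)
    lk = LIKELIHOOD[likelihood]
    score = impact * lk
    if score >= 6:
        rating = "HIGH"
    elif score >= 2:
        rating = "MEDIUM"
    else:
        rating = "LOW"
    return {
        "host": host,
        "impact": impact,
        "likelihood": lk,
        "score": score,
        "rating": rating,
        # Which hosts the pivot chain reaches: useful evidence for the report.
        "reachable": sorted(reachable_hosts(host, trust)),
    }


if __name__ == "__main__":
    # Games box with trust edges: rated by the top-secret data it can reach.
    print(rate_finding("ws-games", "high", TRUST, DATA_CLASS))
    # Same box, isolated (no trust edges): nothing valuable reachable.
    print(rate_finding("ws-games", "high", {}, DATA_CLASS))
    # Top-secret host, but the threat is a calamity with negligible likelihood.
    print(rate_finding("hr-db", "negligible", TRUST, DATA_CLASS))
```

The pivot chain is what turns the "workstation that only holds games" into a HIGH: with the trust edges present the same host scores as if it held top-secret data, and with them removed it drops to LOW. Likelihood works the other way, pulling a high-impact but implausible event down, which is the lowering effect Geronimo describes.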
Current thread:
- Re: Rogue Access Point Alerting, (continued)
- Re: Rogue Access Point Alerting Joshua Wright (Dec 05)
- Re: Rogue Access Point Alerting Robin Wood (Dec 05)
- Re: Level of Exploitation Adriel T. Desautels (Dec 03)
- Re: Level of Exploitation Matthew Zimmerman (Dec 05)
- Re: Level of Exploitation Adriel T. Desautels (Dec 05)
- RE: Level of Exploitation Shenk, Jerry A (Dec 05)
- Re: Level of Exploitation Anthony Cicalla (Dec 05)
- Re: Level of Exploitation gold flake (Dec 07)
- Re: Level of Exploitation Egon Braun (Dec 11)
- RE: Level of Exploitation GT GERONIMO, Frederick Joseph B. (Dec 11)
- Re: Level of Exploitation ArcSighter (Dec 12)
- Re: Level of Exploitation Egon Braun (Dec 12)
- Re: Level of Exploitation ArcSighter Elite (Dec 12)
- Re: Level of Exploitation Egon Braun (Dec 12)
- Re: Level of Exploitation Matthew Zimmerman (Dec 05)