Penetration Testing mailing list archives

Re: Level of Exploitation


From: Egon Braun <mundoalem () gmail com>
Date: Fri, 12 Dec 2008 15:43:42 -0200

Besides pen-tester, once upon a time I was working as a network
administrator. I think the auditor's job is to assess vulnerability
risk, not data risk. The company and its incident response team should
have established a policy that reflects everything related to risk
assessment, policies, and incident response, the value of data,
downtime, etc. The auditor's job is to evaluate how a vulnerability
could compromise the security of the network and hosts, actually in your
terms: the integrity of WHATEVER data the servers or workstations hold, not
to probe anything beyond that. And contrary to your thinking,
pen-testers estimate the flaw only by its implications; for example, if
the external security could be circumvented and ANY workstation INSIDE
the internal LAN is compromised, that would be a HIGH PRIORITY
vulnerability, even in the case that the workstation only holds games;
that host could be used as a gateway or abused in its trust
relationships to compromise other workstations/servers, those where the
information is actually valuable.

I agree with you, but that leads to what I was saying.
What is the basis to determine that a flaw is HIGH or
LOW risk?

As I am reading this thread it makes me think
that this is a self/abstract opinion that only the
pen-tester working together with the company would
value rightly.

Some stuff should be considered HIGH PRIORITY in some
companies but not in others. There are lots of
variables in these questions, and only experience
and practice would give the right answers.

Reading your opinion makes me believe that in this
case the pentester should not rank the flaws, but just
list them! The IT personnel from the client company should
then rank them as HIGH, MEDIUM or LOW.

But I know this does not sound professional! In this
case I would say: rank the flaw whatever you think it is!
Your knowledge will be the judge! Your experience! Your
feelings ... whatever ...

If you know any judgement policies/standards please
tell me.

I think this thread will not lead to any more good.
It's too personal! Depends on the client and the pen-tester.

IMHO we could help more trading our experiences than
judging anything. :)

---
Egon Braun
-- 
Egon Braun <mundoalem () gmail com>
