Re: Level of Exploitation

[ArcSighter Elite <arcsighter () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Egon Braun wrote:
> > Besides pen-tester, once in time I was performing as network
> > administrator. I think the Auditor's job is to assess vulnerability
> > risk. not data risk. The company and its incident response team should
> > have established a politic that reflects all related with risk
> > assessment, politics, and incident response, the value of data,
> > downtime, etc. The auditor's job is to evaluate how a vulnerability
> > could compromise the security of the network and hosts, actually in your
> > terms: integrity of WHATEVER data the servers or workstations hold, not
> > to probe anything beyond that. And contrary to your thinkings,
> > pen-testers estimate the flaw only by its implications; for example, if
> > the external security could be circumvented and ANY workstation INSIDE
> > the internal LAN is compromised, that would be a HIGH PRIORITY
> > vulnerability, even in the case that the workstation only holds games;
> > that host could be used as a gateway or abused in it's trust
> > relationships to compromise other workstations/servers, those where the
> > information is actually valuable.
> > =20
>
> I agree with you, but that leads in what I was saying.
> What is the basis to determine that a flaw is HIGH or
> LOW risk?
>
> As I am reading this thread it makes me think
> that this is an self/abstract opinion that only the
> pen-tester working together with the company would
> value rightly.
>
> Some stuff should be consider HIGH PRIORITY in some
> companies but not in others. There are lots of
> variables in this questions, and only experience
> and practice would give the right answers.
>
> Reading your opinion makes me believe that in this
> case the pentester should not rake the flaws, but just
> list it! The IT personal from the client company should
> then rake them as HIGH, MEDIUM or LOW.
>
> But I know this does not sound professional! In this
> case I would say. Rake the flaw whatever you think it is!
> Your knowledge will be the judge! Your experience! Your
> feelings ... whatver ...
>
> If you know any judgement policies/standards please
> tell me.
>
> I think this thread will not lead to any more good.
> It's too personal! Depends on the client and the pen-tester.
>
> IMHO we could help more trading our experiences than
> judging anything. :)
>
> ---
> Egon Braun

I just mean pen-testers should obviously assess vulnerability risk, but
in terms of the vulnerability itself. You assess vulnerabilies based on
the level of security compromise that could be achieved, that's how you
difference the fact of using of plain-text or vulnerable protocols
sensible to eavesdropping, from running a vulnerable service as root, or
running it from a chroot jail, for example. SQL injection in fact, is
actually a high risk, because there are many attack avaliable to
compromise the data integrity of the database, or even the host. Even on
those cases, there is a distinct risk in a web application connecting
with DML privilegies or another using only granted selects to particular
tables or even fields. The topic is obscure, but here is how I see it:
assess the vulnerability, not the computer data, or the company, or the
world.

Greetings.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJQtmBH+KgkfcIQ8cRAiGCAKC/MOgLFuf3r4zeD9T0d9HKWyZp2gCcDdCo
weCQ4UT6nt+lrA0m/q5Z6ow=
=L1jn
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------