Re: Vulnerability level definition

From: Damir Rajnovic (gaus@cisco.com)
Date: 02/12/03

    Date: Wed, 12 Feb 2003 10:41:52 +0000
    To: pen-test@securityfocus.com, security-basics@securityfocus.com
    From: Damir Rajnovic <gaus@cisco.com>
    
    

    At 22:57 11/02/2003 +0100, Per Niila Albinsson wrote:
    >There would also be a need for probability, which I do guess is very subjective,
    >but does depend on the customer's environment. The probability for someone
    >exploiting a vulnerability would be large on a publicly accessible server,
    >medium for a server on the internal network, and low on a network with no
    >users.

    Amen to this. My personal belief is that one cannot say what the
    severity of a bug is. It all depends on how the equipment is used. It
    may not be so much about whether it is a large network or not, but whether that
    feature is used. Another question is "What is your data worth?".
    If some bug will expose something that is public anyway, then it
    boils down to a nuisance. If it will expose your confidential data, then
    it is very serious indeed. The vendor cannot know how a particular
    feature will be used in a customer's environment. Yes, a vendor may
    have some idea, but is it valid in all cases?

    Gaus
    ==============
    Damir Rajnovic <psirt@cisco.com>, PSIRT Incident Manager, Cisco Systems
    <http://www.cisco.com/go/psirt> Telephone: +44 7715 546 033
    200 Longwater Avenue, Green Park, Reading, Berkshire RG2 6GB, GB
    ==============
    There are no insolvable problems.
    The question is can you accept the solution?



