RE: mapping vulnerabilities into high medium low risk
From: Earl Sammons (ESammons_at_technicacorp.com)
Date: 09/17/03
- Previous message: Stack Buffer: "Firewall Penetration Testing"
- Maybe in reply to: thomasng_at_bigfella.is-a-geek.net: "mapping vulnerabilities into high medium low risk"
- Next in thread: Robert E. Lee: "RE: mapping vulnerabilities into high medium low risk"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'thomasng@bigfella.is-a-geek.net '" <thomasng@bigfella.is-a-geek.net>, "'pen-test@securityfocus.com '" <pen-test@securityfocus.com>
Date: Wed, 17 Sep 2003 11:35:28 -0400
icat http://icat.nist.gov/icat.cfm (a CVE front-end) does it as described
below. I'm sure there are other/better/worse ways... just an example.
-Earl
A vulnerability is "high severity" if:
1. it allows a remote attacker to violate the security protection of a
system (i.e. gain some sort of user or root account),
2. it allows a local attack that gains complete control of a system,
3. it is important enough to have an associated CERT/CC advisory.
A vulnerability is "medium severity" if:
1. it does not meet the definition of either "high" or "low" severity.
A vulnerability is "low severity" if:
1. the vulnerability does not typically yield valuable information or
control over a system but instead gives the attacker knowledge that may help
the attacker find and exploit other vulnerabilities.
2. we feel that the vulnerability is inconsequential for most
organizations.
-----Original Message-----
From: thomasng@bigfella.is-a-geek.net
To: pen-test@securityfocus.com
Sent: 9/17/03 4:09 AM
Subject: mapping vulnerabilities into high medium low risk
Hi,
Anyone know any open source methodology about categorizing vulnerabilities? When doing a Pen Test, I need to categorize a particular vulnerability into high, medium or low risk. These vulnerabilities may be a web application vulnerability or may be a new system vuln that has yet to be discovered. So is there any open source methodology that gives you a guide to how to categorize the vuln?
Rgds
Thomas
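The ICAT criteria quoted in Earl's reply are a small rule set, and the practical question for a pen-test report is how to apply them consistently across many findings. The following is an added example, not code from the thread, from ICAT or from NIST: it encodes the three "high" tests, the two "low" tests, and ICAT's "medium is whatever is neither" fallthrough. The `Finding` fields, the sample findings, and the decision to let a "high" indicator win over a "low" one when both are flagged are this example's own assumptions.

```python
"""Map a finding to ICAT's high/medium/low severity buckets.

Added example, not part of the original mailing-list thread. The rules are
the ICAT criteria quoted in the reply; the Finding fields and the precedence
(high checked before low) are this example's own assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    name: str
    # High-severity indicators (any one is enough under ICAT's definition)
    remote_account: bool = False      # remote attacker gains a user or root account
    local_full_control: bool = False  # local attack gains complete control of the system
    cert_advisory: bool = False       # an associated CERT/CC advisory exists
    # Low-severity indicators
    info_only: bool = False           # yields only knowledge that helps find other vulns
    inconsequential: bool = False     # judged inconsequential for most organisations


SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def icat_severity(f: Finding) -> str:
    """Return 'high', 'medium' or 'low' per the ICAT definitions.

    ICAT defines 'medium' as 'neither high nor low', so it is the
    fallthrough. A finding that flags both a high and a low indicator is
    rated high here (assumption: control over a system outranks leakage
    of reconnaissance information).
    """
    if f.remote_account or f.local_full_control or f.cert_advisory:
        return "high"
    if f.info_only or f.inconsequential:
        return "low"
    return "medium"


def triage(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group finding names by severity, ready for a report's summary table."""
    buckets: Dict[str, List[str]] = {"high": [], "medium": [], "low": []}
    for f in findings:
        buckets[icat_severity(f)].append(f.name)
    return buckets


def report_order(findings: List[Finding]) -> List[str]:
    """Finding names sorted high -> medium -> low, stable within a bucket."""
    ranked = sorted(findings, key=lambda f: SEVERITY_ORDER[icat_severity(f)])
    return [f.name for f in ranked]


# Constructed sample findings (illustrative only, not real advisories).
SAMPLE_FINDINGS = [
    Finding("unauthenticated RCE in web app", remote_account=True, cert_advisory=True),
    Finding("setuid helper privilege escalation", local_full_control=True),
    Finding("server banner reveals exact version", info_only=True),
    Finding("reflected XSS in search form"),  # no high or low indicator set -> medium
    Finding("ICMP timestamp response", inconsequential=True),
]


if __name__ == "__main__":
    for sev, names in triage(SAMPLE_FINDINGS).items():
        print(f"{sev:6s}: {names}")
```

The point of writing the rules down this way is that the "medium" bucket is defined negatively, so anything you forget to characterise lands there by default; reviewing the medium list for findings that simply lack an indicator is a useful sanity check before the report goes out.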