RE: mapping vulnerabilities into high medium low risk

From: Stamford, Mark (mstamford_at_kpmg.com)
Date: 09/17/03

    To: "'Shackleford, Dave'" <znz1@cdc.gov>, "'thomasng@bigfella.is-a-geek.net'" <thomasng@bigfella.is-a-geek.net>, pen-test@securityfocus.com
    Date: Wed, 17 Sep 2003 17:43:28 -0400
    
    

    Do these take account of factors other than just "It's a blank password,
    therefore it's a high"?

    I'm thinking that in order to really rate the vulnerability as H, M, L you
    need to take into account the risks to the system, its criticality to the
    organization, etc. Is there anything like this out there? This also has
    the added advantage that if you rate the vulnerabilities in this way it's
    easier (hopefully) to have people take notice.

    -Mark

    Mark Stamford, CISSP
    KPMG LLP Information Risk Management
    345 Park Avenue
    New York, NY 10154-0102

    -----Original Message-----
    From: Shackleford, Dave [mailto:znz1@cdc.gov]
    Sent: Wednesday, September 17, 2003 2:41 PM
    To: 'thomasng@bigfella.is-a-geek.net'; pen-test@securityfocus.com
    Subject: RE: mapping vulnerabilities into high medium low risk

    Although it isn't as cut and dry as "See this? It's an H!" etc., these
    templates may give you some guidelines:

    http://www.sans.org/score/

    --Dave
    Dave Shackleford
    --------------------------------------------------
    Technical Lead - NCCDPHP/OIIRM
    (770)488-5816
    znz1@cdc.gov

    -----Original Message-----
    From: thomasng@bigfella.is-a-geek.net
    [mailto:thomasng@bigfella.is-a-geek.net]
    Sent: Wednesday, September 17, 2003 4:10 AM
    To: pen-test@securityfocus.com
    Subject: mapping vulnerabilities into high medium low risk

    Hi,

    Anyone know any open source methodology about categorizing
    vulnerabilities? When doing a Pen Test, I need to categorize a particular
    vulnerability into high, medium or low risk. These vulnerabilities may be a
    web application vulnerability or may be a new system vuln that has yet to
    be discovered. So is there any open source methodology that gives you a
    guide on how to categorize the vuln?

     

    Rgds

    Thomas

    ---------------------------------------------------------------------------
    FREE Trial!
    New for security consultants and in-house pros: FOUNDSTONE PROFESSIONAL
    and PROFESSIONAL TL software. Fast, reliable vulnerability assessment
    technology powered by the award-winning FoundScan engine. Try it free for
    21 days at: http://www.securityfocus.com/sponsor/Foundstone_pen-test_030825
    ----------------------------------------------------------------------------



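The point Mark raises, that a blank password is not automatically a High until you weigh the asset it sits on and who can reach it, can be turned into a small rating routine that a report can show its working from. The following is an added example, not code from this thread or from any of the posters, and not any of the SANS templates Dave links to; the three factors, the one-step adjustment rule, the thresholds and the sample findings are all assumptions chosen for illustration, and an organization would agree its own.

```python
"""Rate pen-test findings High/Medium/Low from technical severity plus context.

Added example; the factor names, the adjustment rule and the sample findings
are assumptions for illustration, not an established methodology.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Finding:
    title: str
    asset: str
    technical_severity: Level  # what the weakness hands an attacker, judged in isolation
    asset_criticality: Level   # how much the organization depends on the asset
    exposure: Level            # who can reach it: LOW isolated, MEDIUM internal network, HIGH internet


def adjust(level: Level, context: Level) -> Level:
    """Move a level one step according to a context factor (assumed rule).

    Context HIGH raises a MEDIUM or HIGH level but never a LOW one (a version
    banner on the crown jewels is still just a banner). Context LOW lowers any
    level one step. A MEDIUM context leaves the level unchanged.
    """
    if context == Level.HIGH and level >= Level.MEDIUM:
        return Level(min(level + 1, Level.HIGH))
    if context == Level.LOW:
        return Level(max(level - 1, Level.LOW))
    return level


def impact(f: Finding) -> Level:
    """Harm to the organization if this weakness is exploited on this asset."""
    return adjust(f.technical_severity, f.asset_criticality)


def rate(f: Finding) -> Level:
    """Overall risk: the impact, scaled by how reachable the weakness is."""
    return adjust(impact(f), f.exposure)


def rank(findings):
    """Findings ordered for the report: highest overall risk first."""
    return sorted(findings, key=lambda f: (-rate(f), -f.technical_severity, f.title))


# Constructed sample findings; the hosts and asset names are invented.
SAMPLE_FINDINGS = [
    Finding("Blank 'sa' password", "customer-db-01 (production)",
            Level.HIGH, Level.HIGH, Level.MEDIUM),
    Finding("Blank root password", "lab-box-07 (isolated test VLAN)",
            Level.HIGH, Level.LOW, Level.LOW),
    Finding("Server version banner", "www-01 (internet-facing)",
            Level.LOW, Level.HIGH, Level.HIGH),
    Finding("Directory listing exposes backup archives", "partner-portal (internet-facing)",
            Level.MEDIUM, Level.MEDIUM, Level.HIGH),
]


def report(findings) -> str:
    """Plain-text table: overall risk beside the raw technical severity."""
    lines = [f"{'RISK':<7} {'SEV':<7} {'FINDING':<45} ASSET"]
    for f in rank(findings):
        lines.append(f"{rate(f).name:<7} {f.technical_severity.name:<7} {f.title:<45} {f.asset}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_FINDINGS))
```

Run as a script it prints the ranked table. The two blank-password findings carry the same technical severity, but the one on the isolated lab box drops to Low while the one on the production database stays High, and the internet-facing directory listing outranks both the banner and the lab box; that contextual ordering, rather than the scanner's severity alone, is what the report should lead with.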

