Re: Level of Exploitation



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

GT GERONIMO, Frederick Joseph B. wrote:
I guess what Egon is saying is that an Auditor would need to know first
the classification of data, and what importance the company gives to
each classification of data. Definitely, data that are most important
(ex. Top Secret, Confidential, etc.) should have more protection;
therefore, any vulnerability that would leave those data exposed would
most likely have a High Risk rating. But for some companies risk is
computed with likelihood as one factor, which may lower the risk
rating of a vulnerability (ex. a calamity that destroys two redundant
sites).

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Egon Braun
Sent: Thursday, December 11, 2008 8:43 PM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: Re: Level of Exploitation

I have learned with experience that
what makes a flaw in a computer environment a HIGH PRIORITY FLAW is the
one that compromises the INFORMATION, not the server.

Servers can always be replaced, reconfigured, updated and so on. You
can always (as a last option) unplug it.

However, it is the information that we from the security area should be
focused on.

What is more important for General Motors?
To have one dept. without internet because of a DoS attack, or to have
its new car drawings stolen by a cracker?

I consider HIGH only the flaw that could give access to the information
of the company; the others are always MEDIUM or LOW.

Of course, this tip does not apply to every case.
For example, in a shopping mall public internet area, the HIGH PRIORITY
is to have the internet access ALWAYS ON. There is no information to be
secured.

And we have lots of other cases ...

The best is to feel the company and think about what is the "treasure"
of the client, and try to protect it best.

We from IT like to protect servers because we love computers, but often
the problem is not in the servers but within people, policies, etc.
--
Egon Braun <mundoalem@xxxxxxxxx>


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------


Besides being a pen-tester, at one time I worked as a network
administrator. I think the Auditor's job is to assess vulnerability
risk, not data risk. The company and its incident response team should
have established a policy that reflects everything related to risk
assessment, policies, and incident response, the value of data,
downtime, etc. The auditor's job is to evaluate how a vulnerability
could compromise the security of the network and hosts, actually in your
terms: the integrity of WHATEVER data the servers or workstations hold,
not to probe anything beyond that. And contrary to your thinking,
pen-testers estimate the flaw only by its implications; for example, if
the external security could be circumvented and ANY workstation INSIDE
the internal LAN is compromised, that would be a HIGH PRIORITY
vulnerability, even in the case that the workstation only holds games;
that host could be used as a gateway or abused in its trust
relationships to compromise other workstations/servers, those where the
information is actually valuable.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJQnYqH+KgkfcIQ8cRAgpGAJ9o73+MWccP6omufWhWE/XXQ9BcnwCgnbGD
57krALwOGlnpOLj/1pDgbvk=
=4wrb
-----END PGP SIGNATURE-----
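The two positions in this thread (rate by the classification of the data at stake, weighted by likelihood; and rate a foothold on any inside host by what its trust relationships let an attacker reach) can be combined in one small model. The following is an added example written for this page, not code from any of the posters: the hosts, their classifications, the trust edges and the HIGH/MEDIUM/LOW thresholds are all constructed assumptions, chosen to mirror the cases mentioned above (a workstation that only holds games, a mall kiosk with nothing to protect, car drawings on a server). It walks the trust graph from the compromised host and rates the flaw by the most sensitive data reachable, scaled by likelihood.

```python
"""Rate a vulnerability by what an attacker could reach from the host it
compromises, not by the host itself.  Added example; sample data is constructed."""
from collections import deque

# Assumption: ordinal weight per data classification (higher = more sensitive).
CLASSIFICATION_WEIGHT = {"public": 0, "internal": 1, "confidential": 2, "top secret": 3}

# Constructed sample inventory: host -> classification of the data it holds.
HOSTS = {
    "kiosk": "public",            # mall internet kiosk, nothing to protect
    "ws-games": "public",         # internal workstation that only holds games
    "fileserver": "confidential",
    "cad-server": "top secret",   # the new car drawings
}

# Constructed trust edges: a foothold on the key can be used to reach each value
# (cached credentials, permitted firewall rule, domain trust, shared admin password).
TRUST = {
    "kiosk": set(),
    "ws-games": {"fileserver"},
    "fileserver": {"cad-server"},
    "cad-server": set(),
}


def reachable(start, trust=TRUST):
    """Breadth-first walk over trust edges: every host an attacker could pivot
    to from a foothold on `start` (the foothold itself included)."""
    seen = {start}
    queue = deque([start])
    while queue:
        host = queue.popleft()
        for nxt in trust.get(host, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def impact(start, hosts=HOSTS, trust=TRUST):
    """Classification of the most sensitive data reachable from `start`."""
    return max((hosts[h] for h in reachable(start, trust)),
               key=CLASSIFICATION_WEIGHT.__getitem__)


def rate(start, likelihood, hosts=HOSTS, trust=TRUST):
    """Combine reachable impact with likelihood (0.0-1.0).  The thresholds are
    assumptions for this example; a real scheme would use the client's matrix."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be in [0, 1]")
    score = CLASSIFICATION_WEIGHT[impact(start, hosts, trust)] * likelihood
    if score >= 1.5:
        return "HIGH"
    if score >= 0.5:
        return "MEDIUM"
    return "LOW"


if __name__ == "__main__":
    # Games-only workstation, easily compromised: HIGH, because it reaches the CAD server.
    print("ws-games   ", rate("ws-games", 0.8), sorted(reachable("ws-games")))
    # Kiosk with no trust relationships and no data: LOW on the confidentiality axis.
    print("kiosk      ", rate("kiosk", 0.8))
    # Top-secret server, but the scenario (calamity taking out two redundant sites)
    # is very unlikely: likelihood pulls the rating down.
    print("cad-server ", rate("cad-server", 0.1))
    # Same workstation after segmentation removes its path to the file server.
    segmented = {h: set(e) for h, e in TRUST.items()}
    segmented["ws-games"] = set()
    print("ws-games*  ", rate("ws-games", 0.8, trust=segmented))
```

The model only scores the confidentiality axis, which is the point Egon makes about information versus servers; the kiosk example shows its limit, since an availability-critical asset comes out LOW here and would need a separate availability weight. The last case is the practical use for a pen-tester: re-running the rating with a trust edge removed shows how much a segmentation fix actually lowers the risk of the "games only" workstation.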



