RE: assessing IIS 5.0

From: Butler, Theodore (Theodore.Butler@EssexCorp.com)
Date: Tue Sep 05 2006 - 12:01:14 EDT


Vijay,

The risk will be determined by the threat, and value of the associated
asset (web server and its content) coupled with its vulnerability. Risk
= Threat x Vulnerability (likelihood of threat's success) x Cost(Value
to replace). The vulnerability is only one part and only you know the
other 2 aspects.

You need to answer some questions like:

Is the web server in a DMZ, Honeypot, secured portion of the network?
These items help determine the threat level.

Vulnerability is heavily determined by degree of exposure and its
frequency (Is this always the case?)

Cost is influenced by impact. If the web server is compromised, will
business shut down or simply inconvenience everyone? How sensitive is
the data (salaries, trade secrets, or simply inventory)?

My suggestion is to gather all these elements to compute the risk and of
course test to validate your findings.

Ted B, CISSP

-----Original Message-----
From: vijay shetti [mailto:vijay.shetti@gmail.com]
Sent: Monday, September 04, 2006 3:59 AM
To: pen-test@securityfocus.com
Subject: assessing IIS 5.0

Hello all!!

During a web assessment of one of our clients I came to know that IIS 5.0
has an internal IP address disclosure vuln...
But what to do next? What rank should I give it, is it a medium risk or
low risk?

regards,
Vijay

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:54 EDT