Re: assessing IIS 5.0

From: Robert E. Lee (robert@outpost24.com)
Date: Tue Sep 05 2006 - 14:42:30 EDT


On Tue, 5 Sep 2006 12:01:14 -0400
"Butler, Theodore" <Theodore.Butler@EssexCorp.com> wrote:

> The risk will be determined by the threat, and value of the associated
> asset (web server and its content) coupled with its vulnerability. Risk
> = Threat x Vulnerability (likelihood of threat's success) x Cost(Value
> to replace). The vulnerability is only one part and only you know the
> other 2 aspects.

Vijay,

Unfortunately, that calculation isn't possible for a third party to calculate and use in a vulnerability report. In reports, you will have an easier time if you just clearly state the category of the problem and the consequence of the problem. In this case, IIS revealing the internal IP address is a "systems configuration information disclosure, affecting Confidentiality".

Without understanding the security policy of the system being evaluated (i.e., not provided, doesn't exist, etc.), trying to assign a risk value/rating is presumptuous and baseless if not clearly defined in your report. If they don't give you a policy, then you should define your terms in your report so the reader can understand your logic behind assigning the value.

For example, if you were evaluating the system for PCI/SDP, they place a level 5 (Urgent) value to vulnerabilities affecting CIA system wide; a level 4 (Critical) value to vulnerabilities affecting C system wide, or if sensitive content is being leaked (without defining sensitive); a level 3 (Critical) value to vulnerabilities affecting partial C of files or of security configuration information, availability issues, and other misc policy violations (such as being able to relay mail); a level 2 (Medium) value to C related to non-security systems configuration information (IP addresses, server version information, etc); and a level 1 (Low) value to C related to open ports.

If the system audited is held to PCI/SDP policy standards this finding could be a Level 2 (Medium) finding.

Best of luck,

Robert

-- 
Robert E. Lee
Chief Security Officer
http://www.outpost24.com
 
phone: +46-(0)455-612-320
fax  : +46-(0)455-13960
email: robert@outpost24.com