RE: assessing IIS 5.0

From: Butler, Theodore (Theodore.Butler@EssexCorp.com)
Date: Tue Sep 05 2006 - 17:00:03 EDT


Vijay,

I thought you were doing a risk evaluation, not simply identifying
vulnerabilities. There is a difference. The methodology is the same
whether it's payment cards, networks, or widgets: threats, value and
vulnerabilities (and motivation of perpetrator) need to be accounted for
where possible to identify risk. It's assumed as a given that all this
is mapped against policy and requirements as a backdrop to give you a
reference. These items should be gathered during the information
gathering aspect of the assessment.

I agree it's presumptuous to assign risk without it being clearly
defined; however the argument here is that industry has already defined
it to be composed of the elements I've listed above. Therefore assigning
risk without attempting to account for environmental elements is
incomplete. That's the difference between doing vulnerability scans and
assessing risk. Risk accounts for the whole enchilada. This is what
makes the world so beautiful, free speech and differences of view.

Here's some specific information on the Internal IP address disclosure
vulnerability in IIS 4.0 and 5.0.

http://archive.cert.uni-stuttgart.de/archive/bugtraq/2001/08/msg00127.html

Peace,
Ted

-----Original Message-----
From: Robert E. Lee [mailto:robert@outpost24.com]
Sent: Tuesday, September 05, 2006 2:43 PM
To: Butler, Theodore
Cc: vijay.shetti@gmail.com; pen-test@securityfocus.com
Subject: Re: assessing IIS 5.0

On Tue, 5 Sep 2006 12:01:14 -0400
"Butler, Theodore" <Theodore.Butler@EssexCorp.com> wrote:

> The risk will be determined by the threat, and value of the associated
> asset (web server and its content) coupled with its vulnerability.
> Risk = Threat x Vulnerability (likelihood of threat's success) x
> Cost (value to replace). The vulnerability is only one part and only
> you know the other 2 aspects.

Vijay,

Unfortunately, that calculation isn't possible for a third party to
calculate and use in a vulnerability report. In reports, you will have
an easier time if you just clearly state the category of the problem and
the consequence of the problem. In this case, IIS revealing the
internal IP address is a "systems configuration information disclosure,
affecting Confidentiality".

Without understanding the security policy of the system being evaluated
(i.e., not provided, doesn't exist, etc.), trying to assign a risk
value/rating is presumptuous and baseless if not clearly defined in your
report. If they don't give you a policy, then you should define your
terms in your report so the reader can understand your logic behind
assigning the value.

For example, if you were evaluating the system for PCI/SDP, they place:

  level 5 (Urgent)   - vulnerabilities affecting CIA system wide;
  level 4 (Critical) - vulnerabilities affecting C system wide, or
                       sensitive content being leaked (without
                       defining sensitive);
  level 3 (Critical) - vulnerabilities giving partial C of files or of
                       security configuration information, availability
                       issues, and other misc policy violations (such as
                       being able to relay mail);
  level 2 (Medium)   - C related to non-security systems configuration
                       information (IP addresses, server version
                       information, etc.);
  level 1 (Low)      - C related to open ports.

If the system audited is held to PCI/SDP policy standards this finding
could be a Level 2 (Medium) finding.

Best of luck,

Robert

-- 
Robert E. Lee
Chief Security Officer
http://www.outpost24.com
 
phone: +46-(0)455-612-320
fax  : +46-(0)455-13960
email: robert@outpost24.com
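The finding both messages are talking about can be checked directly. The following script is an added example, not code from either poster or from the bugtraq advisory Ted links. It relies on the well-known trigger for the IIS 4.0/5.0 disclosure: an HTTP/1.0 request with no Host header, to which IIS answers a redirect (or adds a Content-Location header) whose absolute URL is built from the server's own address, often an RFC 1918 one, instead of its public name. The response-parsing part runs offline against a constructed sample response; the probe() function sends the same request to a live host you name. Header names, the sample response and the hostname argument are assumptions for illustration.

```python
"""Check for the IIS 4.0/5.0 internal IP address disclosure.

Added example, not code from the thread. The request below deliberately
omits the Host header; an affected IIS fills absolute URLs in Location
or Content-Location from its own interface address.
"""
import ipaddress
import re
import socket

_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Headers in which IIS embeds an absolute URL (assumed list for the check).
_URL_HEADERS = ("location", "content-location")


def probe_request(path: str = "/") -> bytes:
    """Build the HTTP/1.0 request with no Host header."""
    return f"GET {path} HTTP/1.0\r\n\r\n".encode()


def parse_headers(raw_response: bytes) -> dict:
    """Return {lower-case header name: value} from a raw HTTP response."""
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:  # lines[0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def private_ips_in_headers(raw_response: bytes) -> list:
    """List (header, address) pairs for private IPv4 addresses leaked
    in URL-bearing response headers."""
    findings = []
    for name, value in parse_headers(raw_response).items():
        if name not in _URL_HEADERS:
            continue
        for candidate in _IP_RE.findall(value):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # e.g. 999.1.1.1 matched by the loose regex
            if addr.is_private:
                findings.append((name, str(addr)))
    return findings


def probe(host: str, port: int = 80, path: str = "/",
          timeout: float = 5.0) -> list:
    """Send the Host-less request to a live server and return leaks."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(probe_request(path))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return private_ips_in_headers(b"".join(chunks))


# Constructed sample response (not captured from a real server), shaped
# like an IIS 5.0 redirect for a directory requested without a slash.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Object Moved\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Location: http://192.168.10.5/scripts/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Constructed clean response: the redirect uses the public name, so no
# finding is reported.
CLEAN_RESPONSE = (
    b"HTTP/1.1 302 Object Moved\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Location: http://www.example.com/scripts/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))  # e.g. python iis_ip_leak.py target
    else:
        print(private_ips_in_headers(SAMPLE_RESPONSE))
```

Requesting a directory path without its trailing slash (such as /scripts) is the usual way to force the redirect; if the check reports a private address, the category Robert suggests, configuration information disclosure affecting confidentiality, is the honest way to write it up regardless of what risk rating the client's policy then attaches.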
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:54 EDT