Re: mapping vulnerabilities into high medium low risk

From: thomasng@bigfella.is-a-geek.net
Date: Wed Sep 17 2003 - 22:22:25 EDT


Hi All,
Thanks for all your help.
From the responses, I guess there is a lot more overlap between pen-test and risk
assessment than I thought. I agree that a lot of times, you have to
consider the cost of the compromised information to the customer. However,
from a technical point of view of a PT, the risk is the same for a root
exploit present in a system without production data compared to a system
with production data.

It is currently my belief that it is the PT Team's job to highlight all
vulnerabilities discovered and place a value on the technical possibility
of an attack utilising that vuln. Also place a technical cost (whether
remote attack possible, whether shell possible, etc) on the vuln. Let's
call this value "technical risk" for lack of a better name.

The "technical risk" should be without consideration of the cost that the
company believes the data is worth within the system. After putting these on
paper, have another column of "revised risk" for each vuln. This column
will then be discussed with the management to come out with the final
revised risk.

Arrhh.... I just looked through the SP800-30 by NIST. Section 3.7.1
Risk-Level Matrix. I guess my "technical risk" will be the result of the
risk-level matrix. This should be the same regardless of which site I PT.
Then followed by another level of discussion with the management to come
out with a "revised risk".

I find that this may be a better approach instead of factoring in the cost of
the system at the beginning because many times, the customers come back
disagreeing with you on the final result. This is because they have to
report to higher management and will look bad if they have a lot of high
risks. So we protect ourselves by stating the technical risk and there will
be less argument when it comes to the revised risk. Ultimately, the
customers will have to justify to higher management why they altered the
result in the revised risk... not the PT Team.

Thanks once again for all your help.

Thomas
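Worked example of the two-column approach described above (added here, not part of Thomas's post): the NIST SP 800-30 Section 3.7.1 risk-level matrix produces a site-independent "technical risk", and a separate "revised risk" column may differ from it only when management's justification is recorded. The vulnerability ids and justification text are constructed.

```python
# Added example: NIST SP 800-30 Section 3.7.1 risk-level matrix as the
# "technical risk", plus a management-revised column with justification.

# Threat likelihood and impact weights as given in SP 800-30 Table 3-6.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


def technical_risk(likelihood: str, impact: str) -> str:
    """Map likelihood x impact onto the SP 800-30 risk scale.

    Risk scale from the matrix: High (>50 to 100), Medium (>10 to 50),
    Low (1 to 10). The result depends only on the finding itself, not on
    what the customer says the data on the system is worth.
    """
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def build_report(findings, revisions):
    """Return rows carrying both the technical and the revised risk.

    findings:  list of (vuln_id, likelihood, impact)
    revisions: {vuln_id: (revised_level, justification)} agreed with management
    A revised risk that differs from the technical risk without a recorded
    justification is rejected: the customer, not the PT team, owns the change.
    """
    rows = []
    for vuln_id, likelihood, impact in findings:
        tech = technical_risk(likelihood, impact)
        revised, why = revisions.get(vuln_id, (tech, ""))
        if revised != tech and not why:
            raise ValueError(f"{vuln_id}: revised risk changed without justification")
        rows.append({"id": vuln_id, "technical": tech,
                     "revised": revised, "justification": why})
    return rows


if __name__ == "__main__":
    # Constructed findings: V-1 is a remote root exploit on a box holding
    # no production data; management lowers it, and must say why.
    findings = [("V-1", "High", "High"), ("V-2", "Medium", "High"), ("V-3", "Low", "Low")]
    revisions = {"V-1": ("Medium", "Test system, no production data")}
    for row in build_report(findings, revisions):
        print(row)
```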




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:40 EDT