RE: Risk metrics

From: Marc Heuse (Marc.Heuse@nruns.com)
Date: Tue Nov 01 2005 - 03:22:06 EST


Hi,

if there would be standard metrics, they would have been in the guide :-)

to be serious: in risk management there are standard metrics.
the most used one is to determine Likelihood and Impact of a risk.
These are then described as low/medium/high (or very low, low, medium, high,
critical; or ... well you get the picture). Or you put values in there,
e.g. likelihood that it happens once a year is 20%, impact would be
$10k. This is then called Expected Annual Loss, or Annual Loss Expectancy.
And then there is CRAMM (british standard) which uses values from 1-10 for these.

Basically it is very hard to use likelihood and impact in a pentest report.
Who can convince everyone that the likelihood of exploitation of a weak password
is xx%? It just doesn't work. Then the impact - if you are not working within
the company for whom you are performing the pentest, it is very, very hard
to have an idea of the costs.

So for pentesting - especially when providing pentest services - other
metrics are needed. But there are no standards for that.
From my philosophy and experience there are just a few metrics helpful:
criticality of a vulnerability (metric like 1: unharmful information
gathering to 10: remote control of a complete network/infrastructure),
and level of exposure (e.g. 1: controlled keyboard access only,
10: Internet connection without filtering).
Some customers also want to know the difficulty level to exploit or
knowledge level required by the attacker (e.g. 1: needs to be able
to move a mouse, 10: strong reverse engineering, assembler coding,
machine level knowledge on several platforms etc. required). But this
is a trap - if there is a tool or exploit which you don't know, or is
released some days/weeks later, the difficulty drops - but nobody will
update a table in a report in return.

Cheers,
Marc

====================================================================
Marc Heuse
n.runs GmbH
Mobile Phone: +49-160-98925941
Key fingerprint = AE3F CDC0 8C7B 8797 BEAC 4BF8 EC8F E64B 0A84 EA10
====================================================================
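As an added illustration of the two metric styles Marc contrasts above (this is example code written for this archive page, not code from Marc or n.runs), the following Python module computes the quantitative Annual Loss Expectancy from a likelihood and an impact, and separately rates pentest findings on the 1-10 criticality and exposure scales he describes. The band thresholds, the sample findings and the decision to keep "difficulty" out of the headline score are assumptions made here to show one way of avoiding the stale-table trap he mentions.

```python
"""Report-rating helpers for the two metric styles discussed in the mail.

Hypothetical example code, not from the list thread or from n.runs; the
band thresholds and sample findings below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional


def annual_loss_expectancy(likelihood_per_year: float, impact: float) -> float:
    """Quantitative risk-management metric: ALE = annual likelihood * impact.

    likelihood_per_year is the probability (0.0..1.0) that the loss occurs
    in a given year; impact is the single-occurrence loss in currency units.
    """
    if not 0.0 <= likelihood_per_year <= 1.0:
        raise ValueError("likelihood must be a probability between 0 and 1")
    if impact < 0:
        raise ValueError("impact must be non-negative")
    return likelihood_per_year * impact


def _check_scale(name: str, value: int) -> int:
    """All pentest-report scales here run from 1 (lowest) to 10 (highest)."""
    if not isinstance(value, int) or not 1 <= value <= 10:
        raise ValueError(f"{name} must be an integer from 1 to 10, got {value!r}")
    return value


@dataclass
class Finding:
    title: str
    criticality: int                  # 1: harmless info gathering .. 10: control of the whole network
    exposure: int                     # 1: controlled keyboard access only .. 10: unfiltered Internet
    difficulty: Optional[int] = None  # 1: trivial .. 10: expert-level; advisory only, see rate()

    def __post_init__(self) -> None:
        _check_scale("criticality", self.criticality)
        _check_scale("exposure", self.exposure)
        if self.difficulty is not None:
            _check_scale("difficulty", self.difficulty)


def risk_score(finding: Finding) -> int:
    """Combine criticality and exposure into a 1..100 score.

    Difficulty is deliberately left out: a public tool released after the
    report would lower it, and nobody goes back to update the table, so a
    score that depended on it would silently go stale.
    """
    return finding.criticality * finding.exposure


# Band thresholds are an assumption for this example; agree them with the
# customer and state them in the report's methodology section.
BANDS = ((50, "high"), (20, "medium"), (1, "low"))


def risk_band(score: int) -> str:
    """Map a 1..100 score onto the qualitative low/medium/high bands."""
    for floor, label in BANDS:
        if score >= floor:
            return label
    raise ValueError("score must be at least 1")


def rate(finding: Finding) -> dict:
    """Produce one report row; difficulty travels as a separate advisory
    field so the headline band survives a later drop in difficulty."""
    score = risk_score(finding)
    return {
        "title": finding.title,
        "score": score,
        "band": risk_band(score),
        "difficulty": finding.difficulty,
    }


if __name__ == "__main__":
    # Constructed sample findings for the demonstration.
    findings = [
        Finding("Weak SSH password on Internet-facing host", criticality=7, exposure=10, difficulty=2),
        Finding("Buffer overflow in internal service", criticality=9, exposure=4, difficulty=9),
        Finding("Version banner on intranet web server", criticality=1, exposure=3),
    ]
    for row in map(rate, findings):
        print(row)
    print("ALE for a 20%/year, $10k loss:", annual_loss_expectancy(0.2, 10_000))
```

Because `risk_score` multiplies only criticality and exposure, re-rating the overflow finding after an exploit appears (difficulty 9 dropping to 2) changes the advisory field but leaves its band unchanged, which is the property the report table needs if nobody will revise it afterwards.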
 
-----Original Message-----
From: RSMC [mailto:smcsoc@yahoo.es]
Sent: Montag, 31. Oktober 2005 14:57
To: pen-test@securityfocus.com
Subject: Risk metrics

Hi,

As OSSTMM states, "Reports must use only qualitative
metrics for gauging risks based on industry accepted
methods".
What metrics are more suitable to use in pen-testing
services?

Thanks in advance,

Rafael San Miguel Carrasco

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:07 EDT