RE: Risk metrics

From: Michael Gargiullo (mgargiullo@pvtpt.com)
Date: Wed Nov 02 2005 - 10:49:31 EST


I agree with Marc completely.

Only the company can give you those numbers. It's management's job to
determine what their assets are, and the costs involved if they lose those
assets.

You, as the Pen Tester, cannot determine what the value of a certain
machine or service is to the company.

You can, however, tell them what the low-hanging fruit is, and take a
best guess as to what their "Crown Jewels" are. So you'd go for the SQL
server, and the Active Directory, and the RADIUS server, etc...

As for explaining difficulty, if you have in-depth knowledge of how the
vulnerability works, and of whether an exploit is in the wild (proofs of
concept count), you can state explicitly: "At this moment in time, this is
difficult to exploit, but that could change tomorrow." Remember,
vulnerability scans and pen tests are a snapshot (a moment in time).
Networks change: some change yearly, some change monthly, and some
networks change hourly.

-Mike

-----Original Message-----
From: Marc Heuse [mailto:Marc.Heuse@nruns.com]
Sent: Tuesday, November 01, 2005 3:22 AM
To: 'RSMC'; pen-test@securityfocus.com
Subject: RE: Risk metrics

Hi,

If there were standard metrics, they would have been in the guide :-)

To be serious: in risk management there are standard metrics.
The most used one is to determine the Likelihood and Impact of a risk.
These are then described as low/medium/high (or very low, low, medium,
high, critical; or ... well, you get the picture). Or you put values in
there, e.g. the likelihood that it happens once a year is 20%, and the
impact would be $10k. This is then called Expected Annual Loss, or Annual
Loss Expectancy. And then there is CRAMM (a British standard) which uses
values from 1-10 for these.

Basically it is very hard to use likelihood and impact in a pentest
report. Who can convince everyone that the likelihood of exploitation of
a weak password is xx%? It just doesn't work. Then the impact - if you
are not working within the company for whom you are performing the
pentest, it is very, very hard to have an idea of the costs.

So for pentesting - especially when providing pentest services - other
metrics are needed. But there are no standards for that.
From my philosophy and experience there are just a few helpful metrics:
criticality of a vulnerability (a metric like 1: harmless information
gathering, to 10: remote control of a complete network/infrastructure),
and level of exposure (e.g. 1: controlled keyboard access only,
10: Internet connection without filtering).
Some customers also want to know the difficulty level to exploit, or the
knowledge level required by the attacker (e.g. 1: needs to be able
to move a mouse, 10: strong reverse engineering, assembler coding,
machine-level knowledge on several platforms etc. required). But this
is a trap - if there is a tool or exploit which you don't know of, or which
is released some days/weeks later, the difficulty drops - but nobody will
update a table in a report in return.

Cheers,
Marc

====================================================================
Marc Heuse
n.runs GmbH
Mobile Phone: +49-160-98925941
Key fingerprint = AE3F CDC0 8C7B 8797 BEAC 4BF8 EC8F E64B 0A84 EA10
====================================================================
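Marc's two pentest metrics (criticality and exposure on 1..10 scales), the ALE calculation from the risk-management part, and the difficulty trap, as an added Python example that is not part of this thread. The sample findings, the product-based risk score and the difficulty-adjusted score are constructed assumptions for illustration, not anything Marc or the list proposed.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Finding:
    """One pentest finding on Marc's 1..10 scales (values below are constructed)."""
    name: str
    criticality: int  # 1: harmless info gathering .. 10: remote control of the whole network
    exposure: int     # 1: controlled keyboard access only .. 10: unfiltered Internet access
    difficulty: int   # 1: can move a mouse .. 10: reverse engineering/assembler on several platforms

    def __post_init__(self):
        for value in (self.criticality, self.exposure, self.difficulty):
            if not 1 <= value <= 10:
                raise ValueError(f"{self.name}: scale values must be 1..10, got {value}")


def risk_score(f: Finding) -> int:
    """Stable ranking key: criticality x exposure (1..100). Difficulty is left out."""
    return f.criticality * f.exposure


def difficulty_adjusted_score(f: Finding) -> float:
    """Volatile ranking key: the same score discounted by attacker difficulty."""
    return risk_score(f) / f.difficulty


def rank(findings, key=risk_score):
    """Order findings for the report, highest score first."""
    return sorted(findings, key=key, reverse=True)


def exploit_released(f: Finding) -> Finding:
    """The trap Marc describes: a public tool appears and difficulty drops to 1."""
    return replace(f, difficulty=1)


def annual_loss_expectancy(annual_likelihood: float, impact: float) -> float:
    """Risk-management ALE: a 20% chance per year of a $10k loss gives $2k per year."""
    return annual_likelihood * impact


# Constructed sample findings, not results from any real test.
FINDINGS = [
    Finding("weak admin password on Internet-facing RADIUS", 8, 10, 3),
    Finding("version banner on internal file server", 1, 3, 1),
    Finding("unpatched RCE on internal SQL server", 10, 4, 9),
]
```

Ranking by risk_score is unchanged after exploit_released() is applied to the SQL server finding, while the difficulty-adjusted order moves that finding to the top, which is exactly why a difficulty column in a static report goes stale.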
 
-----Original Message-----
From: RSMC [mailto:smcsoc@yahoo.es]
Sent: Monday, 31 October 2005 14:57
To: pen-test@securityfocus.com
Subject: Risk metrics

Hi,

As OSSTMM states, "Reports must use only qualitative
metrics for gauging risks based on industry accepted
methods".
What metrics are more suitable to use in pen-testing
services?

Thanks in advance,

Rafael San Miguel Carrasco

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:07 EDT