
Penetration Testing mailing list archives

RE: assessing IIS 5.0
From: "Butler, Theodore" <Theodore.Butler () EssexCorp com>
Date: Tue, 5 Sep 2006 12:01:14 -0400

Vijay,

The risk will be determined by the threat, and value of the associated
asset (web server and its content) coupled with its vulnerability. Risk
= Threat x Vulnerability (likelihood of threat's success) x Cost (Value
to replace). The vulnerability is only one part and only you know the
other 2 aspects.


You need to answer some questions like:

Is the web server in a DMZ, Honeypot, secured portion of the network?
These items help determine the threat level.

Vulnerability is heavily determined by degree of exposure and its
frequency (Is this always the case?)

Cost is influenced by impact.  If the web server is compromised, will
business shut down or simply inconvenience everyone?  How sensitive is
the data (salaries, trade secrets, or simply inventory)?

My suggestion is to gather all these elements to compute the risk and of
course test to validate your findings.

Ted B, CISSP


-----Original Message-----
From: vijay shetti [mailto:vijay.shetti () gmail com] 
Sent: Monday, September 04, 2006 3:59 AM
To: pen-test () securityfocus com
Subject: assessing IIS 5.0

Hello all!!

During web assessment of one of our clients I came to know that IIS 5.0
has internal IP address disclosure vuln...
But what to do next? What rank should I give it, is it a medium risk or
low risk?


regards,
Vijay
