Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Level of Exploitation
From: "Anthony Cicalla" <anthony.cicalla () gmail com>
Date: Fri, 5 Dec 2008 12:32:47 -0800

exploitable sql injection is severe or level 5 regarding pci compliance.

On Fri, Dec 5, 2008 at 11:19 AM, Shenk, Jerry A
<jshenk () decommunications com> wrote:
<soapbox mode>
I hate to "pile on" but this plea to avoid the "high" rating can't be
overstated.  I have seen a lot of reports that rated things as high that
didn't give up ANY information.  One gave a login prompt on a firewall a
high risk.  Digging into it, the username was some crazy 15 characters
or something and a decent password.  There's nothing "rating room" left
if they actually compromise a host.  It's the whole "boy who cried wolf"
story
</soapbox mode>

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Matthew Zimmerman
Sent: Thursday, December 04, 2008 9:12 AM
To: Adriel T. Desautels
Cc: pentestr; pen-test () securityfocus com
Subject: Re: Level of Exploitation

On Wed, Dec 3, 2008 at 2:59 PM, Adriel T. Desautels
<ad_lists () netragard com> wrote:
What level of access were you able to gain with SQL Injection?

Yah, and where? ;)

Seriously though, since your client is the Federal Government, if
we're talking about non-classified non-national-security systems, then
they're going to be following NIST requirements.  Look at NIST 800-30
[1] for guidance on how to apply risk ratings to vulnerabilities.  I
assume the "level of exploitation" is the amount of risk to the
agency.

And please don't rate items as "high" because it makes you look good
to the executives.  Rate them for what they're worth.  Risks are in
relation to the agency, not to the system.  (Meaning a system with a
FIPS 199 risk level of Moderate cannot possibly have a vulnerability
that is a High risk to the agency.)

[1] - http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

Matt Z

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------


**DISCLAIMER
This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which 
they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the 
intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the 
message. If you have received this communication in error, please notify the sender and delete this e-mail message. 
The contents do not represent the opinion of D&E except to the extent that it relates to their official business.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------





-- 
Anthony,

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault