Penetration Testing mailing list archives

RE: Level of Exploitation
From: "GT GERONIMO, Frederick Joseph B." <fbgeronimo () globetel com ph>
Date: Fri, 12 Dec 2008 10:44:37 +0800

I guess what Egon is saying is that an Auditor would first need to know
the classification of data, and what importance the company gives to
each classification of data. Definitely, data that are most important
(ex. Top Secret, Confidential, etc.) should have more protection;
therefore, any vulnerabilities that would leave those data would most
likely have a High Risk rating. But, for some companies, risk is
computed with likelihood as one factor, which may lower the risk
rating of a vulnerability (ex. Calamity that destroys two redundant

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Egon Braun
Sent: Thursday, December 11, 2008 8:43 PM
To: pen-test () securityfocus com
Subject: Re: Level of Exploitation

I have learned with experience that
what makes a flaw in a computer environment a HIGH PRIORITY FLAW is the
one that compromises the INFORMATION, not the server.

Servers can always be replaced, reconfigured, updated and so on. You
can always (as a last option) unplug it.

However, it is the information that we from the security area should be
focused on.

What is more important for General Motors?
To have one dept. without internet because of a DoS attack, or to have its
new car drawings stolen by a cracker?

I consider HIGH, just the flaw that could give access to the information
of the company, the others are always MEDIUM or LOW.

Of course, this tip does not apply to every case.
For example, in a shopping mall public internet area, the HIGH PRIORITY
is to have the internet access ALWAYS ON. There is no information to be

And we have lots of other cases ...

The best is to feel the company and think about what is the "treasure" of
the client, and try to protect it best.

We from IT like to protect servers because we love computers, but often
the problem is not in the servers but within people, policies, etc.
Egon Braun <mundoalem () gmail com>



