Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Level of Exploitation
From: ArcSighter <arcsighter () gmail com>
Date: Fri, 12 Dec 2008 09:33:14 -0500

Hash: SHA1

GT GERONIMO, Frederick Joseph B. wrote:
I guess what Egon is saying is that an Auditor would need to know first
the classification of data, and what importance the company gives to
each classification of data. Definitely, data that are most important
(ex. Top Secret, Confidential, etc.) should have more protection,
therefore, any vulnerabilities that would leave those data would most
likely have a High Risk rating. But, for some companies, risk is
computed for, with likelihood as one factor, which may lower the risk
rating of a vulnerability (ex. Calamity that destroys two redundant

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Egon Braun
Sent: Thursday, December 11, 2008 8:43 PM
To: pen-test () securityfocus com
Subject: Re: Level of Exploitation

I have learned with experience that
what makes a flaw in a computer environment a HIG PRIORITY FLAW is the
one that compromises the INFORMATION, not the server.

Servers can always be replaced, reconfigured, updated and so one. You
can always (in a last
option) to unplug it.

However, is the information that we from the security area should be
focused on.

What is more important for General Motors?
To have one dept. without internet because a DoS attack or to have its
new cars drawing stolen be a cracker?

I consider HIGH, just the flaw that could give access to the information
of the company, the others are always MEDIUM or LOW.

Of course, this tip does not apply to every case.
For example, in a shopping mall plublic internet area, the HIG PRIORITY
is to have the internet access ALWAYS ON. There is no information to be

And we have lots of other cases ...

The best is to feel the company and think about what is the "tresure" of
the client, and try to protect best it.

We from IT like to protect servers because we love computers, but often
the problem is not in the servers but within people, policies, etc.
Egon Braun <mundoalem () gmail com>
Egon Braun <mundoalem () gmail com>

This e-mail message (including attachments, if any) is intended for the use of the individual or the entity to whom 
it is addressed and may contain information that is privileged, proprietary, confidential and exempt from disclosure. 
If you are not the intended recipient, you are notified that any dissemination, distribution or copying of this 
communication is strictly prohibited. If you have received this communication in error, please notify the sender and 
delete this E-mail message immediately.

This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now


Besides pen-tester, once in time I was performing as network
administrator. I think the Auditor's job is to assess vulnerability
risk. not data risk. The company and its incident response team should
have established a politic that reflects all related with risk
assessment, politics, and incident response, the value of data,
downtime, etc. The auditor's job is to evaluate how a vulnerability
could compromise the security of the network and hosts, actually in your
terms: integrity of WHATEVER data the servers or workstations hold, not
to probe anything beyond that. And contrary to your thinkings,
pen-testers estimate the flaw only by its implications; for example, if
the external security could be circumvented and ANY workstation INSIDE
the internal LAN is compromised, that would be a HIGH PRIORITY
vulnerability, even in the case that the workstation only holds games;
that host could be used as a gateway or abused in it's trust
relationships to compromise other workstations/servers, those where the
information is actually valuable.

Version: GnuPG v1.4.6 (GNU/Linux)


This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]