RE: mapping vulnerabilities into high medium low risk

From: Earl Sammons (ESammons@technicacorp.com)
Date: Wed Sep 17 2003 - 11:35:28 EDT


icat http://icat.nist.gov/icat.cfm (a CVE front-end) does it as described
below. I'm sure there are other/better/worse ways... just an example.

-Earl

A vulnerability is "high severity" if:
   1. it allows a remote attacker to violate the security protection of a system (i.e. gain some sort of user or root account),
   2. it allows a local attack that gains complete control of a system,
   3. it is important enough to have an associated CERT/CC advisory.
A vulnerability is "medium severity" if:
   1. it does not meet the definition of either "high" or "low" severity.
A vulnerability is "low severity" if:
   1. the vulnerability does not typically yield valuable information or control over a system but instead gives the attacker knowledge that may help the attacker find and exploit other vulnerabilities,
   2. we feel that the vulnerability is inconsequential for most organizations.

-----Original Message-----
From: thomasng@bigfella.is-a-geek.net
To: pen-test@securityfocus.com
Sent: 9/17/03 4:09 AM
Subject: mapping vulnerabilities into high medium low risk

Hi,

Anyone know any open source methodology about categorizing vulnerabilities? When doing a Pen Test, I need to categorize a particular vulnerability into high, medium or low risk. These vulnerabilities may be a web application vulnerability or may be a new system vuln that has yet to be discovered. So is there any open source methodology that gives you a guide to how to categorize the vuln?

 

Rgds

Thomas

------------------------------------------------------------------------

---
FREE Trial!
New for security consultants and in-house pros: FOUNDSTONE PROFESSIONAL 
and PROFESSIONAL TL software. Fast, reliable vulnerability assessment 
technology powered by the award-winning FoundScan engine. Try it free
for  21 days at:
http://www.securityfocus.com/sponsor/Foundstone_pen-test_030825
------------------------------------------------------------------------
----


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:40 EDT