Re: mapping vulnerabilities into high medium low risk

From: Rob J Meijer (rmeijer@xs4all.nl)
Date: Wed Sep 17 2003 - 17:47:44 EDT


On Wed, 17 Sep 2003 thomasng@bigfella.is-a-geek.net wrote:

> Hi,
>
> Anyone know any open source methodology about categorizing
> vulnerabilities? When doing a Pen Test, I need to categorize a particular
> vulnerability into high, medium or low risk. These vulnerabilities may be a
> web application vulnerability or may be a new system vuln that has yet to
> be discovered. So is there any open source methodology that gives you a
> guide to how to categorize the vuln?
>

Pen testing and risk assessment don't quite fit in the same category of
security issues, although they could complement each other;
unfortunately this is not often done.

Within a risk assessment a vulnerability is a potential way from a hostile
party to an asset.
Without deep knowledge of the behaviour of hostile parties, their interest
in the assets, and the cost and worth associated with such a party accessing
the asset, or creating the loss of (access to) such an asset, knowledge
about the vulnerability itself gained within the pen-test is only a small
amount of the knowledge needed to come to a usable result.

Further, risk is a multi-dimensional stochastic variable, so the high/
medium/low classification will not be of much use. Classifying risk
into a small set of classes might not always be as simple as you might at
first think. You should at least use a minimum of two dimensions,
cost and probability, when classifying risk into such small sets of classes.

This means you get, in your case, nine classes of risk:

1) Low probability/Low cost
2) Low probability/Med cost
3) Low probability/High cost
4) Med probability/Low cost
5) Med probability/Med cost
6) Med probability/High cost
7) High probability/Low cost
8) High probability/Med cost
9) High probability/High cost

This remains, however, still a rather crude classification with limited use.

You must accept that risk assessment is not just a nice 'add-on' to
a pen test; it is at least as big a field of security as
pen testing, if not bigger.

With pen-testing being quite a different class of security than risk
assessment, and finding people with both skills proving mostly
impossible, combining these two becomes more of a communication problem:
getting pen testers and risk assessment folks to talk, and more importantly
to understand a bit about the other's mindframe, in order to get some
information flowing between the two.

I am currently working on a document about using risk assessment for
incident policy creation and automated incident policy enforcement,
and have found, working on the overlap between security subfields, that
the number of people willing or able to look beyond the scope of their
particular subfield of security is apparently rather small.
Often and sadly the organisation of companies is such that risk assessment
people and incident response people don't even know that the other exists
within their company, and I fear the same will possibly go for
pen-testing.

I am however sure that the combination of fields is indeed required to
come to results that are actually usable. This in fact is my reason for
writing that particular document.
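The following is an added example, not code from the post or from its author: it shows the two-dimensional (probability x cost) classification described above, mapping each finding onto the nine classes in the order the post lists them, and contrasts that with a one-dimensional expected-loss score. The probability and cost thresholds, and the two sample findings, are constructed values chosen for illustration; a real assessment would set them from the organisation's own asset valuations and threat data.

```python
from dataclasses import dataclass

# Ordered levels; index 0..2 is used to compute the 1..9 class number
# in the same order as the post's list (probability-major, cost-minor).
LEVELS = ("Low", "Med", "High")


def bucket(value: float, low_max: float, med_max: float) -> str:
    """Map a numeric value to Low/Med/High using two inclusive upper bounds."""
    if value <= low_max:
        return "Low"
    if value <= med_max:
        return "Med"
    return "High"


def classify(probability: float, cost: float,
             prob_bounds=(0.10, 0.50),          # assumed: <=10% Low, <=50% Med
             cost_bounds=(10_000, 100_000)):    # assumed: <=10k Low, <=100k Med
    """Return (class number 1..9, label) for a finding on the 3x3 grid.

    Class numbering follows the post: 1 = Low probability/Low cost,
    3 = Low probability/High cost, 7 = High probability/Low cost, 9 = High/High.
    """
    p_level = bucket(probability, *prob_bounds)
    c_level = bucket(cost, *cost_bounds)
    number = LEVELS.index(p_level) * 3 + LEVELS.index(c_level) + 1
    return number, f"{p_level} probability/{c_level} cost"


def expected_loss(probability: float, cost: float) -> float:
    """One-dimensional collapse of the two dimensions: probability * cost."""
    return probability * cost


@dataclass(frozen=True)
class Finding:
    name: str           # constructed identifier, not a real vulnerability
    probability: float  # estimated annual probability of exploitation
    cost: float         # estimated loss if exploited, in currency units


# Constructed sample findings. They are deliberately chosen so that their
# expected losses are nearly equal while their grid classes differ.
SAMPLE_FINDINGS = (
    Finding("rare-but-catastrophic", probability=0.05, cost=500_000),
    Finding("frequent-but-cheap", probability=0.80, cost=30_000),
)


def compare(findings=SAMPLE_FINDINGS) -> dict:
    """Classify each finding both ways and report whether the 1-D score
    would put them in the same bucket while the 3x3 grid separates them."""
    rows = {}
    for f in findings:
        number, label = classify(f.probability, f.cost)
        rows[f.name] = {
            "grid_class": number,
            "grid_label": label,
            "expected_loss": expected_loss(f.probability, f.cost),
        }
    losses = [r["expected_loss"] for r in rows.values()]
    classes = {r["grid_class"] for r in rows.values()}
    # "Same bucket" for the 1-D score: within 10% of each other (assumed rule).
    one_d_same = max(losses) - min(losses) <= 0.10 * max(losses)
    return {"rows": rows, "one_d_same_bucket": one_d_same,
            "grid_separates": len(classes) == len(rows)}


if __name__ == "__main__":
    result = compare()
    for name, row in result["rows"].items():
        print(f"{name:24} class {row['grid_class']} ({row['grid_label']}), "
              f"expected loss {row['expected_loss']:,.0f}")
    print("1-D score lumps them together:", result["one_d_same_bucket"])
    print("3x3 grid keeps them apart:     ", result["grid_separates"])
```

The point of the two sample findings is the one the post makes: a single ranking (here, expected loss) treats a rare catastrophe and a frequent nuisance as equivalent, whereas the probability/cost grid keeps them in different classes so that different controls can be assigned to each.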
