RE: mapping vulnerabilities into high medium low risk

From: Omar Herrera (oherrera@prodigy.net.mx)
Date: Wed Sep 17 2003 - 22:36:38 EDT


This is the best approach in my opinion: let the client decide what is
high, medium or low for him, because, no matter how much we know about
security, clients will always know their business better.

Using a quantitative approach (time and financial loss components) might
be one way to help the client determine their vulnerability impact
levels; however, there are some complex organizations where a
qualitative approach might be better. Also, information is not the only
thing that could be analyzed; processes are usually taken into account
as well.

A qualitative classification might look like this:

HIGH - If the vulnerability could affect the whole organization (main
business process or information)
MEDIUM - If the vulnerability could affect supporting activities of
business or areas of the organization
LOW - If the vulnerability could affect individuals, including private
information and activities that are not necessarily related to business

You would guide your client on the security implications of each kind of
vulnerability, but he/she would still decide what goes where (involving
the client in these assessments increases accuracy... unless you perform
the pentest as part of some kind of audit, where their opinion might
impair the results).

You might still be facing lots of vulnerabilities of each type in each
level; in this case you might as well add another dimension to
increase granularity. This is usually quantitative; for example:
probability of occurrence, financial loss, time required to recover...

Omar Herrera
 
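One way to implement the two-dimensional scheme described in the reply above (a qualitative HIGH/MEDIUM/LOW label chosen by the scope the client assigns, then a quantitative expected-loss figure built from probability, financial loss and recovery time to order findings within a level). This is an added Python example, not code from the thread; the finding names, probabilities, loss figures and the per-hour recovery cost are constructed placeholder values that a real client would supply.

```python
from dataclasses import dataclass

# Qualitative levels exactly as the post defines them, keyed by the scope
# of what the vulnerability could affect. The client decides the scope.
SCOPE_LEVELS = {
    "organization": "HIGH",    # whole organization: main process or information
    "supporting": "MEDIUM",    # supporting activities or areas of the business
    "individual": "LOW",       # individuals, private information, non-business
}
LEVEL_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

@dataclass
class Finding:
    name: str
    scope: str              # one of SCOPE_LEVELS; assigned by the client
    probability: float      # client's estimate of probability of occurrence, 0..1
    financial_loss: float   # direct financial loss if exploited
    recovery_hours: float   # time required to recover

def qualitative_level(f: Finding) -> str:
    """First dimension: the HIGH/MEDIUM/LOW label derived from the chosen scope."""
    if f.scope not in SCOPE_LEVELS:
        raise ValueError(f"unknown scope {f.scope!r}; expected {sorted(SCOPE_LEVELS)}")
    return SCOPE_LEVELS[f.scope]

def expected_loss(f: Finding, hourly_cost: float) -> float:
    """Second dimension: probability x (direct loss + cost of recovery time).
    hourly_cost is the client's (assumed) figure for one hour of outage/recovery."""
    return f.probability * (f.financial_loss + f.recovery_hours * hourly_cost)

def rank_findings(findings, hourly_cost: float):
    """Order by qualitative level first, then by expected loss within a level,
    so several MEDIUMs stay distinguishable without changing their label."""
    return sorted(
        findings,
        key=lambda f: (LEVEL_ORDER[qualitative_level(f)], -expected_loss(f, hourly_cost)),
    )

# Constructed sample findings with assumed client-supplied figures (not from the thread).
SAMPLE = [
    Finding("SQL injection in order system", "organization", 0.6, 250_000, 48),
    Finding("XSS on HR intranet", "supporting", 0.4, 5_000, 4),
    Finding("weak password on one workstation", "individual", 0.8, 500, 2),
    Finding("default credentials on backup server", "supporting", 0.5, 80_000, 24),
]

if __name__ == "__main__":
    for f in rank_findings(SAMPLE, hourly_cost=1_000):
        print(f"{qualitative_level(f):6} {expected_loss(f, 1_000):>10,.0f}  {f.name}")
```

Note that the LOW finding keeps its label even though its probability is the highest in the sample: the quantitative figure only refines the order inside a level the client has already set.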

-----Original Message-----
From: Robert E. Lee [mailto:robert@dyadsecurity.com]
Sent: Wednesday, September 17, 2003 11:39 a.m.
To: pen-test@securityfocus.com
Subject: RE: mapping vulnerabilities into high medium low risk

> Anyone know any open source methodology about categorizing
> vulnerabilities? When doing a Pen Test, I need to categorize a
> particular vulnerability into high medium or low risk. These
> vulnerabilities may be a web application vulnerability or may be a new
> system vuln that has yet to be discovered. So is there any open source
> methodology that gives you a guide to how to categorize the vuln?
 
High/medium/low risk definitions in the documentation after a pen-test
tend to be subjective and change depending on the individual client. A
way to classify vulnerabilities in a High/Medium/Low format is to first
understand the information criticality to the organization you are
testing, and then create consistent definitions that include time and
financial loss components. The definitions provide the context to
understand why it is a High/Medium/Low problem for that organization.
 
...




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:40 EDT