Date: Fri, 27 Feb 2009 08:03:46 -0600
From: "J. Oquendo" <sil@...iltrated.net>
To: Thierry Zoller <Thierry@...ler.lu>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Apple Safari ... DoS Vulnerability

On Fri, 27 Feb 2009, Thierry Zoller wrote:

> 
> If we want to arrive at a state where risk can be managed, it needs
> to be measured. And if we aren't that far in 2009 I pity us all.

One of the most difficult tasks in risk management has always
been the measurement factorability. Many books have been published,
almost all give differing points of view on quantitative, qualitative,
"theoretical" postures and we can continue to puke on the math.

Security Metrics (which happens to be an excellent book) is
probably one of the most insane topics with regards to security
management. We can never get to a degree of real world numbers
because everyone's view will be different. So let's place this
Safari bug for example as a high impact and use CVSS as a guide:

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Base Score	10
Impact Subscore	10
Exploitability Subscore 10
CVSS Temporal Score 9
CVSS Environmental Score 9.4
Modified Impact Subscore 10
Overall CVSS Score 9.4

Now how can I place this into the equation of my current
infrastructure's security posture? No one here uses a Mac,
let alone Safari for Windows, so technically this doesn't
affect me. However, from time to time, we may have a vendor
come in, get thrown on a network after connecting to a NAC
device; at that instance should I revamp the numbers? Surely
I'm placed at risk.

It's easy to say "if we aren't that far in X"; hell, we aren't
far enough to have IPv6 fully deployed after so many years,
let alone for the security community to be able to come up
with a definitive risk metric scale. The problem is, who
is doing the math - compounded by terms like "risk appetite"
and fuzzy math tricksters. "Risk Appetite" - sorry, my stomach
is full. It's a horrendous concept.

Pick your poisonous organization: ISACA, ISC2, OGC. They
will all give you a methodology into measurement practices,
and almost certainly all can be tweaked like a magician
with a sleight of hand to make the most extreme exploit look
harmless and the most harmless look extreme.

By the way, I'm now selling a Risk Management and Scoring
tool for $19.99 that will allow you to enter a program and
define what you think the risk is. The program will allow
you to pick your target: CIO, CEO, CSO. It will then go
out and create a custom chart to maximize your budgetary
request or downplay a potential threat.

What's going on, Thierry, Mike.


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"Enough research will tend to support your
conclusions." - Arthur Bloch

"A conclusion is the place where you got
tired of thinking" - Arthur Bloch

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
