Message-ID: <20090227140346.GA80587@infiltrated.net>
Date: Fri, 27 Feb 2009 08:03:46 -0600
From: "J. Oquendo" <sil@...iltrated.net>
To: Thierry Zoller <Thierry@...ler.lu>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Apple Safari ... DoS Vulnerability
On Fri, 27 Feb 2009, Thierry Zoller wrote:
>
> If we want to arrive at a state where risk can be managed, it needs
> to be measured. And if we aren't that far in 2009 I pity us all.
One of the most difficult tasks in risk management has always
been the measurement factorability. Many books have been published,
almost all give differing points of view on quantitative, qualitative,
"theoretical" postures and we can continue to puke on the math.
Security Metrics (which happens to be an excellent book) is
probably one of the most insane topics with regards to security
management. We can never get to a degree of real world numbers
because everyone's view will be different. So let's place this
Safari bug for example as a high impact and use CVSS as a guide:
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS Base Score 10
Impact Subscore 10
Exploitability Subscore 10
CVSS Temporal Score 9
CVSS Environmental Score 9.4
Modified Impact Subscore 10
Overall CVSS Score 9.4
Now how can I place this into the equation of my current
infrastructure's security posture? No one here uses a Mac,
let alone Safari for Windows so technically this doesn't
affect me. However, from time to time, we may have a vendor
come in, get thrown on a network after connecting to a NAC
device, at that instance should I revamp the numbers? Surely
I'm placed at risk.
It's easy to say "if we aren't that far in X"; hell, we aren't
far enough to have IPv6 fully deployed after so many years
let alone for the security community to be able to come up
with a definitive risk metric scale. The problem is, who
is doing the math - compounded by terms like "risk appetite"
and fuzzy math tricksters. "Risk Appetite"? Sorry, my stomach
is full. It's a horrendous concept.
Pick your poisonous organization, ISACA, ISC2, OGC. They
will all give you a methodology into measurement practices
and almost certainly all can be tweaked like a magician
with a sleight of hand to make the most extreme exploit look
harmless and the most harmless look extreme.
By the way, I'm now selling a Risk Management and Scoring
tool for $19.99 that will allow you to enter a program and
define what you think the risk is. The program will allow
you to pick your target: CIO, CEO, CSO. It will then go
out and create a custom chart to maximize your budgetary
request or downplay a potential threat.
What's going on Thierry, Mike.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP
"Enough research will tend to support your
conclusions." - Arthur Bloch
"A conclusion is the place where you got
tired of thinking" - Arthur Bloch
227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/