lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20090227140346.GA80587@infiltrated.net>
Date: Fri, 27 Feb 2009 08:03:46 -0600
From: "J. Oquendo" <sil@...iltrated.net>
To: Thierry Zoller <Thierry@...ler.lu>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Apple Safari ... DoS Vulnerability

On Fri, 27 Feb 2009, Thierry Zoller wrote:

> 
> If we want to arrive at a state where risk can be managed, it needs
> to be measured. And if we aren't that far in 2009 I pity us all.

One of the most difficult tasks in risk management has always
been the measurement factorability. Many books have been published,
almost all give differing points of view on quantitative, qualitative,
"theoretical" postures and we can continue to puke on the math.

Security metrics (which happens to be an excellent book) is
probably one of the most insane topics with regards to security
management. We can never get to a degree of real world numbers
because everyone's view will be different. So let's place this
Safari bug for example as a high impact and use CVSS as a guide:

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Base Score	10
Impact Subscore	10
Exploitability Subscore 10
CVSS Temporal Score 9
CVSS Environmental Score 9.4
Modified Impact Subscore 10
Overall CVSS Score 9.4

Now how can I place this into the equation of my current
infrastructure's security posture? No one here uses a MAC
let alone Safari for Windows so technically this doesn't
affect me. However, from time to time, we may have a vendor
come in, get thrown on a network after connecting to a NAC
device, at that instance should I revamp the numbers? Surely
I'm placed at risk.

It's easy to say "if we aren't that far in X" hell we aren't
far enough to have IPv6 fully deployed after so many years
let alone for the security community to be able to come up
with a definitive risk metric scale. The problem is, who
is doing the math - compounded by terms like "risk appetite"
and fuzzy math tricksters. "Risk Appetite" sorry my stomach
is full. It's a horrendous concept.

Pick your poisonous organization, ISACA, ISC2, OGC. They
will all give you a methodology into measurement practices
and almost certainly all can be tweaked like a magician
with a slight of hand to make the most extreme exploit look
harmless and the most harmless look extreme.

By the way, I'm now selling a Risk Management and Scoring
tool for $19.99 that will allow you to enter a program and
define what you think the risk is. The program will allow
you to pick your target: CIO, CEO, CSO. It will then go
out and create a custom chart to maximize your budgetary
request or downplay a potential threat.

What's going on Thierry, Mike.


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"Enough research will tend to support your
conclusions." - Arthur Bloch

"A conclusion is the place where you got
tired of thinking" - Arthur Bloch

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ