Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Nessus-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Nessus Risk Rating Discussion Part Deux

from [Paul Johnston] Network Security [Permanent Link]
Subject: Re: Nessus Risk Rating Discussion Part Deux
Date: Mon, 21 Feb 2005 15:26:28 +0000 
Hi,

True. These are details which should be accounted for. I use a
ranking model that relates default versus non-default
configurations as part of likelihood (along w/ known or unknown
exploit/POC).

Ok, I'd be interested to know more about your model and how you developed it. If the risk rating is lessened to account for "default config not exploitable", how does this hold up when a vul scan demonstrates an exploitable configuration is in use?

Other ones to think about would be remote versus
local, user account needed versus anonymous/no account, etc. There
will always be vulnerabilities that are hard to describe. This is
not trying to create a taxonomy for vulnerabilities; this is
trying to detail the risks a bit more. A bit more IMO would be
better than what's going on now.


Wise words... it is easy to get carried away on such discussions. So, lets think about what structured information we'd want for each plugin:

Impact
Confidentiality/Integrity/Availability??
With this, both "server type & version" and "directory traversal" would be "confidentiality", probably not granular enough. And what about SQL injection? It's impractical to tell if this affects integrity without doing a manual audit. Something different probably required.

Class of Attacker
0 (anyone) -> 10 (NSA only)

Difficulty of attack
Requires:
users to be dumb? (e.g. phishing)
user interaction? (e.g. XSS)
credentials?
many attempts before success? (e.g. brute forcing return address)
This one is very hard to get a handle on!

If you don't like Nessus's rating, then roll your
own! That should keep discussions down to better logic :)


Not sure that's particularly constructive, but anyway...

you can put the value in relating the objective issues (likelihood
= remote; non-default configuration; no known exploit -- produces =
arbitrary access to the root account) to a company's subjective
setup (Low/Medium/High/Whatevr risk because blah blah blah). I
can't think of an automated tool that does that right now, knowing


I think FoundStone has a quantitative/automated way of doing this. Perhaps you could get an eval license to take a look?

Regards,

Paul

--
Paul Johnston, GSEC
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul@westpoint.ltd.uk
web: www.westpoint.ltd.uk

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  find_service.nes hanging on 2.2.3 linux, Matthew Romanek
Next by Date:  Re: Nessus Risk Rating Discussion Part Deux, Jon Passki
Previous by Thread:  Re: Nessus Risk Rating Discussion Part Deux, Jon Passki
Next by Thread:  Re: Nessus Risk Rating Discussion Part Deux, Jon Passki
Indexes:  [Date] [Thread] [Top] [All Lists]