Full Disclosure mailing list archives
Re: Apple Safari ... DoS Vulnerability
From: "J. Oquendo" <sil () infiltrated net>
Date: Fri, 27 Feb 2009 08:03:46 -0600
On Fri, 27 Feb 2009, Thierry Zoller wrote:
> If we want to arrive at a state where risk can be managed, it needs to be measured. And if we aren't that far in 2009 I pity us all.
One of the most difficult tasks in risk management has always been the measurement factorability. Many books have been published; almost all give differing points of view on quantitative, qualitative, "theoretical" postures, and we can continue to puke on the math. Security Metrics (which happens to be an excellent book) is probably one of the most insane topics with regards to security management. We can never get to a degree of real-world numbers because everyone's view will be different. So let's place this Safari bug, for example, as a high impact and use CVSS as a guide:

AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS Base Score 10
Impact Subscore 10
Exploitability Subscore 10
CVSS Temporal Score 9
CVSS Environmental Score 9.4
Modified Impact Subscore 10
Overall CVSS Score 9.4

Now how can I place this into the equation of my current infrastructure's security posture? No one here uses a Mac, let alone Safari for Windows, so technically this doesn't affect me. However, from time to time we may have a vendor come in and get thrown on a network after connecting to a NAC device; at that instance, should I revamp the numbers? Surely I'm placed at risk. It's easy to say "if we aren't that far in X"; hell, we aren't far enough to have IPv6 fully deployed after so many years, let alone for the security community to be able to come up with a definitive risk metric scale. The problem is who is doing the math - compounded by terms like "risk appetite" and fuzzy-math tricksters. "Risk appetite"? Sorry, my stomach is full. It's a horrendous concept. Pick your poisonous organization: ISACA, ISC2, OGC. They will all give you a methodology for measurement practices, and almost certainly all can be tweaked, like a magician with a sleight of hand, to make the most extreme exploit look harmless and the most harmless look extreme.

By the way, I'm now selling a Risk Management and Scoring tool for $19.99 that will allow you to enter a program and define what you think the risk is.
The program will allow you to pick your target: CIO, CEO, CSO. It will then go out and create a custom chart to maximize your budgetary request or downplay a potential threat.

What's going on, Thierry, Mike.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"Enough research will tend to support your conclusions." - Arthur Bloch
"A conclusion is the place where you got tired of thinking" - Arthur Bloch

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
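Added example, not part of Oquendo's post or the list archive: a small CVSS v2 calculator using the formulas and metric weights from the CVSS v2 specification. It reproduces the base, temporal and environmental numbers quoted in the post from the vector AV:N/AC:L/Au:N/C:C/I:C/A:C, and then varies the one environmental metric that encodes the question Oquendo asks (how many of my assets are actually exposed): Target Distribution. The temporal vector (E:POC/RL:U/RC:C) and the Collateral Damage Potential value (CDP:MH) are assumptions chosen so that the calculator lands on the quoted 9.0 and 9.4; the post does not state which values were used.

```python
"""CVSS v2 base / temporal / environmental calculator.

Added example, not code from the original post. Weights and formulas are
those of the CVSS v2 specification; the temporal and CDP values used in
the worked example below are assumptions, not taken from the post.
"""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2 specification.
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
    # temporal metrics (ND = Not Defined)
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},
    # environmental metrics
    "CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},
    "TD": {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},
    "CR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
    "IR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
    "AR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
}
BASE_METRICS = ("AV", "AC", "Au", "C", "I", "A")


def round1(x):
    """The spec's round_to_1_decimal: half up, not Python's banker's rounding."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector):
    """'AV:N/AC:L/Au:N/C:C/I:C/A:C[/E:.../TD:...]' -> {'AV': 'N', ...}."""
    metrics = {}
    for part in vector.split("/"):
        name, _, value = part.partition(":")
        if name not in WEIGHTS or value not in WEIGHTS[name]:
            raise ValueError(f"unknown CVSS v2 metric {part!r}")
        metrics[name] = value
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"base metrics missing from vector: {missing}")
    return metrics


def _w(m, name):
    """Weight of a metric; optional metrics default to Not Defined."""
    return WEIGHTS[name][m.get(name, "ND")]


def _base_from(impact, exploitability):
    if impact == 0:
        return 0.0                       # f(Impact) = 0 when nothing is impacted
    return round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * 1.176)


def score(vector):
    """Base, temporal and environmental scores (plus subscores) for a v2 vector.

    With temporal/environmental metrics left Not Defined, temporal == base
    and environmental == temporal, as the spec requires.
    """
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - _w(m, "C")) * (1 - _w(m, "I")) * (1 - _w(m, "A")))
    exploitability = 20 * _w(m, "AV") * _w(m, "AC") * _w(m, "Au")
    base = _base_from(impact, exploitability)

    temporal_factor = _w(m, "E") * _w(m, "RL") * _w(m, "RC")
    temporal = round1(base * temporal_factor)

    # Environmental: re-weight each impact component by how much this
    # environment cares about that property (CR/IR/AR), cap at 10, rebuild
    # base and temporal from it, then apply collateral damage (CDP) and the
    # fraction of the environment that is actually exposed (TD).
    adj_impact = min(10.0, 10.41 * (1 - (1 - _w(m, "C") * _w(m, "CR"))
                                      * (1 - _w(m, "I") * _w(m, "IR"))
                                      * (1 - _w(m, "A") * _w(m, "AR"))))
    adj_temporal = round1(_base_from(adj_impact, exploitability) * temporal_factor)
    environmental = round1((adj_temporal + (10 - adj_temporal) * _w(m, "CDP")) * _w(m, "TD"))

    return {
        "base": base,
        "impact": round1(impact),            # displayed rounded, so 10.0 not 10.0008
        "exploitability": round1(exploitability),
        "temporal": temporal,
        "adjusted_impact": round1(adj_impact),
        "environmental": environmental,
    }


SAFARI = "AV:N/AC:L/Au:N/C:C/I:C/A:C"          # the vector quoted in the post
# Assumed, not given in the post: public PoC, no fix, confirmed report, and
# medium-high collateral damage. These reproduce the quoted 9.0 and 9.4.
TEMPORAL = "/E:POC/RL:U/RC:C"
CDP = "/CDP:MH"


def posture(td):
    """Environmental score of the Safari vector for one Target Distribution value."""
    return score(SAFARI + TEMPORAL + CDP + "/TD:" + td)["environmental"]


if __name__ == "__main__":
    print(score(SAFARI + TEMPORAL + CDP + "/TD:H"))
    for td, label in (("H", "whole estate runs Safari"),
                      ("N", "nobody here runs Safari"),
                      ("L", "occasional vendor laptop behind the NAC")):
        print(f"TD:{td:<2} {label:<40} environmental = {posture(td)}")
```

The base score (10.0) is a property of the bug; everything that makes it a number about a particular network lives in the environmental metrics. TD:N gives 0.0 for the estate with no Safari, and TD:L (under 25% exposed) gives 2.4 for the occasional vendor laptop, against 9.4 when the whole estate is exposed, so the vector can be re-scored per environment without changing the base or temporal numbers.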
Current thread:
- Re: Apple Safari ... DoS Vulnerability Michael Krymson (Feb 26)
- Re: Apple Safari ... DoS Vulnerability Thierry Zoller (Feb 26)
- Re: Apple Safari ... DoS Vulnerability Michal Zalewski (Feb 26)
- <Possible follow-ups>
- Re: Apple Safari ... DoS Vulnerability Thierry Zoller (Feb 27)
- Re: Apple Safari ... DoS Vulnerability J. Oquendo (Feb 27)
- Re: Apple Safari ... DoS Vulnerability Michal Zalewski (Feb 27)
- Re: Apple Safari ... DoS Vulnerability Jeremy Brown (Feb 27)
- Re: Apple Safari ... DoS Vulnerability Valdis . Kletnieks (Feb 27)
- Re: Apple Safari ... DoS Vulnerability Michal Zalewski (Feb 27)
- Re: Apple Safari ... DoS Vulnerability J. Oquendo (Feb 27)