Penetration Testing mailing list archives
Re: Level of Exploitation
From: "Matthew Zimmerman" <mzimmerman () gmail com>
Date: Thu, 4 Dec 2008 09:12:21 -0500
On Wed, Dec 3, 2008 at 2:59 PM, Adriel T. Desautels <ad_lists () netragard com> wrote:
> What level of access were you able to gain with SQL Injection?
Yah, and where? ;)

Seriously though, since your client is the Federal Government, if we're talking about non-classified non-national-security systems, then they're going to be following NIST requirements. Look at NIST 800-30 [1] for guidance on how to apply risk ratings to vulnerabilities. I assume the "level of exploitation" is the amount of risk to the agency.

And please don't rate items as "high" because it makes you look good to the executives. Rate them for what they're worth. Risks are in relation to the agency, not to the system. (Meaning a system with a FIPS 199 risk level of Moderate cannot possibly have a vulnerability that is a High risk to the agency.)

[1] - http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

Matt Z