Penetration Testing mailing list archives

Re: Level of Exploitation


From: "Matthew Zimmerman" <mzimmerman () gmail com>
Date: Thu, 4 Dec 2008 09:12:21 -0500

On Wed, Dec 3, 2008 at 2:59 PM, Adriel T. Desautels
<ad_lists () netragard com> wrote:
> What level of access were you able to gain with SQL Injection?

Yah, and where? ;)

Seriously though, since your client is the Federal Government, if
we're talking about non-classified non-national-security systems, then
they're going to be following NIST requirements.  Look at NIST 800-30
[1] for guidance on how to apply risk ratings to vulnerabilities.  I
assume the "level of exploitation" is the amount of risk to the
agency.

And please don't rate items as "high" because it makes you look good
to the executives.  Rate them for what they're worth.  Risks are in
relation to the agency, not to the system.  (Meaning a system with a
FIPS 199 risk level of Moderate cannot possibly have a vulnerability
that is a High risk to the agency.)

[1] - http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

Matt Z
