EH-Net Forum (Ethical Hacking Discussions and Related Certifications / Web Applications)
Topic: Calculating risk POST assessment?
ethicalhack3r
« on: March 12, 2010, 07:24:19 AM »

Hi,
This applies to both Network pen testing and web application assessments.

I was wondering if there had been any work done on calculating risk POST web app assessment or network pen testing?

There are a number of risks I can think of POST assessment:

0day vulnerabilities
Missed bugs due to time constraints
The skill/experience of the tester/s
Missed bugs due to tool/s not functioning as expected

Any help with this is much appreciated.

Thank you.
hayabusa
« Reply #1 on: March 12, 2010, 07:31:11 AM »

I'm not sure if I've seen a study or data, specific to this.  But you're absolutely correct, with regards to the possibilities you could run into, POST assessment.

Tester's skill level, 0days, time constraints, and even machines left out (intentionally or unintentionally) from the scope of the test are ALL items which could spring up.  Additionally, new services / servers / apps (web or not) are stood up at clients all the time, and folks make changes to their local machine configurations, etc.

While there's never going to be perfection in a penetration test, the key is finding and validating as much as possible, reliably, in the time permitted, and within the scope and accepted procedures to which you've agreed. 

If you find measured data from a reliable source, please feel free to post it here.  It's always interesting to see what others have to say, in this regard.

~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCP , GPEN, C|EH
Ketchup
« Reply #2 on: March 12, 2010, 10:05:17 AM »

This is not really my area, but I think that this is a very business-specific exercise. I would approach this as a business impact exercise and assign some sort of qualitative numbering system to each one of those and the systems they affect. I don't know if it is possible to quantify something like this and assign a dollar amount, for example. I think that it is a manual effort, perhaps with the aid of some risk assessment software. I also think that you would have to get more specific than just "0day attacks." For example, a 0day DDoS attack can have a different impact on an application and revenue loss than a 0day XSS attack.

~~~~~~~~~~~~~~
Ketchup
ethicalhack3r
« Reply #3 on: March 12, 2010, 10:31:28 AM »

The unreleased OSSTMM v3.0 has a section (2.8 Error Handling) which gives information on calculating Auditor error. The acronym they use is TERM (Test Error Risk Margin). This calculation is carried out by the Auditor himself, which of course is a biased view; however, if this is stated, TERM is still useful.

This still leaves:

0days
Scope
Future changes to the tested environment
Possibly more?
ajohnson (aka dynamik)
« Reply #4 on: April 03, 2010, 09:04:37 AM »

Are you limiting this just to hacking-related attacks, or are you more interested in assessing risk for all your information systems? A comprehensive risk assessment includes much more than what you mentioned. Even if you are just concerned with web apps/web servers, there is much more to consider. There are issues with availability, environment, employees (intentional/accidental damage), change management, etc. If you're interested, NIST Special Publication 800-30 is an excellent guide if that's what you're looking for: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

I like this book as well: http://www.amazon.com/Security-Risk-Assessment-Handbook-Assessments/dp/0849329981/ref=sr_1_1?ie=UTF8&s=books&qid=1270303390&sr=8-1

You will ideally perform an RA at least annually. We work primarily with financial institutions, which are required to do so. I would assume only a small percentage of other businesses actually adhere to that recommendation.
« Last Edit: April 03, 2010, 09:06:50 AM by dynamik »

WIP: OSCP | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.
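Ketchup's "qualitative numbering system" and the NIST SP 800-30 guide ajohnson links both come down to the same arithmetic: a likelihood weight multiplied by an impact magnitude, bucketed into a risk level. The following is an added example written for this page, not code from the thread, from OSSTMM or from NIST. The likelihood weights, impact magnitudes and risk bands are the ones tabulated in the risk-determination step (section 3.7) of the 2002 edition of SP 800-30; the `Finding` type, the function names, the sample findings and the coverage-gap notes are this example's own constructed data and assumptions.

```python
# Added example for this thread (not code from EH-Net, OSSTMM or NIST):
# qualitative risk rating of assessment findings using the likelihood and
# impact weights from NIST SP 800-30 (2002), section 3.7 (risk determination).
# The sample findings and the scope-gap notes below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Threat-likelihood weights and impact magnitudes as tabulated in SP 800-30.
LIKELIHOOD: Dict[str, float] = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT: Dict[str, int] = {"low": 10, "medium": 50, "high": 100}


@dataclass
class Finding:
    name: str
    likelihood: str  # "low" | "medium" | "high"
    impact: str      # "low" | "medium" | "high"


def risk_score(likelihood: str, impact: str) -> float:
    """Likelihood weight x impact magnitude, on SP 800-30's 1..100 scale."""
    return round(LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()], 2)


def risk_level(score: float) -> str:
    """SP 800-30 risk-scale bands: Low 1-10, Medium >10-50, High >50-100."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def rate_findings(findings: List[Finding]) -> List[Tuple[str, float, str]]:
    """Score every finding and return (name, score, level), highest risk first."""
    rated = []
    for f in findings:
        score = risk_score(f.likelihood, f.impact)
        rated.append((f.name, score, risk_level(score)))
    # sorted() is stable, so equal scores keep their input order.
    return sorted(rated, key=lambda r: r[1], reverse=True)


def summarize(rated: List[Tuple[str, float, str]]) -> Dict[str, int]:
    """Count findings per risk level (always reports all three bands)."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for _, _, level in rated:
        counts[level] += 1
    return counts


def build_report(findings: List[Finding], gaps: List[str]) -> dict:
    """Ratings plus the residual-risk sources the matrix cannot score."""
    rated = rate_findings(findings)
    return {"ratings": rated, "summary": summarize(rated), "coverage_gaps": list(gaps)}


# Constructed sample findings. A DoS exposure and an XSS bug land in different
# bands even though both could be called "0day": the matrix makes the tester
# rate likelihood and impact per finding, which is Ketchup's point.
SAMPLE_FINDINGS = [
    Finding("SQL injection in login form", "high", "high"),
    Finding("Reflected XSS in search parameter", "medium", "medium"),
    Finding("Verbose server banner", "high", "low"),
    Finding("DoS exposure on public API (no rate limiting)", "low", "high"),
]

# What the matrix cannot score: the post-assessment risks the thread lists.
# Constructed for this example; they are reported beside the ratings rather
# than silently folded into a number.
COVERAGE_GAPS = [
    "0day vulnerabilities in tested components",
    "bugs missed due to the 5-day time box",
    "3 hosts excluded from scope by the client",
]


if __name__ == "__main__":
    report = build_report(SAMPLE_FINDINGS, COVERAGE_GAPS)
    for name, score, level in report["ratings"]:
        print(f"{level:6} {score:6.1f}  {name}")
    print("Summary:", report["summary"])
    print("Unquantified residual risk:")
    for gap in report["coverage_gaps"]:
        print(" -", gap)
```

The score only covers findings the tester actually has. The residual-risk sources the thread is about (0days, bugs missed under time pressure, hosts left out of scope) never enter the matrix, which is why the report carries them as explicit coverage gaps next to the ratings instead of pretending the number accounts for them.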