HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 28 guests online
 
Advertisement

You are here: Home arrow Ethical Hacking Discussions and Related Certificationsarrow Web Applicationsarrow Calculating risk POST assesment?
EH-Net
May 24, 2013, 02:57:10 AM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Go back to The Ethical Hacker Network Online Magazine Home Page
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: Calculating risk POST assesment?  (Read 5251 times)
0 Members and 1 Guest are viewing this topic.
ethicalhack3r
Full Member
***
Offline Offline

Posts: 139


View Profile WWW
« on: March 12, 2010, 07:24:19 AM »
Hi,
This applies to both Network pen testing and web application assessments.

I was wondering if there had been any work done on calculating risk POST web app assessment or network pen testing?

There are a number of risks I can think of POST assessment:

0day vulnerabilities
Missed bugs due to time constraints
The skill/experience of the tester/s
Missed bugs due to tool/s not functioning as expected

Any help with this is much appreciated.

Thank you.
Logged
hayabusa
Hero Member
*****
Offline Offline

Posts: 1633



View Profile
« Reply #1 on: March 12, 2010, 07:31:11 AM »
I'm not sure if I've seen a study or data, specific to this.  But you're absolutely correct, with regards to the possibilities you could run into, POST assessment.

Tester's skill level, 0day's, time constraints, and even machines left out (intentionally or unintentionally) from the scope of the test are ALL items which could spring up.  Additionally, new services / servers / apps (web or not) are stood up at clients all the time, and folks make changes to their local machine configurations, etc.

While there's never going to be perfection in a penetration test, the key is finding and validating as much as possible, reliably, in the time permitted, and within the scope and accepted procedures to which you've agreed. 

If you find measured data from a reliable source, please feel free to post it here.  It's always interesting to see what others have to say, in this regard.
Logged
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

OSCE, OSCP , GPEN, C|EH
Ketchup
Hero Member
*****
Offline Offline

Posts: 1021



View Profile
« Reply #2 on: March 12, 2010, 10:05:17 AM »
This is not really my area, but I think that this is a very business specific exercise.   I would approach this as a business impact exercise and assign some sort of qualitative numbering system to each one of those and the systems they affect.   I don't know if it is possible to quantify something like this, and assign a dollar amount for example.   I think that it is a manual effort, perhaps with the aide of some risk assessment software.   I also think that you would have to get more specific than just "0day attacks."   For example, a 0day DDOS attack can have a different impact on an application and revenue loss than an 0day XSS attack. 
Logged
~~~~~~~~~~~~~~
Ketchup
ethicalhack3r
Full Member
***
Offline Offline

Posts: 139


View Profile WWW
« Reply #3 on: March 12, 2010, 10:31:28 AM »
The unreleased OSSTMM v3.0 has a section (2.8 Error Handling) which gives information on calculating Auditor error. The acronym they use is TERM (Test Error Risk Margin). This calculation is carried out by the Auditor himself which of course is a biased view however if this is stated, TERM is still useful.

This still leaves:

0days
Scope
Future changes to the tested environment
Possibly more?
Logged
ajohnson
Recruiters
Hero Member
*
Offline Offline

Posts: 1060


aka dynamik


View Profile WWW
« Reply #4 on: April 03, 2010, 09:04:37 AM »
Are you limiting this just to hacking-related attacks, or are you more interested in assess risk for all your information systems? A comprehensive risk assessment includes much more than what you mentioned. Even if you are just concerned with web apps/web servers, there is much more to consider. There are issues with availability, environment, employees (intentional/accidental damage), change management, etc. If you're interested, NIST Special Publication 800-30 is an excellent guide if that's what you're looking for: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

I like this book as well: http://www.amazon.com/Security-Risk-Assessment-Handbook-Assessments/dp/0849329981/ref=sr_1_1?ie=UTF8&s=books&qid=1270303390&sr=8-1

You will ideally perform an RA at least annually. We work primarily with financial institutions, which are required to do so. I would assume only a small percentage of other businesses actually adhere to that recommendation.
« Last Edit: April 03, 2010, 09:06:50 AM by dynamik » Logged
WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.054 seconds with 22 queries.
 
Exclusive Deal

sansfire13_245x90_cw90.jpg
SANSFIRE 2013
June 15 - 22

5% Off w/ Code: EHN_5

SANS Deals 4 EH-Netters
5% OFF Any SANS Course in Any Format!
Coupon Code: EHN_5 Including SANS Rocky Mountain 2013 & SANS Boston 2013
Polls
Compared to this year, 2013 will be:
 
Recent Forum Topics
EH-Net News Feeds
Latest Additions
 
         
Advertisement

© 2013 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.