.

Calculating risk POST assesment?

<<

ethicalhack3r

Full Member
Full Member

Posts: 139

Joined: Fri Nov 28, 2008 11:29 am

Post Fri Mar 12, 2010 8:24 am

Calculating risk POST assesment?

Hi,
This applies to both Network pen testing and web application assessments.

I was wondering if there had been any work done on calculating risk POST web app assessment or network pen testing?

There are a number of risks I can think of POST assessment:

0day vulnerabilities
Missed bugs due to time constraints
The skill/experience of the tester/s
Missed bugs due to tool/s not functioning as expected

Any help with this is much appreciated.

Thank you.
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Fri Mar 12, 2010 8:31 am

Re: Calculating risk POST assesment?

I'm not sure if I've seen a study or data, specific to this.  But you're absolutely correct, with regards to the possibilities you could run into, POST assessment.

Tester's skill level, 0day's, time constraints, and even machines left out (intentionally or unintentionally) from the scope of the test are ALL items which could spring up.  Additionally, new services / servers / apps (web or not) are stood up at clients all the time, and folks make changes to their local machine configurations, etc.

While there's never going to be perfection in a penetration test, the key is finding and validating as much as possible, reliably, in the time permitted, and within the scope and accepted procedures to which you've agreed. 

If you find measured data from a reliable source, please feel free to post it here.  It's always interesting to see what others have to say, in this regard.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Fri Mar 12, 2010 11:05 am

Re: Calculating risk POST assesment?

This is not really my area, but I think that this is a very business specific exercise.  I would approach this as a business impact exercise and assign some sort of qualitative numbering system to each one of those and the systems they affect.  I don't know if it is possible to quantify something like this, and assign a dollar amount for example.  I think that it is a manual effort, perhaps with the aide of some risk assessment software.  I also think that you would have to get more specific than just "0day attacks."  For example, a 0day DDOS attack can have a different impact on an application and revenue loss than an 0day XSS attack. 
~~~~~~~~~~~~~~
Ketchup
<<

ethicalhack3r

Full Member
Full Member

Posts: 139

Joined: Fri Nov 28, 2008 11:29 am

Post Fri Mar 12, 2010 11:31 am

Re: Calculating risk POST assesment?

The unreleased OSSTMM v3.0 has a section (2.8 Error Handling) which gives information on calculating Auditor error. The acronym they use is TERM (Test Error Risk Margin). This calculation is carried out by the Auditor himself which of course is a biased view however if this is stated, TERM is still useful.

This still leaves:

0days
Scope
Future changes to the tested environment
Possibly more?
<<

dynamik

Recruiters
Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Sat Apr 03, 2010 9:04 am

Re: Calculating risk POST assesment?

Are you limiting this just to hacking-related attacks, or are you more interested in assess risk for all your information systems? A comprehensive risk assessment includes much more than what you mentioned. Even if you are just concerned with web apps/web servers, there is much more to consider. There are issues with availability, environment, employees (intentional/accidental damage), change management, etc. If you're interested, NIST Special Publication 800-30 is an excellent guide if that's what you're looking for: http://csrc.nist.gov/publications/nistp ... 800-30.pdf

I like this book as well: http://www.amazon.com/Security-Risk-Ass ... 390&sr=8-1

You will ideally perform an RA at least annually. We work primarily with financial institutions, which are required to do so. I would assume only a small percentage of other businesses actually adhere to that recommendation.
Last edited by dynamik on Sat Apr 03, 2010 9:06 am, edited 1 time in total.
The day you stop learning is the day you start becoming obsolete.

Return to Web Applications

Who is online

Users browsing this forum: No registered users and 0 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software