|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Rafal 
IsHackingYou.com ()
Date: Tue Dec 09 2008 - 09:14:54 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
That's brilliant Dave - but where are you getting your numbers? Are you
using a public source, are you using top-secret ImmunityInc research or...?
I'd love to get that source if you're willing to share. It's all about real
numbers!
__
Rafal M. Los
IT Security - Response | Mitigation | Strategy
E-mail: rafal.atishackingyou.dotcom
- Blog: http://preachsecurity.blogspot.com
--------------------------------------------------
From: "Dave Aitel" <daveimmunityinc.com>
Sent: Tuesday, December 09, 2008 8:45 AM
To: <dailydavelists.immunityinc.com>
Subject: Re: [Dailydave] Faster, smashter.
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> One technique we're doing this week with a client is taking an attack
> tree and marking it up with dollar values. I.E. if you wanted to buy
> an 0day in X component, how much would it cost?
>
> This then is a simple summation to produce a "how much is it to get
> into the internal network from the internet" which the business can
> use to help them decide yay/nay on the project as a whole depending on
> their own view of the threat and the value of the information they are
> protecting.
>
> - -dave
>
>
> Halvar Flake wrote:
>> Hey all,
>>
>> It seems that discussions in ITsec are periodic -- the same
>> discussions and same arguments come up again and again.
>>
>> 1. Of course attackers use new vulnerabilities. It is the nature of
>> offense. Defense is done "to the maximum of current knowledge".
>> Offense, by it's nature, has to expand on the status quo.
>>
>> 2. How do you simulate an attack with a new vulnerability if you
>> don't have one ?
>>
>> Well, military folks do wargames all the time without actually
>> using up the arsenal they have on the shelves. Network attacks
>> should probably be done in a similar manner -- have an umpire, and
>> give the attacking team a few "0day cards". With these cards they
>> get high-probability code execution for a piece of software of
>> their choice.
>>
>> The pentest then proceeds like a game, but can be conducted on the
>> real network, too.
>>
>> But I am repeating myself ...
>>
>> Cheers, Halvar _______________________________________________
>> Dailydave mailing list Dailydavelists.immunitysec.com
>> http://lists.immunitysec.com/mailman/listinfo/dailydave
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFJPoSCtehAhL0gheoRAqofAJ0Yvic/Ro6dRr+xWLavp+DizANyAACfWUXc
> JRFeXEvy4EJeg5gkuXxC2ZU=
> =6PWU
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Dailydave mailing list
> Dailydavelists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>
_______________________________________________
Dailydave mailing list
Dailydavelists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]