Re: [Dailydave] Faster, smashter.

From: Jon Passki (jon.passki@hursk.com)
Date: Tue Dec 09 2008 - 13:55:07 CST


On Tue, Dec 9, 2008 at 11:45 PM, Dave Aitel <dave@immunityinc.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> One technique we're doing this week with a client is taking an attack
> tree and marking it up with dollar values. I.E. if you wanted to buy
> an 0day in X component, how much would it cost?
>
> This then is a simple summation to produce a "how much is it to get
> into the internal network from the internet" which the business can
> use to help them decide yay/nay on the project as a whole depending on
> their own view of the threat and the value of the information they are
> protecting.
>
> - -dave
>
>
Care to share the generalized outcome? Perhaps something like the client
chose a branch of 4 0days that had a value between $10,000 and $50,000?
Assuming you had a way to state x, y, & z 0days exist (even if you didn't
have access to them) with some level of certainty, then you probably have a
very valid method of at least quantifying exposure. Heck, depending upon
the level of certainty, I would pay you as a service to help me quantify my
clients' exposures.

Jon Passki
pgp: 1BB0 A946 927B 93C3 ED6A 0466 6692 6C2C 84BE 4122

_______________________________________________
Dailydave mailing list
Dailydave@lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave
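The costed attack tree Dave describes, worked through in code as an added example (this is not code from the thread or from Immunity). Every price and every node name below is a constructed placeholder chosen to make the arithmetic visible, not a market figure. AND nodes add up their children, which is the "simple summation" of the message; the rule that an OR node takes its cheapest branch, and that each leaf carries a low and a high estimate so the result comes out as a range like the one Jon asks about, are assumptions added here.

```python
"""Costed attack tree: estimate what it would cost to buy a path to a goal.

Added example, not from the Dailydave thread. All names and prices are
constructed placeholders. AND = every child is needed (costs sum);
OR = the attacker picks one child (cheapest branch wins, an assumption).
"""
from dataclasses import dataclass, field
from typing import List, Tuple, Union


@dataclass
class Leaf:
    name: str
    low: int   # cheapest plausible purchase price in USD (constructed)
    high: int  # most expensive plausible price in USD (constructed)


@dataclass
class Node:
    name: str
    op: str                                   # "AND" or "OR"
    children: List[Union["Node", Leaf]] = field(default_factory=list)


Estimate = Tuple[int, int, List[str]]         # (low, high, leaves on the path)


def cost(node: Union[Node, Leaf]) -> Estimate:
    """Return (low, high, leaf names) for the cheapest way to achieve `node`.

    For an AND node the attacker must buy every child, so both bounds sum.
    For an OR node the attacker buys only one child; we rank branches on
    their low estimate and carry that branch's high estimate along with it,
    so the returned range always describes a single coherent path.
    """
    if isinstance(node, Leaf):
        return node.low, node.high, [node.name]

    results = [cost(child) for child in node.children]
    if node.op == "AND":
        low = sum(r[0] for r in results)
        high = sum(r[1] for r in results)
        leaves = [name for r in results for name in r[2]]
        return low, high, leaves
    if node.op == "OR":
        return min(results, key=lambda r: r[0])
    raise ValueError(f"unknown operator {node.op!r} on node {node.name!r}")


def example_tree() -> Node:
    """Constructed tree: two alternative routes from the internet inward."""
    internal_0day = Leaf("0day in internal component Y", 10_000, 30_000)
    return Node("Reach internal network from the internet", "OR", [
        Node("Direct perimeter route", "AND", [
            Leaf("0day in perimeter component X", 40_000, 100_000),
            internal_0day,
        ]),
        Node("Client-side route", "AND", [
            Leaf("0day in client software Z", 8_000, 25_000),
            Leaf("Delivery infrastructure", 1_000, 3_000),
            internal_0day,
            Leaf("Persistence tooling", 2_000, 7_000),
        ]),
    ])


def report(node: Node) -> str:
    """Human-readable summary of the cheapest path for the business reader."""
    low, high, leaves = cost(node)
    lines = [f"{node.name}: ${low:,} to ${high:,} via {len(leaves)} purchases"]
    lines += [f"  - {name}" for name in leaves]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(example_tree()))
```

Running the script prints the cheapest route (the four-purchase client-side branch, $21,000 to $65,000 on these constructed numbers) and the leaves that make it up, which is the figure a business owner can weigh against the value of what sits behind the perimeter. Swapping the OR rule for "rank on the high estimate" gives a pessimistic reading instead; the tree structure stays the same.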