Virus.Org Mailing List Archive




Re: [Dailydave] Faster, smashter.

  • To: Dave Aitel <[EMAIL PROTECTED]>
  • Subject: Re: [Dailydave] Faster, smashter.
  • From: Halvar Flake <[EMAIL PROTECTED]>
  • Date: Tue, 09 Dec 2008 18:21:33 +0100
  • Cc: [EMAIL PROTECTED]
  • In-reply-to: <[EMAIL PROTECTED]>
  • References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
 
Hey all,

> One technique we're doing this week with a client is taking an attack
> tree and marking it up with dollar values. I.E. if you wanted to buy
> an 0day in X component, how much would it cost?
>
> This then is a simple summation to produce a "how much is it to get
> into the internal network from the internet" which the business can
> use to help them decide yay/nay on the project as a whole depending on
> their own view of the threat and the value of the information they are
> protecting.

Sounds quite reasonable. It's also one of the pro arguments for having
(public) vulnerability markets: They provide planners with price
information for attack tools, and thus allow more informed decisions.

Cheers,
Halvar
PS: I am not advocating unrestricted OTC vulnerability trading with this,
just pointing out that having pricing information publicly available
is very useful for planners.

_______________________________________________
Dailydave mailing list
[EMAIL PROTECTED]
http://lists.immunitysec.com/mailman/listinfo/dailydave
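
Added example, not part of the original message or of either poster's own tooling: a Python evaluation of the dollar-valued attack tree described in the quoted text. It goes beyond the "simple summation" by summing at AND nodes and taking the cheapest branch at OR nodes; the node names and prices are constructed for illustration.

```python
from dataclasses import dataclass, field, replace

@dataclass
class Node:
    name: str
    kind: str = "leaf"   # "leaf", "and" (every child needed), "or" (any one child)
    cost: int = 0        # dollar price of a leaf, e.g. a market quote
    children: list = field(default_factory=list)

def cheapest(node):
    """Return (cost, [leaf names]) for the cheapest way to reach `node`."""
    if node.kind == "leaf":
        return node.cost, [node.name]
    if not node.children:
        raise ValueError(f"{node.name}: inner node without children")
    results = [cheapest(child) for child in node.children]
    if node.kind == "and":   # every step must be bought: prices add up
        return (sum(cost for cost, _ in results),
                [leaf for _, leaves in results for leaf in leaves])
    if node.kind == "or":    # alternatives: the budget is set by the cheapest
        return min(results, key=lambda r: r[0])
    raise ValueError(f"{node.name}: unknown node kind {node.kind!r}")

def reprice(node, leaf_name, new_cost):
    """Copy of the tree with one leaf repriced, to model a mitigation."""
    if node.kind == "leaf":
        return replace(node, cost=new_cost) if node.name == leaf_name else node
    return replace(node, children=[reprice(c, leaf_name, new_cost)
                                   for c in node.children])

def sample_tree():
    # Constructed values; the components X, Y, Z are placeholders.
    return Node("internet to internal network", "or", children=[
        Node("chain through X then Y", "and", children=[
            Node("0day in component X", cost=80_000),
            Node("0day in component Y", cost=30_000),
        ]),
        Node("0day in component Z", cost=95_000),
    ])

if __name__ == "__main__":
    tree = sample_tree()
    print("baseline:", cheapest(tree))
    # Hardening Z raises its price; the cheapest route moves to the X+Y chain.
    print("Z hardened:", cheapest(reprice(tree, "0day in component Z", 150_000)))
```

Repricing one leaf and re-evaluating shows where the next dollar of defensive spend actually raises the total cost of entry, which is the decision input the quoted text describes.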

 