Re: [Dailydave] Faster, smashter.

["Jon Passki" <[EMAIL PROTECTED]>]

On Tue, Dec 9, 2008 at 11:45 PM, Dave Aitel <[EMAIL PROTECTED]> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

One technique we're doing this week with a client is taking an attack
tree and marking it up with dollar values. I.E. if you wanted to buy
an 0day in X component, how much would it cost?

This then is a simple summation to produce a "how much is it to get
into the internal network from the internet" which the business can
use to help them decide yay/nay on the project as a whole depending on
their own view of the threat and the value of the information they are
protecting.

- -dave

Care to share the generalized outcome?  Perhaps something like the client chose a branch of 4 0days that had a value between $10,000 and $50,000?  Assuming you had a way to state x, y, & z 0days exist (even if you didn't have access to them) with some level of certainty, then you probably have a very valid method of at least quantifying exposure.  Heck, depending upon the level of certainty, I would pay you as a service to help me quantify my clients' exposures.

Jon Passki
pgp: 1BB0 A946 927B 93C3 ED6A  0466 6692 6C2C 84BE 4122
_______________________________________________
Dailydave mailing list
[EMAIL PROTECTED]
http://lists.immunitysec.com/mailman/listinfo/dailydave