3 Replies Latest reply on Nov 30, 2011 10:19 AM by John M Sopp

    Vulnerability categorization-by impact?

    John M Sopp

      As we know, many vendors describe the business impact of a vulnerability as the potential of harm if an attack were to occur.

      Some Examples: Remote Code Execution, Information disclosure, etc...

      Turning a blind eye to the value of such metrics in an actionable sense:

      • Has anyone in the community been tasked with creating metrics based on these classifications?
      • Any tips on how to accomplish this?
      • Any tips on how to bend csc results to lend itself to this type of metric?


      -John

        • 1. Re: Vulnerability categorization-by impact?

          It's not really what you asked for, but you can report on vulnerabilities using their CVSS vector information.

          This was described in one of the recent brownbag sessions; I think it was the most recent one.


          J.

          • 2. Re: Vulnerability categorization-by impact?
            John M Sopp

            Thanks J, not completely what I'm looking for but thanks for the reply!

            I did submit a FMR for this, however, I will still need to devise an interim fix...so all help is still appreciated!

            I think the standardized metric most useful would be CVSS Impact type..

            Example below using CVE-2011-2429 from NVD....

            Vulnerability Summary for CVE-2011-2429

            Original release date: 09/22/2011

            Last revised: 10/26/2011

            Source: US-CERT/NIST

            Overview

            Adobe Flash Player before 10.3.183.10 on Windows, Mac OS X, Linux, and Solaris, and before 10.3.186.7 on Android, allows attackers to bypass intended access restrictions and obtain sensitive information via unspecified vectors, related to a "security control bypass

            Impact

            CVSS Severity (version 2.0):

            CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N)

            Impact Subscore: 2.9

            .....

            Impact Type: Allows unauthorized disclosure of information

            • 3. Re: Vulnerability categorization-by impact?
              John M Sopp

              For anyone else looking to do this, I created a homegrown method to categorize vulnerabilities into one or more of the following categories:

                • System Compromise
                • Elevation of Privilege
                • Denial of service
                • Unauthorized Information Disclosure
                • Content Spoofing
                • Session Hijacking
                • Man in the middle attack
                • Other

              Send me a private message or email if you would like to know how.
