Dailydave mailing list archives
Re: Vuln scoring system anyone?
From: Jason <security () brvenik com>
Date: Thu, 03 Mar 2005 00:18:59 -0600
At the risk of having to buy yet another flame retardant suit... All this rating crap means nothing to people doing real work in real places with real resource constraints and trying to solve real problems with real (limited) money.

All you have to do is ask a few simple questions.

0 - Do I use it?
    - No, sweet!
    - Yes, see #1.

1 - Is it remote?
    - No, see #2.
    - Yes!
        - Can I patch it?
            - No, well fsck! That sucks, turn up monitoring.
                - Can I mitigate it?
                    - No, well fsck. Make people pay attention. Wait for patch.
                    - Yes! Get it done soon.
            - Yes! Get it done soon.

2 - Is it local?
    - No, sweet! ( never a reality )
    - Yes!
        - Can I patch it?
            - No, well fsck! That sucks, turn up monitoring.
                - Can I mitigate it?
                    - No, well fsck. Make people pay attention. Wait for patch.
                    - Yes! Get it done soon.
            - Yes! Get it done soon.

A pretty flow chart might be nice but you get the point. Yeeeeaaaaah. There are a fsckload of incrementals in there but that is a factor of risk/reward and the tolerance of an organisation. Good luck getting everyone to agree on that!!!
When you start thinking about vulnerability risk at this level of abstraction, you also need to start thinking about variables associated with the asset. These let you postulate towards other data such as the attack preferences of a would-be attacker exploiting the issue. What is their tolerance to risk, and what additional resources does the attacker need to obtain to offset any inhibiting factors associated with a vulnerability (like needing to acquire an elevated level of initial access)? If we lived in a world of equals where everyone shared the same resource and knowledge, maybe you could start basing your risk assessment on data like this, but that is obviously not the case.

But if you figure that out... How do you differentiate between a system that a CEO uses and the system the admin to the CEO uses and the system a receptionist uses??? I can tell you which one I am going after but most (normal) people get that swag wrong when questioned.
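The decision flow in the post, written out as code so it can be run over a list of findings. This is an added example, not code from the post or from the Dailydave list; the Finding fields, the Action names and the asset_tier ranking are assumptions. It goes one step beyond the post's flow: since the remote and local branches ask the same two questions and give the same answers, remote-vs-local and an asset tier (the CEO's box vs. the receptionist's, as the reply asks) are used only to order the work, not to choose it.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    IGNORE = "not deployed here: nothing to do"
    PATCH = "patch available: get it done soon"
    MITIGATE = "no patch, mitigation available: apply it, get it done soon"
    MONITOR = "no patch, no mitigation: turn up monitoring and wait for the patch"


@dataclass(frozen=True)
class Finding:
    """One vulnerability as it applies to one asset (field names are assumptions)."""
    vuln_id: str
    asset: str
    in_use: bool              # question 0: do I use the affected component at all?
    remote: bool              # question 1 vs 2: reachable over the network, or local only?
    patch_available: bool
    mitigation_available: bool
    asset_tier: int = 3       # 1 = most important asset, 3 = least (assumed scale)


def triage(f: Finding) -> Action:
    """Walk the post's decision flow for a single finding."""
    if not f.in_use:
        return Action.IGNORE
    # The remote and local branches ask the same two questions; remote vs local
    # only changes how urgent the answer is, which plan() takes care of.
    if f.patch_available:
        return Action.PATCH
    if f.mitigation_available:
        return Action.MITIGATE
    return Action.MONITOR


def urgency(f: Finding) -> tuple:
    """Sort key: remote before local, then more important assets first."""
    return (0 if f.remote else 1, f.asset_tier, f.vuln_id, f.asset)


def plan(findings: list) -> list:
    """Return (vuln_id, asset, action) for everything that needs work, most urgent first."""
    todo = [f for f in findings if triage(f) != Action.IGNORE]
    return [(f.vuln_id, f.asset, triage(f)) for f in sorted(todo, key=urgency)]


# Constructed sample findings; the identifiers are placeholders, not real advisories.
SAMPLE = [
    Finding("VULN-A", "ceo-admin-ws", True, True, True, False, asset_tier=1),
    Finding("VULN-B", "reception-pc", True, True, False, True, asset_tier=3),
    Finding("VULN-C", "ceo-admin-ws", True, False, False, False, asset_tier=1),
    Finding("VULN-D", "build-server", False, True, True, True, asset_tier=2),
]

if __name__ == "__main__":
    for vuln_id, asset, action in plan(SAMPLE):
        print(f"{vuln_id:8} {asset:14} {action.value}")
```

Running it lists VULN-A first (remote, top-tier asset, patch available), then VULN-B (remote, low-tier asset, mitigate), then VULN-C (local, no patch or mitigation, so monitoring only); VULN-D drops out at question 0 because the component is not in use. The "incrementals" the post mentions live entirely in urgency(): that is the one function an organisation has to argue about, the flow itself does not change.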