Dailydave mailing list archives

Re: Vuln scoring system anyone?


From: Jason <security () brvenik com>
Date: Thu, 03 Mar 2005 00:18:59 -0600

At the risk of having to buy yet another flame retardant suit...

All this rating crap means nothing to people doing real work in real places with real resource constraints and trying to solve real problems with real (limited) money.

All you have to do is ask a few simple questions.

0 - Do I use it?
   - No, sweet!
   - Yes, see #1.

1 - Is it remote?
   - No, see #2.
   - Yes!
    - Can I patch it?
     - No, well fsck! That sucks, turn up monitoring.
      - Can I mitigate it?
       - No, well fsck. Make people pay attention. Wait for patch.
       - Yes! Get it done soon.
     - Yes! Get it done soon.

2 - Is it local?
   - No, sweet! ( never a reality )
   - Yes!
    - Can I patch it?
     - No, well fsck! That sucks, turn up monitoring.
      - Can I mitigate it?
       - No, well fsck. Make people pay attention. Wait for patch.
       - Yes! Get it done soon.
     - Yes! Get it done soon.

A pretty flow chart might be nice but you get the point.

Yeeeeaaaaah. There are a fsckload of incrementals in there but that is a factor of risk/reward and the tolerance of an organisation. Good luck getting everyone to agree on that!!!

When you start thinking about vulnerability risk at this level of
abstraction, you also need to start thinking about variables associated
with the asset. These let you postulate towards other data such as the
attack preferences of a would-be attacker exploiting the issue. What
is their tolerance to risk, what additional resources does the
attacker need to obtain to offset any inhibiting factors associated
with a vulnerability (like needing to acquire an elevated level of
initial access). If we lived in a world of equals where everyone
shared the same resource and knowledge, maybe you could start basing
your risk assessment on data like this, but that is obviously not the
case.

But if you figure that out...

How do you differentiate between a system that a CEO uses and the system the admin to the CEO uses and the system a receptionist uses??? I can tell you which one I am going after but most (normal) people get that swag wrong when questioned.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
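The triage questions in the post above, encoded as a small decision function. This is an added example written for this archive page, not code from the original thread; the ordering of the resulting worklist is an assumption noted in the code, and the sample findings are constructed.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    """One vulnerability as it applies to one environment (constructed fields)."""
    name: str
    in_use: bool                # Q0: do I use the affected software at all?
    remote: bool                # Q1: exploitable without existing access?
    patch_available: bool       # can I patch it?
    mitigation_available: bool  # can I mitigate it (config change, filter, ...)?

def triage(f: Finding) -> dict:
    """Walk the post's questions in order and return the resulting decision.

    A finding that is not remote falls through to Q2 (local), which the post
    treats as always answered "yes", so the same patch/mitigate branch applies.
    """
    if not f.in_use:
        return {"vector": None, "action": "ignore", "monitor": False}
    vector = "remote" if f.remote else "local"
    if f.patch_available:
        return {"vector": vector, "action": "patch soon", "monitor": False}
    # No patch: the post says turn up monitoring first, then look for a mitigation.
    if f.mitigation_available:
        return {"vector": vector, "action": "mitigate soon", "monitor": True}
    return {"vector": vector, "action": "wait for patch; make people pay attention", "monitor": True}

# Ordering is an assumption of this example: the post only fixes the question
# order (remote before local), so remote issues rank first, then unfixable ones.
_ACTION_RANK = {"wait for patch; make people pay attention": 0, "mitigate soon": 1,
                "patch soon": 2, "ignore": 3}

def worklist(findings):
    """Return (name, decision) pairs, most urgent first, dropping ignored ones."""
    decided = [(f.name, triage(f)) for f in findings]
    decided = [d for d in decided if d[1]["action"] != "ignore"]
    return sorted(decided, key=lambda d: (d[1]["vector"] != "remote", _ACTION_RANK[d[1]["action"]]))

# Constructed sample findings, not real advisories.
SAMPLE = [
    Finding("mail-relay overflow", in_use=True, remote=True, patch_available=False, mitigation_available=False),
    Finding("kernel local privesc", in_use=True, remote=False, patch_available=True, mitigation_available=True),
    Finding("web-app auth bypass", in_use=True, remote=True, patch_available=False, mitigation_available=True),
    Finding("unused fax daemon", in_use=False, remote=True, patch_available=False, mitigation_available=False),
]

if __name__ == "__main__":
    for name, decision in worklist(SAMPLE):
        print(f"{name:24} {decision['vector']:6} {decision['action']}  monitor={decision['monitor']}")
```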

