Dailydave mailing list archives
FW: The CrateMaster2000 of Security.
From: Des Ward <security () senticom co uk>
Date: Sun, 28 Jan 2007 10:27:40 +0000
The biggest issue with CVSS is that the environmental score is far too brief and confusing to make things workable. We need to ask a number of additional questions to get any kind of use out of the scoring mechanism. Take a remotely exploitable vulnerability that needs client interaction: only when changing the remotely exploitable score to no do you start getting an accurate score.

Rgds
Des

-----Original Message-----
From: "Ron Gula" <rgula () tenablesecurity com>
To: dailydave () lists immunitysec com
Sent: 27/01/07 12:50
Subject: Re: [Dailydave] The CrateMaster2000 of Security.

Robert Graham wrote:
--- Anton Chuvakin <anton () chuvakin org> wrote:

So, I am curious, how is CVSS like a CrateMaster 2000?

You can't create definitive metrics for things like this. Down the road from Singapore is Kuala Lumpur (KL), home to the Petronas Towers. After their completion in 1998, they were hailed as the "World's Tallest Building" (taking the honor away from the Sears Tower in Chicago). This designation depended upon changing the criteria for what it meant to be the world's tallest. You'd think that such criteria would be pretty simple and objective, just measure from top to bottom. In reality, it's complex because you can't define where the bottom is, where the top is, or even whether something is a building. After looking at the following diagram, you'll see why many people still consider the Petronas Towers quite a bit shorter than the Sears Tower: http://www.skyscraperpage.com/diagrams/?25384417

CVSS is the same way. It tries to reduce something to a single number (or set of numbers) that is inherently complex. It gives the appearance of scientific legitimacy to something that is as arbitrary as a game or movie review. ("I give this vuln two thumbs up!!!"). The fundamental problem with cyber-security metrics is that the things we can easily quantify are rarely interesting, and the things that are interesting are hard to quantify. The pseudo-science of security metrics goes ahead and quantifies them anyway.
I disagree. Regardless of how you measure the height of the Sears Tower and the Petronas Towers, they are both really, really tall and are easily the tallest buildings in their cities.

I'm happy with CVSS for classifying vulnerabilities. I agree there still is some subjectiveness to scoring a vulnerability, but most of this comes from how familiar or accurate a person performing the score is with it. And if there is disagreement with the score, the plugin values for how the score was computed are also available. I've seen some organizations say they will only fix vulns with scores larger than "x". I think that is short sighted, but better than nothing. I'd be more comfortable with lower scores for critical systems, systems that held certain types of sensitive data and so on.

Ron Gula, CTO
Tenable Network Security

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
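A worked CVSS calculation, added here as an example and not part of the thread. It assumes the January 2007 discussion refers to CVSS v1 (v2 was released in June 2007) and uses the v1 weights and formulas from that specification; the client-interaction metric vector is constructed. It shows why scoring a client-side bug "accurately" in v1 comes down to reclassifying AccessVector, since v1 has no user-interaction metric, and how coarse the two-metric environmental adjustment that Des complains about really is.

```python
from decimal import Decimal, ROUND_HALF_UP

# CVSS v1 metric weights (assumed: taken from the 2005 CVSS v1 specification,
# since this January 2007 thread predates CVSS v2).
AV = {"local": 0.7, "remote": 1.0}                   # AccessVector
AC = {"high": 0.8, "low": 1.0}                       # AccessComplexity
AU = {"required": 0.6, "not_required": 1.0}          # Authentication
IMPACT = {"none": 0.0, "partial": 0.7, "complete": 1.0}
BIAS = {"normal": (0.333, 0.333, 0.333),             # ImpactBias: (C, I, A) weights
        "confidentiality": (0.5, 0.25, 0.25),
        "integrity": (0.25, 0.5, 0.25),
        "availability": (0.25, 0.25, 0.5)}
CDP = {"none": 0.0, "low": 0.1, "medium": 0.3, "high": 0.5}   # CollateralDamagePotential
TD = {"none": 0.0, "low": 0.25, "medium": 0.75, "high": 1.0}  # TargetDistribution


def round1(x: float) -> float:
    """round_to_1_decimal from the spec, done half-up on the decimal value."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(av, ac, au, conf, integ, avail, bias="normal"):
    wc, wi, wa = BIAS[bias]
    impact = IMPACT[conf] * wc + IMPACT[integ] * wi + IMPACT[avail] * wa
    return round1(10 * AV[av] * AC[ac] * AU[au] * impact)


def environmental_score(temporal, cdp, td):
    """v1 environmental score: only two knobs, applied to the temporal score
    (which equals the base score when the temporal metrics are left undefined)."""
    return round1((temporal + (10 - temporal) * CDP[cdp]) * TD[td])


def client_side_scenario():
    """Constructed client-interaction bug: partial C/I/A, no auth, low complexity.
    v1 has no user-interaction metric, so the only ways to lower the score are to
    reclassify AccessVector (the 'change remote to no' trick) or AccessComplexity."""
    kw = dict(au="not_required", conf="partial", integ="partial", avail="partial")
    remote = base_score("remote", "low", **kw)
    return {
        "remote_low": remote,                                # 7.0
        "local_low": base_score("local", "low", **kw),       # 4.9
        "remote_high": base_score("remote", "high", **kw),   # 5.6
        # Same bug on a few low-value desktops vs. on every high-value host.
        "env_few_desktops": environmental_score(remote, "low", "low"),    # 1.8
        "env_crown_jewels": environmental_score(remote, "high", "high"),  # 8.5
    }


if __name__ == "__main__":
    for name, score in client_side_scenario().items():
        print(f"{name:18s} {score}")
```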
Current thread:
- The CrateMaster2000 of Security. Dave Aitel (Jan 25)
- Re: The CrateMaster2000 of Security. Anton Chuvakin (Jan 25)
- Re: The CrateMaster2000 of Security. andre (Jan 26)
- Re: The CrateMaster2000 of Security. Robert Graham (Jan 26)
- Re: The CrateMaster2000 of Security. Ron Gula (Jan 27)
- <Possible follow-ups>
- FW: The CrateMaster2000 of Security. Des Ward (Jan 28)
- Re: FW: The CrateMaster2000 of Security. Florian Weimer (Jan 30)
- Re: FW: The CrateMaster2000 of Security. Des Ward (Jan 30)
- Re: The CrateMaster2000 of Security. Anton Chuvakin (Jan 25)