Dailydave mailing list archives

FW: The CrateMaster2000 of Security.


From: Des Ward <security () senticom co uk>
Date: Sun, 28 Jan 2007 10:27:40 +0000

The biggest issue with CVSS is that the environmental score is far too brief and confusing to make things workable. We 
need to ask a number of additional questions to get any kind of use out of the scoring mechanism. Take a remotely 
exploitable vulnerability that needs client interaction: only when changing the remotely exploitable score to no do 
you start getting an accurate score.

Rgds

Des 

-----Original Message-----
From: "Ron Gula" <rgula () tenablesecurity com>
To: dailydave () lists immunitysec com
Sent: 27/01/07 12:50
Subject: Re: [Dailydave] The CrateMaster2000 of Security.

Robert Graham wrote:
> --- Anton Chuvakin <anton () chuvakin org> wrote:
>> So, I am curious, how is CVSS like a CrateMaster 2000?
>
> You can't create definitive metrics for things like this.
>
> Down the road from Singapore is Kuala Lumpur (KL), home to the
> Petronas Towers. After their completion in 1998, they were hailed as the
> "World's Tallest Building" (taking the honor away from the Sears Tower in
> Chicago). This designation depended upon changing the criteria for what it
> meant to be the world's tallest. You'd think that such criteria would be pretty
> simple and objective, just measure from top to bottom. In reality, it's complex
> because you can't define where the bottom is, where the top is, or even whether
> something is a building. After looking at the following diagram, you'll see why
> many people still consider the Petronas towers quite a bit shorter than the
> Sears Tower:
>
> http://www.skyscraperpage.com/diagrams/?25384417
>
> CVSS is the same way. It tries to reduce something to a single number (or set
> of numbers) that is inherently complex. It gives the appearance of scientific
> legitimacy to something that is as arbitrary as a game or movie review. ("I
> give this vuln two thumbs up!!!").
>
> The fundamental problem with cyber-security metrics is that the things we can
> easily quantify are rarely interesting, and the things that are interesting are
> hard to quantify. The pseudo-science of security metrics goes ahead and
> quantifies them anyway.

I disagree. Regardless of how you measure the height of the Sears Tower
and the Petronas Towers, they are both really, really tall and are
easily the tallest buildings in their cities.

I'm happy with CVSS for classifying vulnerabilities. I agree there still
is some subjectiveness to scoring a vulnerability, but most of this
comes from how familiar or accurate a person performing the score is
with it. And if there is disagreement with the score, the plugin-values
for how the score was computed are also available.

I've seen some organizations say they will only fix vulns with scores
larger than "x". I think that is short sighted, but better than nothing.
I'd be more comfortable with lower scores for critical systems, systems
that held certain types of sensitive data and so on.

Ron Gula, CTO
Tenable Network Security
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave