IDS mailing list archives

RE: Intrusion Risk Assessment


From: "Rob Shein" <shoten () starpower net>
Date: Mon, 6 Jan 2003 19:35:42 -0500

The problem with this is, define "damage."  IDS systems are not aware of
the nature of what they defend.  An IIS exploit might be utterly useless
against an apache web server, but the IDS is not intrinsically aware of
which servers are apache and which are IIS.  Add to that the fact that
such severity levels as "minor damage" or "minimal access to recover"
are dependent upon the information stored on a machine (which no current
IDS could ever be cognizant of) as well as the role of that machine.

-----Original Message-----
From: Robert_Huber () bankone com [mailto:Robert_Huber () bankone com] 
Sent: Monday, January 06, 2003 12:54 PM
To: focus-ids () securityfocus com
Subject: Intrusion Risk Assessment


Anyone know of any IDS risk assessment matrixes out there?  
I'm looking for something like the following:

Rating              Severity
1 No Damage         a. Not possible to exploit (or)
                    b. No damage (or)
                    c. Hoax

2 Harassment        a. Possible damage, unconfirmed (or)
                    b. Temporarily shuts down services and/or temporarily
                       prevents access to information

3 Minor Damage      a. Short-term impact (or)
                    b. Exploit allows access to view files (or)
                    c. Minimal effort required to recover

4 Moderate Damage   a. The exploit is easy to perform (or)
                    b. Important systems can be affected with administrative
                       compromise (or)
                    c. Exploit allows full access to files (or)
                    d. Long-term effects, significant effort may be required
                       to recover

5 Heavy Damage      a. The exploit is easy to perform (and)
                    b. An exploit will cause severe damage to multiple
                       computers (and/or)
                    c. Requires reinstallation or recovery from backup


Robert Huber
Bank One Information Security
Phone: 302-282-2234
Pager: 888-646-3502
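The point Rob makes above, that a sensor's rating is only meaningful once you know what software, data and role sit on the target, is what an asset-aware scoring step does. The following is an added example, not code from either poster: it applies the 1-5 matrix from Robert's message to a constructed asset inventory. The inventory, the Alert fields and the adjustment rules are assumptions made for illustration.

```python
"""Asset-aware scoring of IDS alerts against a 1-5 damage matrix.

Added example; the inventory, alert fields and adjustment rules are
assumptions, not part of any real IDS product.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed asset inventory: the context a sensor alone does not have.
ASSETS: Dict[str, Dict[str, str]] = {
    "10.0.0.5": {"software": "apache", "role": "public web", "data": "public"},
    "10.0.0.9": {"software": "iis", "role": "intranet web", "data": "confidential"},
    "10.0.0.12": {"software": "iis", "role": "payments", "data": "regulated"},
}


@dataclass
class Alert:
    sig: str               # signature name (constructed placeholder)
    target_software: str   # platform the signature's exploit applies to
    base_rating: int       # 1..5 from the matrix, as assigned by the sensor
    dst: str               # destination host of the attack


def score(alert: Alert, assets: Dict[str, Dict[str, str]] = ASSETS) -> Tuple[int, str]:
    """Return (adjusted 1-5 rating, reason) for an alert given asset context."""
    asset = assets.get(alert.dst)
    if asset is None:
        # No inventory entry: nothing to refine, keep the sensor's rating.
        return alert.base_rating, "unknown host: keep sensor rating"
    if asset["software"] != alert.target_software:
        # An exploit for software the host does not run cannot do damage:
        # matrix rating 1 ("Not possible to exploit").
        return 1, "exploit does not apply to target software"
    rating = alert.base_rating
    if asset["data"] in ("confidential", "regulated") and rating >= 3:
        # File access on sensitive data is at least "Moderate Damage".
        rating = max(rating, 4)
    if asset["role"] == "payments" and rating >= 4:
        # Administrative compromise of a critical role counts as "Heavy".
        rating = 5
    return min(rating, 5), "adjusted for asset context"


if __name__ == "__main__":
    a = Alert("web-sig-001", "iis", 3, "10.0.0.5")
    print(score(a))  # same signature, Apache host: downgraded to 1
```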


