IDS mailing list archives
RE: Intrusion Risk Assessment
From: Robert Buckley <rbuckley () synapsemail com>
Date: Tue, 7 Jan 2003 12:32:20 -0500
Many people like to use this equation: Scale from -10 through +10 (lethality + criticality) - (net_defense + host_defense) = attack success rate where lethality is the level of compromise the attack offers criticality defines the systems purpose, is it a core device or someone's workstation etc. net + host defense are self explanatory. I.e. Core Cisco router being attacked on the http port (There is a well known vulnerability here) (5 + 5) - ( 0 + 0 ) = 10 The probability of a successful attack is 10. It was a lethal attack, on a core device, where I had no net defense, nor any host defense. Let change the view... (5 + 5) - (5 + 5) = 0 The probability of a successful attack is 0. It was a lethal attack, on a core device, but I have acl's denying port 80 to this device, and the host doesn't run http services at all. One more example: netbios name mangling attack against a workstation (2 + 1) - (0 + 5) = -2 lethality is a denial of service, criticality is low because its a workstation I have no net defense but up to date on the patch that prevents the attack. The probability of success on this attack is -2 Of course, its up to the individual to put values on the parameters, so one analyst may have a different result than the next. Hope this helps you. rb. -----Original Message----- From: Rob Shein [mailto:shoten () starpower net] Sent: Monday, January 06, 2003 7:36 PM To: Robert_Huber () bankone com; focus-ids () securityfocus com Subject: RE: Intrusion Risk Assessment The problem with this is, define "damage." IDS systems are not aware of the nature of what they defend. An IIS exploit might be utterly useless against an apache web server, but the IDS is not intrinically aware of which servers are apache and which are IIS. Add to that the fact that such severity levels as "minor damage" or "minimal access to recover," are dependent upon the information stored on a machine (which no current IDS could ever be cognizant of) as well as the role of that machine.
-----Original Message----- From: Robert_Huber () bankone com [mailto:Robert_Huber () bankone com] Sent: Monday, January 06, 2003 12:54 PM To: focus-ids () securityfocus com Subject: Intrusion Risk Assessment Anyone know of any IDS risk assessment matrixes out there? I'm looking for something like the following: Rating Severity 1 No Damage a. Not possible to exploit (or) b. No damage (or) c. Hoax 2 Harassment a. Possible damage, unconfirmed (or) b. Temporarily shuts down services and/or temporarily prevents access to information 3 Minor Damage a. Short-term impact (or) b. Exploit allows access to view files (or) c. Minimal effort required to recover 4 Moderate Damage a. The exploit is easy to perform (or) b. Important systems can be effected with administrative compromise (or) c. Exploit allows full access to files (or) d. Long-term effects, significant effort may be required to recover 5 Heavy Damage a. The exploit is easy to perform (and) b. An exploit will cause severe damage to multiple computers (and/or) c. Requires reinstallation or recovery from backup Robert Huber Bank One Information Security Phone: 302-282-2234 Pager: 888-646-3502 ********************************************************************** This transmission may contain information that is privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you **********************************************************************
Current thread:
- Intrusion Risk Assessment Robert_Huber (Jan 06)
- RE: Intrusion Risk Assessment Rob Shein (Jan 07)
- Re: Intrusion Risk Assessment Herve Debar (Jan 07)
- <Possible follow-ups>
- RE: Intrusion Risk Assessment Alan Shimel (Jan 07)
- Re: Intrusion Risk Assessment Fernando Cardoso (Jan 07)
- RE: Intrusion Risk Assessment Robert Buckley (Jan 07)
- FW: Intrusion Risk Assessment Peter Schwarz (Jan 07)
- re[2]: Intrusion Risk Assessment Richard Bennison (Jan 08)
- re[2]: Intrusion Risk Assessment Ron Gula (Jan 10)
- RE: VA/IDS Integration (Was: RE: re[2]: Intrusion Risk Assessment) David J. Meltzer (Jan 10)
- re[2]: Intrusion Risk Assessment Ron Gula (Jan 10)
- RE: Intrusion Risk Assessment Nicole Nicholson (Jan 08)
- RE: Intrusion Risk Assessment Fengmin Gong (Jan 21)