Re: Vulnerability level definition

From: Per Niila Albinsson (perat_private)
Date: Tue Feb 11 2003 - 13:57:27 PST


    Hi
    
    Perhaps you could be helped by Vigilante's classification:
    
    ---cut starts here---
    High Risk 
    A high risk vulnerability provides direct access to an organization's private 
    assets, providing the potential for theft, deletion or alteration of those 
    assets. 
    
    Medium Risk 
    A medium risk vulnerability provides access to an organization's private 
    assets in combination with one or more other vulnerabilities. By exploiting 
    multiple medium risk vulnerabilities, an attacker will have the capability 
    for theft, deletion or alteration of an organization's assets. 
    
    
    VIGILANTe also considers denial-of-service attacks to be medium risk 
    vulnerabilities.
    
    Low Risk
    A low risk vulnerability does not lead directly to access of an 
    organization's private assets, but provides excessive information that 
    might help an attacker gain unauthorized access. 
    ---cut ends here---
    
    Source: http://www.vigilante.com/securescan/perimeter/sample_report/
    
    I do believe there would also be a need for classification of whether a 
    vulnerability could be exploited remotely and/or locally.
    
    There would also be a need for probability, which I do guess is very 
    subjective but does depend on the customer's environment. The probability 
    of someone exploiting a vulnerability would be large on a publicly 
    accessible server, medium for a server on the internal network, and low 
    on a network with no users.
    
    
    Best regards,
    
    Per Niila Albinsson
    
    
    
    On Tuesday 11 February 2003 17.40, artimanat_private wrote:
    > I need a good definition for the levels of severity related with
    > vulnerabilities
    > I'm using Very High, High, Mid, Low, Warning
    >
    > Any documentation, definition or Internet URL will be appreciated
    >
    > Tks
    >
    > Andres M
    >
    >
    >
    > ---------------------------------------------------------------------------
    >- This list is provided by the SecurityFocus Security Intelligence Alert
    > (SIA)
    > Service. For more information on SecurityFocus' SIA service which
    > automatically alerts you to the latest security vulnerabilities please see:
    > https://alerts.securityfocus.com/
    
    -- 
    =====================
    Per Niila Albinsson
    perat_private
    =====================
    
    



    This archive was generated by hypermail 2b30 : Tue Feb 11 2003 - 17:33:08 PST