"R. DuFresne" <dufresneat_private> said:

>there is prolly a lot of confusion with various rating methods in place
>depending upon whence one seeks such info, nessus I think uses params
>much like you state here, I think mitre.org uses something a tad
>different

If you're referring to CVE, then we do not use any particular risk value. CVE descriptions will often include information like remote/local exploitation and the effects (code execution, DoS, etc.). Many CVE consumers do ask us to include such a value, which demonstrates the desire for this type of information, but unfortunately it's outside CVE's scope as a naming standard.

I think there's a general need for some consistent "risk level" that can be used by everyone for the "typical" enterprise. The same vulnerability can get varying risk levels across different vulnerability databases. Also, different enterprises will assign different priorities to the same vulnerability based on things like their own policies, threat environment, risk aversion, etc. (Hopefully I don't cause a terminological discussion by throwing out words like those! :-) And there will be disagreements about subtle or complex issues, like many web browser vulnerabilities. Still, it would be nice to have something for the typical enterprise that reflects generally accepted principles like "unauthenticated root access over the network is really, really, really bad."

>while SANS' weekly vulnerability assessments look to rate much as you
>do here. I kinda like the SANS rating method and would suggest that
>might work as a template for you to go by.

If you're referring to the weekly "SANS Critical Vulnerability Analysis" reports, I like it too. They use a 4-point scale that distinguishes between "CRITICAL" vulnerabilities and "HIGH" risk vulnerabilities, where "critical" issues may be subject to easy exploitation in widespread software with root/admin level privileges.

I've tried tackling the risk level problem. I thought that a 5-point scale might be nice, but could not cleanly separate the "middle" items, then independently developed something similar to the SANS levels, for whatever that's worth.

Per Niila Albinsson <perat_private> said:

>I do believe there would also be a need for classification of whether a
>vulnerability could be exploited remotely and/or locally.

One difficulty here is that there's not just "over the network" and "on the machine." There are other factors, like the amount of authentication required and the scope of access provided to the application/system/network - e.g. do admin privileges on a bulletin board CGI program translate into any damage beyond the scope of the board, e.g. the system itself? How do you handle bugs in file formats where the files could be transferred "remotely" or "locally?" Should there be a distinction between "access to system via its software" and physical access, e.g. to the raw disk?

So, even simple terms like "remote" and "local" will have widely varying definitions. For example, just recently I observed a security bulletin that talked about "local access" for an issue that could only be exploited by sending packets to the internal interface of a router.

- Steve

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
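As an added illustration (not code from the original post, nor CVE's or SANS' own method), here is a small Python rater that separates the factors Steve lists: the exploitation vector (unauthenticated network, authenticated network, packets to an internal-only interface, a malicious file, physical access) from the scope of what is gained (application vs. system), and maps the pair onto a SANS-style 4-point scale. The `Vector`, `Scope`, `Finding` and `rate` names, the "MODERATE"/"LOW" level names, the per-vector judgments and the `app_admin_is_system` policy knob are all assumptions of this example, not anything the post or SANS defines.

```python
from dataclasses import dataclass
from enum import Enum, auto

class Vector(Enum):
    """How the attacker reaches the flaw; 'remote'/'local' alone is too coarse."""
    NETWORK_UNAUTH = auto()      # packets from anywhere, no credentials needed
    NETWORK_AUTH = auto()        # packets from anywhere, but a valid account is required
    INTERNAL_INTERFACE = auto()  # packets to an internal-only interface (the router case)
    FILE_FORMAT = auto()         # malformed file; it may arrive "remotely" or "locally"
    PHYSICAL = auto()            # hands on the hardware, e.g. the raw disk

class Scope(Enum):
    APPLICATION = auto()         # damage confined to the vulnerable program's own data
    SYSTEM = auto()              # root/admin on the underlying host

@dataclass(frozen=True)
class Finding:
    vector: Vector
    scope: Scope
    easy_to_exploit: bool        # trivial trigger or public exploit code
    widespread: bool             # software common in a "typical" enterprise

def rate(f: Finding, app_admin_is_system: bool = False) -> str:
    """Map a finding onto LOW / MODERATE / HIGH / CRITICAL (assumed level names).

    app_admin_is_system is the enterprise policy knob from the bulletin-board
    question: a site whose host exists only to run the board may decide that
    admin on the board is as bad as admin on the box.
    """
    scope = f.scope
    if app_admin_is_system and scope is Scope.APPLICATION:
        scope = Scope.SYSTEM
    if scope is Scope.SYSTEM:
        # CRITICAL as the post describes it: easy exploitation, widespread
        # software, root/admin result, and no prior access required.
        if f.vector is Vector.NETWORK_UNAUTH and f.easy_to_exploit and f.widespread:
            return "CRITICAL"
        return "MODERATE" if f.vector is Vector.PHYSICAL else "HIGH"
    # Application-only impact never reaches CRITICAL on this scale.
    if f.vector is Vector.NETWORK_UNAUTH:
        return "HIGH" if f.widespread else "MODERATE"
    return "LOW" if f.vector is Vector.PHYSICAL else "MODERATE"

# Constructed sample: the router bulletin the post mentions, rated by its real
# vector (packets to an internal interface) rather than by the word "local".
ROUTER_CASE = Finding(Vector.INTERNAL_INTERFACE, Scope.SYSTEM, True, True)

if __name__ == "__main__":
    print(f"router case: {rate(ROUTER_CASE)}")  # HIGH
```

Changing only the policy knob on the bulletin-board case moves it from MODERATE to HIGH, which is the enterprise-dependence the post argues any single published value cannot capture.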
This archive was generated by hypermail 2b30 : Wed Feb 12 2003 - 13:29:27 PST