Common Vulnerability Scoring System



          Christian Heinrich
          ASIA RMSIG
          July 2007
cmlh

Currently Security Researcher
    – Defeating Network Intrusion Detection/Prevention and Forensics
    – Presented at RUXCON 2K5 and RUXCON 2K6



Former Security Manager
    – News Limited
    – DSD Gateway Certified Service Provider
    – Federal Government Endorsed Business




Public Profile on LinkedIn - http://www.linkedin.com/in/ChristianHeinrich
Agenda


1. History from the VDF to CVSS v2
2. CVSS v2 from the End User’s Perspective
3. Caveats, Politics and other Traps :)
Vulnerability Disclosure Framework

National Infrastructure Advisory Council (NIAC)
   Vulnerability Disclosure Working Group (VDWG) – 13 Jan 2004


Findings with Existing Methodologies from Microsoft, CERT, etc
   – Specific to Vendor x Product y not Vendor z Product y
   – No consideration to
      • Environment of End User
      • Time Line of Vulnerability
CVSS to CVSS v2
12 October 2004 - Vulnerability Scoring Working Sub Group of VDWG


February 2005 - Presented at RSA by Mike Schiffman (Cisco)


11 May 2005
- NIAC Appointed Forum of Incident Response and Security Teams (FIRST)
- FIRST formed Special Interest Group (CVSS-SIG)


20 June 2007 – CVSS v2
CVSS v2
Base Metrics
Intrinsic to any given vulnerability; they do not change over time or across different environments




1. Access from Local Console or Remote Network via Bluetooth -> Internet
2. “Technical” Likelihood
3. Authentication


“Technical” Impact to 4. Confidentiality, 5. Integrity and 6. Availability
Temporal Metrics
Characteristics of the vulnerability which evolve over the lifetime of the vulnerability




1. Maturity of the Exploit, i.e. Proof of Concept, Worm, etc.?
2. Is a Patch and/or Workaround Available?
3. Confidence in the Report?
Environmental Metrics
Those characteristics of a vulnerability which are tied to the end user's specific implementation




1. Potential Collateral Damage to Critical Infrastructure?
2. Total number of Targets?


“Business” Impact to 3. Confidentiality, 4. Integrity and 5. Availability
Scoring
Calculators published via the “Scores and Calculators” Page at http://www.first.org/cvss


Presentation of Base Metrics
    AV:[L,A,N]/AC:[H,M,L]/Au:[M,S,N]/C:[N,P,C]/I:[N,P,C]/A:[N,P,C]



Presentation of Temporal Metrics
    E:[U,POC,F,H,ND]/RL:[OF,TF,W,U,ND]/RC:[UC,UR,C,ND]


Presentation of Environmental Metrics
    CDP:[N,L,LM,MH,H,ND]/TD:[N,L,M,H,ND]/CR:[L,M,H,ND]/IR:[L,M,H,ND]/AR:[L,M,H,ND]


Presentation of Base Metrics Example:
    AV:L/AC:M/Au:N/C:N/I:P/A:C
Caveats, Politics and other Traps :)
Base Metrics

Vendor’s “subjective” interpretation of Base Metrics
     “Independent” NIST National Vulnerability Database (NVD)

Vendor publishes Base Score but withholds Base Metrics
     Derive Possible Base Metrics from Base Score with Fuzzer

Attack Vector – Metric with Highest Numerical Value, not most common
               Some attacks, e.g. XSS, only consider the Web Server, not the Browser
Authentication – Can be “reduced” due to certain implementations e.g. Token, S/KEY


Considerations towards End User’s Environment
    –    Probability of Deriving Authentication Credential
    –    Range of Wireless Network? What if High Gain Antenna? What if Faraday Cage?
Caveats, Politics and other Traps :)
Temporal Metrics
“Will this affect my network range?” - No feed, real-time or otherwise, is provided
Doesn’t Consider reduction in time due to “Binary Diff” and/or “Fuzzing”


Environmental Metrics
Target Distribution - Map “Connectivity” with Active and Passive Discovery
Doesn’t Consider:
      - Cost to Implement Patch and/or Workaround
      - Technical Knowledge Required for Attack Complexity
Caveats, Politics and other Traps :)
Scoring


Developing “Fuzzer” to Derive All Scores by Calculating All Numerical Values
          Rounding to “Reduce” Score.
          Substitution – Different Metric Yet Same Score
          Derive Possible Metrics from Score


Based on CVSS v1 Fuzzer
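The vector notation on the Scoring slide and the "derive possible metrics from score" idea on this slide, worked through as an added example. This is not code from the slides and not the presenter's CVSS v1 fuzzer; the metric weights and equations are those of the published CVSS v2 guide at first.org rather than anything stated on the slides, and every vector string in the file is constructed. The scorer parses the AV/AC/Au/C/I/A, E/RL/RC and CDP/TD/CR/IR/AR notation exactly as the Scoring slide shows it, rejects any metric or value outside the allowed sets, and then scores all 729 base vectors to show how many distinct metric combinations collapse onto a single Base Score, which is why a vendor that publishes the score but withholds the metrics leaves the end user guessing:

```python
"""CVSS v2 scorer and base-score ambiguity check (added example; see lead-in).
Weights and equations follow the published CVSS v2 guide at first.org, not
the slides. Decimal with half-up rounding matches the first.org calculator."""
from collections import defaultdict
from decimal import Decimal as D, ROUND_HALF_UP
from itertools import product

# Metric weights from the CVSS v2 guide, keyed by the slides' vector notation.
BASE = {
    "AV": {"L": D("0.395"), "A": D("0.646"), "N": D("1.0")},
    "AC": {"H": D("0.35"), "M": D("0.61"), "L": D("0.71")},
    "Au": {"M": D("0.45"), "S": D("0.56"), "N": D("0.704")},
    "C": {"N": D("0"), "P": D("0.275"), "C": D("0.660")},
    "I": {"N": D("0"), "P": D("0.275"), "C": D("0.660")},
    "A": {"N": D("0"), "P": D("0.275"), "C": D("0.660")},
}
TEMPORAL = {
    "E": {"U": D("0.85"), "POC": D("0.9"), "F": D("0.95"), "H": D("1.0"), "ND": D("1.0")},
    "RL": {"OF": D("0.87"), "TF": D("0.90"), "W": D("0.95"), "U": D("1.0"), "ND": D("1.0")},
    "RC": {"UC": D("0.90"), "UR": D("0.95"), "C": D("1.0"), "ND": D("1.0")},
}
ENVIRONMENTAL = {
    "CDP": {"N": D("0"), "L": D("0.1"), "LM": D("0.3"), "MH": D("0.4"), "H": D("0.5"), "ND": D("0")},
    "TD": {"N": D("0"), "L": D("0.25"), "M": D("0.75"), "H": D("1.0"), "ND": D("1.0")},
    "CR": {"L": D("0.5"), "M": D("1.0"), "H": D("1.51"), "ND": D("1.0")},
    "IR": {"L": D("0.5"), "M": D("1.0"), "H": D("1.51"), "ND": D("1.0")},
    "AR": {"L": D("0.5"), "M": D("1.0"), "H": D("1.51"), "ND": D("1.0")},
}

def parse_vector(vector, required, optional=()):
    """Parse 'AV:L/AC:M/...' into {metric: value}. Required metrics must each
    appear once with a legal value; optional ones default to ND (Not Defined)."""
    allowed = {m: v for t in (*required, *optional) for m, v in t.items()}
    found = {}
    for part in vector.split("/"):
        metric, _, value = part.partition(":")
        if metric not in allowed or value not in allowed[metric]:
            raise ValueError(f"unknown metric or value: {part!r}")
        if metric in found:
            raise ValueError(f"metric given twice: {metric}")
        found[metric] = value
    missing = [m for t in required for m in t if m not in found]
    if missing:
        raise ValueError(f"missing metrics: {missing}")
    for t in optional:
        for m in t:
            found.setdefault(m, "ND")
    return found

def round1(x):
    """round_to_1_decimal as the guide defines it: half up, not banker's."""
    return x.quantize(D("0.1"), rounding=ROUND_HALF_UP)

def _impact(m, reqs=(D(1), D(1), D(1))):
    """Impact sub-equation; `reqs` carries CR/IR/AR for the adjusted variant."""
    c, i, a = (BASE[k][m[k]] * r for k, r in zip("CIA", reqs))
    return D("10.41") * (1 - (1 - c) * (1 - i) * (1 - a))

def _base(m, impact):
    """BaseScore from a plain or adjusted impact value."""
    if impact == 0:                       # f(Impact) = 0: no impact, no score
        return D("0.0")
    exploitability = D(20) * BASE["AV"][m["AV"]] * BASE["AC"][m["AC"]] * BASE["Au"][m["Au"]]
    return round1((D("0.6") * impact + D("0.4") * exploitability - D("1.5")) * D("1.176"))

def _temporal_factor(m):
    return TEMPORAL["E"][m["E"]] * TEMPORAL["RL"][m["RL"]] * TEMPORAL["RC"][m["RC"]]

def base_score(vector):
    m = parse_vector(vector, [BASE])
    return _base(m, _impact(m))

def temporal_score(vector):
    """Base vector followed by E/RL/RC, e.g. '.../E:F/RL:OF/RC:C'."""
    m = parse_vector(vector, [BASE, TEMPORAL])
    return round1(_base(m, _impact(m)) * _temporal_factor(m))

def environmental_score(vector):
    """Base + CDP/TD/CR/IR/AR; temporal metrics optional (ND when absent)."""
    m = parse_vector(vector, [BASE, ENVIRONMENTAL], [TEMPORAL])
    reqs = tuple(ENVIRONMENTAL[k][m[k]] for k in ("CR", "IR", "AR"))
    adjusted_impact = min(D(10), _impact(m, reqs))
    adjusted_temporal = round1(_base(m, adjusted_impact) * _temporal_factor(m))
    cdp, td = ENVIRONMENTAL["CDP"][m["CDP"]], ENVIRONMENTAL["TD"][m["TD"]]
    return round1((adjusted_temporal + (10 - adjusted_temporal) * cdp) * td)

def base_vectors_by_score():
    """Bucket all 3**6 = 729 base vectors by score string: a vendor publishing
    only the Base Score leaves every vector in that bucket possible."""
    buckets = defaultdict(list)
    for combo in product(*(table.keys() for table in BASE.values())):
        vec = "/".join(f"{k}:{v}" for k, v in zip(BASE, combo))
        buckets[str(base_score(vec))].append(vec)
    return dict(buckets)

if __name__ == "__main__":
    example = "AV:L/AC:M/Au:N/C:N/I:P/A:C"      # the slides' example vector
    same = base_vectors_by_score()[str(base_score(example))]
    print(example, "->", base_score(example), "shared by", len(same), "vectors")
```

Run as a script it scores the Scoring slide's example vector AV:L/AC:M/Au:N/C:N/I:P/A:C (5.4) and counts the other base vectors that share that score. Because the impact sub-equation is symmetric in C, I and A, swapping C:N/I:P for C:P/I:N changes the metrics but not the score, which is the substitution case this slide describes. The Decimal arithmetic matters for agreeing with the published calculator: the guide rounds the base score to one decimal before the temporal multipliers are applied, and an intermediate such as 8.265 rounds to 8.3 under half-up rounding but can land on 8.2 with float arithmetic and banker's rounding.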


Expect an Announcement from Jeff Jones (Microsoft)


Come to the Security Interchange meeting later this year
Caveats, Politics and other Traps :)
Lack of Representation:
    –    No invitation to End Users and little from Security Researchers (e.g. Schiffman)
    –    No lesson learnt by CERT


The Horse has Bolted – First Impressions Last:
    –    Optional Scores
    –    Resistance from Initial Supporters such as Microsoft
    –    CVE still in process of reclassifying vulnerabilities to updated schema



Advocate to Vendor as it provides YOU with Advantages in removing Subjectivity from:
    –    Prioritises Remediation regardless of Vendor and/or Product and/or Technology
    –    Objective Vulnerability Distribution Studies
Thanks

John Greaves
David Palmer & Westpac
Chris Wood & Patchlink
David Reinhold
John Dale
John Frisken


Editor's Notes

  1. AISO Web Server
  2. Accusations of Subjectivity Due to Lack of Consistent Score
     Vulnerability Disclosure Framework P8 Scoring - To protect the nation’s critical information infrastructure, the Council believes reliable, consistent vulnerability scoring methods are essential. The Study Group evaluated alternative procedures actively employed by several stakeholders to categorize reported vulnerabilities. Existing vulnerability scoring methods vary widely. To protect the nation’s critical information infrastructure, the Working Group concluded that reliable, consistent vulnerability scoring methods are essential. Unfortunately, the existing diversity in the methods used to identify vulnerabilities and assign scoring metrics presents a contradictory risk—disagreements provide malicious actors increased time to exploit the vulnerability or increase the damages resulting from existing exploitative situations. Therefore, the NIAC commissioned a research task to develop a consistent scoring methodology. The results of the Scoring Subgroup’s work will be published separately when complete.
     P37 Support development and use of a universally compatible vulnerability scoring methodology. When complete, such a scoring method should:
     – Employ standardized threat scoring classification schemes structured around accepted criteria by which to assess and evaluate vulnerabilities. The goal of standardized threat scoring is to promote understanding by a range of private and public sector researchers regarding reported vulnerabilities.
     – Allow for local variations, depending on impact, environment, culture, and roles of those developing scores.
     – Permit ongoing adjustment of an assigned score or set of scores in order to reflect research results or the impact of confirmed exploitations or remediation efforts.
     – Incorporate procedures for independent validation of the suitability of any score or set of scores assigned to a vulnerability, along with a means for improper results to be adjusted in a neutral manner.
  3. Recommendations: Support use of CVSS by all Federal Departments and Agencies by calculating Environmental Metrics. Encourage DHS to promote the use of CVSS to the global community, including critical infrastructure owners and outside of the USA. NIAC appointed to identify an organization to function as the permanent home for CVSS. NIAC appointed FIRST on 11th May 2005: Significant Technical Expertise; Experience in Managing Vulnerabilities; Maintains a Global Focus. Renamed again: CVSS v2 to CVSS v1.1 to CVSS v2.
  4. Base Metrics “ Intrinsic to any given vulnerability that do not change over or in different environments ” Six Metrics Scored by Vendor Temporal Metrics “ Characteristics of the vulnerability which evolve over the lifetime of the vulnerability ” Three Metrics Scored by Vendor and/or FIRST Member Environmental Metrics “ Contain those characteristics of vulnerability which are tied to a specific implementation of the end user. ” Five Metrics Scored by End User
  5. Six Metrics Scored by Vendor. Changes from CVSS v1: Authentication includes multiple use of the same credentials; Access Vector – Bluetooth, 802.11 Wireless, etc.
  6. Three Metrics Scored by Vendor and/or FIRST Member
  7. Six Metrics Scored by Vendor. Changes from CVSS v1: Authentication includes multiple use of the same credentials; Access Vector – Bluetooth, 802.11 Wireless, etc.
  8. Reduced Privileges of Running Process
  9. Binary Diff and Fuzzing weren’t considered by Vulnerability Disclosure Framework either!
  10. Jeff Jones Compiles Vulnerability Statistics for Microsoft.
  11. Vulnerability Disclosure Framework – Equal Involvement from All Parties
  12. Vulnerability Disclosure Framework – Equal Involvement from All Parties