Christian Heinrich, profile picture
Uploaded byChristian Heinrich
PPT, PDF2,151 views

CVSS

The document discusses the Common Vulnerability Scoring System (CVSS). It provides a history of CVSS and describes the development of CVSS version 2. It outlines the base, temporal, and environmental metrics used in CVSS scoring. It notes some caveats in CVSS scoring, including subjective interpretations by vendors and a lack of representation from some groups. It also discusses politics around CVSS scoring and challenges in initial adoption.

Embed presentation

Downloaded 39 times
Common Vulnerability Scoring System Christian Heinrich ASIA RMSIG July 2007
cmlh Currently Security Researcher – Defeating Network Intrusion Detection/Prevention and Forensics – Presented at RUXCON 2K5 and RUXCON 2K6 Former Security Manager – News Limited – DSD Gateway Certified Service Provider – Federal Government Endorsed Business Public Profile on LinkedIn - http://www.linkedin.com/in/ChristianHeinrich
Agenda 1. History from the VDF to CVSS v2 2. CVSS v2 from the End User’s Perspective 3. Caveats, Politics and other Traps :)
Vulnerability Disclosure Framework National Infrastructure Advisory Council (NIAC) Vulnerability Disclosure Working Group (VDWG) – 13 Jan 2004 Findings with Existing Methodologies from Microsoft, CERT, etc – Specific to Vendor x Product y not Vendor z Product y – No consideration to • Environment of End User • Time Line of Vulnerability
CVSS to CVSS v2 12 October 2004 - Vulnerability Scoring Working Sub Group of VDWG February 2005 - Presented at RSA by Mike Schiffman (Cisco) 11 May 2005 - NAIC Appointed Forum of Incident Response and Security Teams (FIRST) - FIRST formed Special Interest Group (CVSS-SIG) 20 June 2007 – CVSS v2
CVSS v2
Base Metrics Intrinsic to any given vulnerability that do not change over or in different environments 1. Access from Local Console or Remote Network via Bluetooth -> Internet 2. “Technical” Likelihood 3. Authentication “Technical” Impact to 4. Confidentiality, 5. Integrity and 6. Availability
Temporal Metrics Characteristics of the vulnerability which evolve over the lifetime of the vulnerability 1. Maturity of the Exploit i.e. Proof of Concept, Worm, etc? 2. Is a Patch and/or Workaround, Available? 3. Confidence in the Report?
Environmental Metrics Contain those characteristics of vulnerability which are tied to a specific implementation of the end user 1. Potential Collateral Damage to Critical Infrastructure? 2. Total number of Targets? “Business” Impact to 3. Confidentiality, 4. Integrity and 5. Availability
Scoring Calculators published via the “Scores and Calculators” Page at http://www.first.org/cvss Presentation of Base Metrics AV:[L,A,N]/AC:[H,M,L]/Au:[M,S,N]/C:[N,P,C]/I:[N,P,C]/A:[N,P,C] Presentation of Temporal Metrics E:[U,POC,F,H,ND]/RL:[OF,TF,W,U,ND]/RC:[UC,UR,C,ND] Presentation of Environmental Metrics CDP:[N,L,LM,MH,H,ND]/TD:[N,L,M,H,ND]/CR:[L,M,H,ND]/IR:[L,M,H,ND]/AR:[L,M,H,ND] Presentation of Base Metrics Example: AV:L/AC:M/Au:N/C:N/I:P/A:C
Caveats, Politics and other Traps :) Base Metrics Vendor’s “subjective” interpretation of Base Metrics “Independent” NIST National Vulnerability Database (NVD) Vendor publishes Base Score but withholds Base Metrics Derive Possible Base Metrics from Base Score with Fuzzer Attack Vector – Metric with Highest Numerical Value, not most common Some attacks e.g. XSS only considers Web Server, not Browser Authentication – Can be “reduced” due to certain implementations e.g. Token, S/KEY Considerations towards End User’s Environment – Probability of Deriving Authentication Credential – Range of Wireless Network? What if High Gain Antenna? What if Faraday Cage?
Caveats, Politics and other Traps :) Temporal Metrics “Will this affect my network range?”- No feed, real-time or otherwise, is provided Doesn’t Consider reduction in time due to “Binary Diff” and/or “Fuzzing” Environmental Metrics Target Distribution - Map “Connectivity” with Active and Passive Discovery Doesn’t Consider: - Cost to Implement Patch and/or Workaround - Technical Knowledge Required for Attack Complexity
Caveats, Politics and other Traps :) Scoring Developing “Fuzzer” to Derive All Scores by Calculating All Numerical Values Rounding to “Reduce” Score. Substitution – Different Metric Yet Same Score Derive Possible Metrics from Score Based on CVSS v1 Fuzzer Expect an Announcement from Jeff Jones (Microsoft) Come to the Security Interchange meeting later this year
Caveats, Politics and other Traps :) Lack of Representation: – No invitation to End Users and little from Security Researchers (e.g. Schiffman) – No lesson learnt by CERT The Horse has Bolted – First Impressions Last: – Optional Scores – Resistance from Initial Supporters such as Microsoft – CVE still in process of reclassifying vulnerabilities to updated schema Advocate to Vendor as it provides YOU with Advantages in removing Subjectivity from: – Priorities Remediation regardless of Vendor and/or Product and/or Technology – Objective Vulnerability Distribution Studies
Thanks John Greaves David Palmer & Westpac Chris Wood & Patchlink David Reinhold John Dale John Frisken

More Related Content

PDF
Threat Modelling
byn|u - The Open Security Community
 
PPT
Secure code practices
byHina Rawal
 
PDF
Secure coding presentation Oct 3 2020
byMoataz Kamel
 
PDF
Introduction to MITRE ATT&CK
byArpan Raval
 
PPTX
Vulnerabilities in modern web applications
byNiyas Nazar
 
PDF
Computer Security | Types of Computer Security | Cybersecurity Course | Edureka
byEdureka!
 
PPTX
Secure coding practices
byScott Hurrey
 
PDF
Cloud security
byn|u - The Open Security Community
 
Threat Modelling
byn|u - The Open Security Community
 
Secure code practices
byHina Rawal
 
Secure coding presentation Oct 3 2020
byMoataz Kamel
 
Introduction to MITRE ATT&CK
byArpan Raval
 
Vulnerabilities in modern web applications
byNiyas Nazar
 
Computer Security | Types of Computer Security | Cybersecurity Course | Edureka
byEdureka!
 
Secure coding practices
byScott Hurrey
 
Cloud security
byn|u - The Open Security Community
 

What's hot

PDF
REST API Pentester's perspective
bySecuRing
 
PPTX
The Indicators of Compromise
byTomasz Jakubowski
 
PPTX
OWASP Top 10 2021 What's New
byMichael Furman
 
PDF
Introduction to Web Application Penetration Testing
byNetsparker
 
PPTX
Introduction To Vulnerability Assessment & Penetration Testing
byRaghav Bisht
 
PPT
Introduction to Web Application Penetration Testing
byAnurag Srivastava
 
PPTX
Cybersecurity Attack Vectors: How to Protect Your Organization
byTriCorps Technologies
 
PDF
Ch 10: Hacking Web Servers
bySam Bowne
 
PPTX
Introduction to penetration testing
byNezar Alazzabi
 
PPT
Introduction To OWASP
byMarco Morana
 
PPTX
Security testing
byKhizra Sammad
 
PPT
Application Security
byReggie Niccolo Santos
 
PPTX
Zero trust Architecture
byAddWeb Solution Pvt. Ltd.
 
PDF
Application Security - Your Success Depends on it
byWSO2
 
PDF
OWASP API Security Top 10 Examples
by42Crunch
 
PPTX
Directory Traversal & File Inclusion Attacks
byRaghav Bisht
 
PPTX
Intro to Security in SDLC
byTjylen Veselyj
 
PPTX
Linux privilege escalation 101
byRashid feroz
 
PPTX
Cyber kill chain
byAnkita Ganguly
 
PDF
Windows logging cheat sheet
byMichael Gough
 
REST API Pentester's perspective
bySecuRing
 
The Indicators of Compromise
byTomasz Jakubowski
 
OWASP Top 10 2021 What's New
byMichael Furman
 
Introduction to Web Application Penetration Testing
byNetsparker
 
Introduction To Vulnerability Assessment & Penetration Testing
byRaghav Bisht
 
Introduction to Web Application Penetration Testing
byAnurag Srivastava
 
Cybersecurity Attack Vectors: How to Protect Your Organization
byTriCorps Technologies
 
Ch 10: Hacking Web Servers
bySam Bowne
 
Introduction to penetration testing
byNezar Alazzabi
 
Introduction To OWASP
byMarco Morana
 
Security testing
byKhizra Sammad
 
Application Security
byReggie Niccolo Santos
 
Zero trust Architecture
byAddWeb Solution Pvt. Ltd.
 
Application Security - Your Success Depends on it
byWSO2
 
OWASP API Security Top 10 Examples
by42Crunch
 
Directory Traversal & File Inclusion Attacks
byRaghav Bisht
 
Intro to Security in SDLC
byTjylen Veselyj
 
Linux privilege escalation 101
byRashid feroz
 
Cyber kill chain
byAnkita Ganguly
 
Windows logging cheat sheet
byMichael Gough
 

Viewers also liked

PPTX
Post dramatic stress disorder mum
byJacqui Crane
 
PPTX
Computerised Asia scoring for SCI- Nursing role
byAll India Institute of Medical Sciences
 
PPT
Limb salvage
byorthoprince
 
PPTX
Trauma in special Populations
byRashid Abuelhassan
 
PPTX
Geriatric trauma special consideration
byDr Abdul sherwani
 
PPTX
12 rw principles of mangled extremity management
byPumsak Thamviriyarak
 
DOC
spinal cord - Cauda vs. conus
byKurian Joseph
 
PPT
05 introduction to injury scoring systems
byDang Thanh Tuan
 
PPTX
Trauma In Special Populations: Geriatrics, Bariatrics, Pediatrics, and Pregna...
byRommie Duckworth
 
PPTX
Brown syndrome
byManal AlRomeih
 
PPTX
Spinal cord injury assessment
byDeepak Anap
 
PDF
Trauma scoring 23 พค.2558
byKrongdai Unhasuta
 
PPTX
CAUDA EQUINA VS CONUS MEDULLARIS SYNDROME
byshuchij10
 
PDF
Quality care of the severe trauma 14 พค.58
byKrongdai Unhasuta
 
PDF
Trauma treatment skills for nurse
byKrongdai Unhasuta
 
PPT
Shock 090914002728 Phpapp02
byaxix
 
PPTX
Mangled extremity and its Management
bySiddhartha Naru
 
PPTX
Cauda equina syndrome - Dafydd Loughran
bywelshbarbers
 
PPTX
Spinal cord injury
byZahid Khan
 
PPT
Multiple trauma in special situations
bytaem
 
Post dramatic stress disorder mum
byJacqui Crane
 
Computerised Asia scoring for SCI- Nursing role
byAll India Institute of Medical Sciences
 
Limb salvage
byorthoprince
 
Trauma in special Populations
byRashid Abuelhassan
 
Geriatric trauma special consideration
byDr Abdul sherwani
 
12 rw principles of mangled extremity management
byPumsak Thamviriyarak
 
spinal cord - Cauda vs. conus
byKurian Joseph
 
05 introduction to injury scoring systems
byDang Thanh Tuan
 
Trauma In Special Populations: Geriatrics, Bariatrics, Pediatrics, and Pregna...
byRommie Duckworth
 
Brown syndrome
byManal AlRomeih
 
Spinal cord injury assessment
byDeepak Anap
 
Trauma scoring 23 พค.2558
byKrongdai Unhasuta
 
CAUDA EQUINA VS CONUS MEDULLARIS SYNDROME
byshuchij10
 
Quality care of the severe trauma 14 พค.58
byKrongdai Unhasuta
 
Trauma treatment skills for nurse
byKrongdai Unhasuta
 
Shock 090914002728 Phpapp02
byaxix
 
Mangled extremity and its Management
bySiddhartha Naru
 
Cauda equina syndrome - Dafydd Loughran
bywelshbarbers
 
Spinal cord injury
byZahid Khan
 
Multiple trauma in special situations
bytaem
 

Similar to CVSS

PDF
Cvss guide file
bymudyna
 
PPTX
Classification of vulnerabilities
byMayur Mehta
 
PDF
Vulnerability Management Scoring Systems
bySecurity B-Sides
 
PPTX
16 CVSS16 CVSS16 CVSS16 CVSS16 CVSS16 CVSS.pptx
byabhimannyubanerjee
 
PDF
Health-ISAC Risk-Based Approach to Vulnerability Prioritization [EN].pdf
bySnarky Security
 
PPTX
SoftwareQualityModelsandSecurityn_l.pptx
bysaifulislamswe
 
DOCX
Common Vulnerability Scoring System v3.0User GuideThe C.docx
bymccormicknadine86
 
PPTX
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
byKymberlee Price
 
PDF
Fix What Matters: BSidesDetroit 2014
byMichael Roytman
 
PDF
Fix What Matters
byEd Bellis
 
PPT
SLVA - Security monitoring and reporting itweb workshop
bySLVA Information Security
 
PDF
Verizon 2015 DBIR VM portion
byTawnia Beckwith
 
PDF
Adventures in a Decade of Tracking and Consolidating Security Vulnerabilities
byMarc Ruef
 
PDF
Marc Ruef: Adventures in a Decade of Tracking and Consolidating Security Vuln...
byArea41
 
PDF
BSidesSF 2014 Fix What Matters:Why CVSS Sucks
byEd Bellis
 
PDF
BsidesSF 2014 Fix What Matters
byMichael Roytman
 
PPTX
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
byAlexander Leonov
 
PDF
Security in Computing and IT
byKomalah Nair
 
PPTX
OpenChain Webinar: Universal CVSS Calculator
byShane Coughlan
 
PPT
pptAJECGYW9qopptAJECGYW9qopptAJECGYW9qopptAJECGYW9qo.ppt
byabhimannyubanerjee
 
Cvss guide file
bymudyna
 
Classification of vulnerabilities
byMayur Mehta
 
Vulnerability Management Scoring Systems
bySecurity B-Sides
 
16 CVSS16 CVSS16 CVSS16 CVSS16 CVSS16 CVSS.pptx
byabhimannyubanerjee
 
Health-ISAC Risk-Based Approach to Vulnerability Prioritization [EN].pdf
bySnarky Security
 
SoftwareQualityModelsandSecurityn_l.pptx
bysaifulislamswe
 
Common Vulnerability Scoring System v3.0User GuideThe C.docx
bymccormicknadine86
 
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
byKymberlee Price
 
Fix What Matters: BSidesDetroit 2014
byMichael Roytman
 
Fix What Matters
byEd Bellis
 
SLVA - Security monitoring and reporting itweb workshop
bySLVA Information Security
 
Verizon 2015 DBIR VM portion
byTawnia Beckwith
 
Adventures in a Decade of Tracking and Consolidating Security Vulnerabilities
byMarc Ruef
 
Marc Ruef: Adventures in a Decade of Tracking and Consolidating Security Vuln...
byArea41
 
BSidesSF 2014 Fix What Matters:Why CVSS Sucks
byEd Bellis
 
BsidesSF 2014 Fix What Matters
byMichael Roytman
 
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
byAlexander Leonov
 
Security in Computing and IT
byKomalah Nair
 
OpenChain Webinar: Universal CVSS Calculator
byShane Coughlan
 
pptAJECGYW9qopptAJECGYW9qopptAJECGYW9qopptAJECGYW9qo.ppt
byabhimannyubanerjee
 

More from Christian Heinrich

PPTX
Maltego "Have I been pwned?"
byChristian Heinrich
 
PPTX
Maltego Breach
byChristian Heinrich
 
KEY
tit
byChristian Heinrich
 
KEY
ssh
byChristian Heinrich
 
PDF
BSAMMBO
byChristian Heinrich
 
PPT
BSIMM
byChristian Heinrich
 
KEY
skipfish
byChristian Heinrich
 
PPT
OWASP Top Ten
byChristian Heinrich
 
KEY
PA-DSS
byChristian Heinrich
 
PPT
Download Indexed Cache
byChristian Heinrich
 
Maltego "Have I been pwned?"
byChristian Heinrich
 
Maltego Breach
byChristian Heinrich
 
tit
byChristian Heinrich
 
ssh
byChristian Heinrich
 
BSAMMBO
byChristian Heinrich
 
BSIMM
byChristian Heinrich
 
skipfish
byChristian Heinrich
 
OWASP Top Ten
byChristian Heinrich
 
PA-DSS
byChristian Heinrich
 
Download Indexed Cache
byChristian Heinrich
 

Recently uploaded

PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
PDF
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
PPTX
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
PDF
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PDF
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PDF
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
PDF
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PDF
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
PDF
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PPTX
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
PPTX
apidays Paris 2025 | Building Agentic Workflows
byapidays
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PDF
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
apidays Paris 2025 | Building Agentic Workflows
byapidays
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 

CVSS

  • 1.
    Common Vulnerability ScoringSystem Christian Heinrich ASIA RMSIG July 2007
  • 2.
    cmlh Currently Security Researcher – Defeating Network Intrusion Detection/Prevention and Forensics – Presented at RUXCON 2K5 and RUXCON 2K6 Former Security Manager – News Limited – DSD Gateway Certified Service Provider – Federal Government Endorsed Business Public Profile on LinkedIn - http://www.linkedin.com/in/ChristianHeinrich
  • 3.
    Agenda 1. History fromthe VDF to CVSS v2 2. CVSS v2 from the End User’s Perspective 3. Caveats, Politics and other Traps :)
  • 4.
    Vulnerability Disclosure Framework NationalInfrastructure Advisory Council (NIAC) Vulnerability Disclosure Working Group (VDWG) – 13 Jan 2004 Findings with Existing Methodologies from Microsoft, CERT, etc – Specific to Vendor x Product y not Vendor z Product y – No consideration to • Environment of End User • Time Line of Vulnerability
  • 5.
    CVSS to CVSSv2 12 October 2004 - Vulnerability Scoring Working Sub Group of VDWG February 2005 - Presented at RSA by Mike Schiffman (Cisco) 11 May 2005 - NAIC Appointed Forum of Incident Response and Security Teams (FIRST) - FIRST formed Special Interest Group (CVSS-SIG) 20 June 2007 – CVSS v2
  • 6.
  • 7.
    Base Metrics Intrinsic toany given vulnerability that do not change over or in different environments 1. Access from Local Console or Remote Network via Bluetooth -> Internet 2. “Technical” Likelihood 3. Authentication “Technical” Impact to 4. Confidentiality, 5. Integrity and 6. Availability
  • 8.
    Temporal Metrics Characteristics ofthe vulnerability which evolve over the lifetime of the vulnerability 1. Maturity of the Exploit i.e. Proof of Concept, Worm, etc? 2. Is a Patch and/or Workaround, Available? 3. Confidence in the Report?
  • 9.
    Environmental Metrics Contain thosecharacteristics of vulnerability which are tied to a specific implementation of the end user 1. Potential Collateral Damage to Critical Infrastructure? 2. Total number of Targets? “Business” Impact to 3. Confidentiality, 4. Integrity and 5. Availability
  • 10.
    Scoring Calculators published viathe “Scores and Calculators” Page at http://www.first.org/cvss Presentation of Base Metrics AV:[L,A,N]/AC:[H,M,L]/Au:[M,S,N]/C:[N,P,C]/I:[N,P,C]/A:[N,P,C] Presentation of Temporal Metrics E:[U,POC,F,H,ND]/RL:[OF,TF,W,U,ND]/RC:[UC,UR,C,ND] Presentation of Environmental Metrics CDP:[N,L,LM,MH,H,ND]/TD:[N,L,M,H,ND]/CR:[L,M,H,ND]/IR:[L,M,H,ND]/AR:[L,M,H,ND] Presentation of Base Metrics Example: AV:L/AC:M/Au:N/C:N/I:P/A:C
  • 11.
    Caveats, Politics andother Traps :) Base Metrics Vendor’s “subjective” interpretation of Base Metrics “Independent” NIST National Vulnerability Database (NVD) Vendor publishes Base Score but withholds Base Metrics Derive Possible Base Metrics from Base Score with Fuzzer Attack Vector – Metric with Highest Numerical Value, not most common Some attacks e.g. XSS only considers Web Server, not Browser Authentication – Can be “reduced” due to certain implementations e.g. Token, S/KEY Considerations towards End User’s Environment – Probability of Deriving Authentication Credential – Range of Wireless Network? What if High Gain Antenna? What if Faraday Cage?
  • 12.
    Caveats, Politics andother Traps :) Temporal Metrics “Will this affect my network range?”- No feed, real-time or otherwise, is provided Doesn’t Consider reduction in time due to “Binary Diff” and/or “Fuzzing” Environmental Metrics Target Distribution - Map “Connectivity” with Active and Passive Discovery Doesn’t Consider: - Cost to Implement Patch and/or Workaround - Technical Knowledge Required for Attack Complexity
  • 13.
    Caveats, Politics andother Traps :) Scoring Developing “Fuzzer” to Derive All Scores by Calculating All Numerical Values Rounding to “Reduce” Score. Substitution – Different Metric Yet Same Score Derive Possible Metrics from Score Based on CVSS v1 Fuzzer Expect an Announcement from Jeff Jones (Microsoft) Come to the Security Interchange meeting later this year
  • 14.
    Caveats, Politics andother Traps :) Lack of Representation: – No invitation to End Users and little from Security Researchers (e.g. Schiffman) – No lesson learnt by CERT The Horse has Bolted – First Impressions Last: – Optional Scores – Resistance from Initial Supporters such as Microsoft – CVE still in process of reclassifying vulnerabilities to updated schema Advocate to Vendor as it provides YOU with Advantages in removing Subjectivity from: – Priorities Remediation regardless of Vendor and/or Product and/or Technology – Objective Vulnerability Distribution Studies
  • 15.
    Thanks John Greaves David Palmer& Westpac Chris Wood & Patchlink David Reinhold John Dale John Frisken

Editor's Notes

  • #3 AISO Web Server
  • #5 Accusations of Subjectivity Due to Lack of Consistent Score Vulnerability Disclosure Framework P8 Scoring - To protect the nation’s critical information infrastructure, the Council believes reliable, consistent vulnerability scoring methods are essential. The Study Group evaluated alternative procedures actively employed by several stakeholders to categorize reported vulnerabilities. Existing vulnerability scoring methods vary widely. To protect the nation’s critical information infrastructure, the Working Group concluded that reliable, consistent vulnerability scoring methods are essential. Unfortunately, the existing diversity in the methods used to identify vulnerabilities and assign scoring metrics presents a contradictory risk—disagreements provide malicious actors increased time to exploit the vulnerability or increase the damages resulting from existing exploitative situations. Therefore, the NIAC commissioned a research task to develop a consistent scoring methodology. The results of the Scoring Subgroup’s work will be published separately when complete. P 37 Support development and use of a universally compatible vulnerability scoring methodology. When complete, such a scoring method should: Employ standardized threat scoring classification schemes structured around accepted criteria by which to assess and evaluate vulnerabilities. The goal of standardized threat scoring is to promote understanding by a range of private and public sector researchers regarding reported vulnerabilities. Allow for local variations, depending on impact, environment, culture, and roles of those developing scores. Permit ongoing adjustment of an assigned score or set of scores in order to reflect research results or the impact of confirmed exploitations or remediation efforts. Incorporate procedures for independent validation of the suitability of any score or set of scores assigned to a vulnerability, along with a means for improper results to be adjusted in a neutral manner.
  • #6 Recommendations Support use of CVSS by all Federal Departments and Agencies by calculating Environmental Metrics. Encourage DHS to promote the use of CVSS to the global community, including critical infrastructure owners and outside of the USA NIAC appointed to identify organization to function as the permanent home for CVSS. NAIC appointed FIRST 11th May 2005 Significant Technical Expertise Experience in Managing Vulnerabilities Maintains a Global Focus Renamed again CVSS v2 to CVSS v1.1 to CVSS v2
  • #7 Base Metrics “ Intrinsic to any given vulnerability that do not change over or in different environments ” Six Metrics Scored by Vendor Temporal Metrics “ Characteristics of the vulnerability which evolve over the lifetime of the vulnerability ” Three Metrics Scored by Vendor and/or FIRST Member Environmental Metrics “ Contain those characteristics of vulnerability which are tied to a specific implementation of the end user. ” Five Metrics Scored by End User
  • #8 Six Metrics Scored by Vendor Changes from CVSS v1 Authentication includes multiple use of same credentials Access Vector – Bluetooth. 802.11 Wireless, etc
  • #9 Three Metrics Scored by Vendor and/or FIRST Member
  • #10 Six Metrics Scored by Vendor Changes from CVSS v1 Authentication includes multiple use of same credentials Access Vector – Bluetooth. 802.11 Wireless, etc
  • #12 Reduced Privileges of Running Process
  • #13 Binary Diff and Fuzzing weren’t considered by Vulnerability Disclosure Framework either!
  • #14 Jeff Jones Complies Vulnerability Statistics for Microsoft.
  • #15 Vulnerability Disclosure Framework – Equal Involvement from All Parties
  • #16 Vulnerability Disclosure Framework – Equal Involvement from All Parties