<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
		>
<channel>
	<title>Comments on: Risk and CVSS (Post 3)</title>
	<atom:link href="http://risktical.com/2008/09/03/risk-and-cvss-post-3/feed/" rel="self" type="application/rss+xml" />
	<link>http://risktical.com/2008/09/03/risk-and-cvss-post-3/</link>
	<description>Assessing, Articulating &#38; Quantifying Information Security Risk</description>
	<lastBuildDate>Fri, 04 Jun 2010 19:07:42 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
	<item>
		<title>By: Chris Hayes</title>
		<link>http://risktical.com/2008/09/03/risk-and-cvss-post-3/#comment-61</link>
		<dc:creator>Chris Hayes</dc:creator>
		<pubDate>Wed, 03 Sep 2008 12:53:17 +0000</pubDate>
		<guid isPermaLink="false">http://risktical.wordpress.com/?p=62#comment-61</guid>
		<description>@Tomas – A vulnerability and an exploit need to exist in order for someone to attack. There is a whole separate debate about whether or not a vulnerability is truly a vulnerability if there is no exploit available. I do not want to debate that. My thoughts on the whole report confidence metric are that it can be used as a contributing factor to FAIR’s “threat event frequency” and “threat capability” taxonomy elements. For example, the lower the report confidence level of the vulnerability / exploit – the more reasonable it might be to err on a lower “threat event frequency” and a lower “threat capability”; the inverse for a higher confidence level. Ultimately, it will come down to the assessor’s subject matter expertise of his/her environment and the risk landscape for his/her organization at the time; so a lower report confidence level could actually have very little influence on a higher “threat event frequency” or “threat capability” FAIR value.</description>
		<content:encoded><![CDATA[<p>@Tomas – A vulnerability and an exploit need to exist in order for someone to attack. There is a whole separate debate about whether or not a vulnerability is truly a vulnerability if there is no exploit available. I do not want to debate that. My thoughts on the whole report confidence metric are that it can be used as a contributing factor to FAIR’s “threat event frequency” and “threat capability” taxonomy elements. For example, the lower the report confidence level of the vulnerability / exploit – the more reasonable it might be to err on a lower “threat event frequency” and a lower “threat capability”; the inverse for a higher confidence level. Ultimately, it will come down to the assessor’s subject matter expertise of his/her environment and the risk landscape for his/her organization at the time; so a lower report confidence level could actually have very little influence on a higher “threat event frequency” or “threat capability” FAIR value.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomas Olsson</title>
		<link>http://risktical.com/2008/09/03/risk-and-cvss-post-3/#comment-60</link>
		<dc:creator>Tomas Olsson</dc:creator>
		<pubDate>Wed, 03 Sep 2008 11:37:35 +0000</pubDate>
		<guid isPermaLink="false">http://risktical.wordpress.com/?p=62#comment-60</guid>
		<description>So you mean that if the (software) vulnerability exists it is more likely that somebody will attack and at the same time it is more likely that the attack will succeed? Well, that might be true. I might have to change my mind... :) Hmmm, the only question I have is whether both are affected or just the Threat Capability?</description>
		<content:encoded><![CDATA[<p>So you mean that if the (software) vulnerability exists it is more likely that somebody will attack and at the same time it is more likely that the attack will succeed? Well, that might be true. I might have to change my mind&#8230; :) Hmmm, the only question I have is whether both are affected or just the Threat Capability?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Chris Hayes</title>
		<link>http://risktical.com/2008/09/03/risk-and-cvss-post-3/#comment-59</link>
		<dc:creator>Chris Hayes</dc:creator>
		<pubDate>Wed, 03 Sep 2008 11:16:37 +0000</pubDate>
		<guid isPermaLink="false">http://risktical.wordpress.com/?p=62#comment-59</guid>
		<description>@Tomas – Thanks for the comment. I reviewed that section of the post and there is room for clarification. For every CVSS metric, I am asking myself, “How is this metric relevant to a risk assessment?” The CVSS text clearly states that this metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details. I cannot help myself and will probably regret typing this – but the first example that came to mind is the US military invasion of Iraq (reports of WMD, etc...). What does this mean to me? The less factual information I have about a vulnerability and how it can be exploited, the more confident I may feel in assigning a lower “threat event frequency” (lower contact / action) and lower “threat capability” in FAIR – instead of unnecessarily raising red flags because of rumors.</description>
		<content:encoded><![CDATA[<p>@Tomas – Thanks for the comment. I reviewed that section of the post and there is room for clarification. For every CVSS metric, I am asking myself, “How is this metric relevant to a risk assessment?” The CVSS text clearly states that this metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details. I cannot help myself and will probably regret typing this – but the first example that came to mind is the US military invasion of Iraq (reports of WMD, etc&#8230;). What does this mean to me? The less factual information I have about a vulnerability and how it can be exploited, the more confident I may feel in assigning a lower “threat event frequency” (lower contact / action) and lower “threat capability” in FAIR – instead of unnecessarily raising red flags because of rumors.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomas Olsson</title>
		<link>http://risktical.com/2008/09/03/risk-and-cvss-post-3/#comment-54</link>
		<dc:creator>Tomas Olsson</dc:creator>
		<pubDate>Wed, 03 Sep 2008 06:24:34 +0000</pubDate>
		<guid isPermaLink="false">http://risktical.wordpress.com/?p=62#comment-54</guid>
		<description>Hi, I think you have categorized the CVSS metrics quite well so far, but I am not sure that &quot;Report confidence&quot; fits into your categorization. I have interpreted &quot;Report confidence&quot; as an uncertainty factor about the available information. Maybe this metric is not easily mapped into FAIR terminology? It is kind of a meta-metric telling something about the correctness/uncertainty of the model with respect to the vulnerability. (I was the one originally asking the securitymetrics.org mailing list about CVSS)</description>
		<content:encoded><![CDATA[<p>Hi, I think you have categorized the CVSS metrics quite well so far, but I am not sure that &#8220;Report confidence&#8221; fits into your categorization. I have interpreted &#8220;Report confidence&#8221; as an uncertainty factor about the available information. Maybe this metric is not easily mapped into FAIR terminology? It is kind of a meta-metric telling something about the correctness/uncertainty of the model with respect to the vulnerability. (I was the one originally asking the securitymetrics.org mailing list about CVSS)</p>
]]></content:encoded>
	</item>
</channel>
</rss>
