RE: Intrusion Risk Assessment

From: Robert Buckley (rbuckley@synapsemail.com)
Date: 01/07/03

    From: Robert Buckley <rbuckley@synapsemail.com>
    To: 'Rob Shein' <shoten@starpower.net>, Robert_Huber@bankone.com, focus-ids@securityfocus.com
    Date: Tue, 7 Jan 2003 12:32:20 -0500

    Many people like to use this equation:

    Scale from -10 through +10:
    (lethality + criticality) - (net_defense + host_defense) = attack success rate
    where lethality is the level of compromise the attack offers,
    criticality defines the system's purpose (is it a core device or someone's workstation, etc.),
    and net_defense + host_defense are self-explanatory.

    I.e.
    Core Cisco router being attacked on the http port (there is a well known vulnerability here):
    (5 + 5) - (0 + 0) = 10
    The probability of a successful attack is 10.
    It was a lethal attack, on a core device, where I had no net defense, nor any host defense.
    Let's change the view...

    (5 + 5) - (5 + 5) = 0
    The probability of a successful attack is 0.
    It was a lethal attack, on a core device, but I have ACLs denying port 80 to this device, and the host doesn't run http services at all.

    One more example:
    netbios name mangling attack against a workstation:
    (2 + 1) - (0 + 5) = -2
    Lethality is a denial of service, criticality is low because it's a workstation.
    I have no net defense but am up to date on the patch that prevents the attack.
    The probability of success on this attack is -2.

    Of course, it's up to the individual to put values on the parameters, so one analyst may have a different result than the next.

    Hope this helps you.
    rb.

    -----Original Message-----
    From: Rob Shein [mailto:shoten@starpower.net]
    Sent: Monday, January 06, 2003 7:36 PM
    To: Robert_Huber@bankone.com; focus-ids@securityfocus.com
    Subject: RE: Intrusion Risk Assessment

    The problem with this is, define "damage." IDS systems are not aware of the nature of what they defend. An IIS exploit might be utterly useless against an apache web server, but the IDS is not intrinsically aware of which servers are apache and which are IIS. Add to that the fact that such severity levels as "minor damage" or "minimal access to recover" are dependent upon the information stored on a machine (which no current IDS could ever be cognizant of) as well as the role of that machine.

    > -----Original Message-----
    > From: Robert_Huber@bankone.com [mailto:Robert_Huber@bankone.com]
    > Sent: Monday, January 06, 2003 12:54 PM
    > To: focus-ids@securityfocus.com
    > Subject: Intrusion Risk Assessment
    >
    >
    > Anyone know of any IDS risk assessment matrixes out there?
    > I'm looking for something like the following:
    >
    > Rating  Severity         Criteria
    > 1       No Damage        a. Not possible to exploit (or)
    >                          b. No damage (or)
    >                          c. Hoax
    >
    > 2       Harassment       a. Possible damage, unconfirmed (or)
    >                          b. Temporarily shuts down services and/or temporarily prevents access to information
    >
    > 3       Minor Damage     a. Short-term impact (or)
    >                          b. Exploit allows access to view files (or)
    >                          c. Minimal effort required to recover
    >
    > 4       Moderate Damage  a. The exploit is easy to perform (or)
    >                          b. Important systems can be affected with administrative compromise (or)
    >                          c. Exploit allows full access to files (or)
    >                          d. Long-term effects, significant effort may be required to recover
    >
    > 5       Heavy Damage     a. The exploit is easy to perform (and)
    >                          b. An exploit will cause severe damage to multiple computers (and/or)
    >                          c. Requires reinstallation or recovery from backup
    >
    >
    > Robert Huber
    > Bank One Information Security
    > Phone: 302-282-2234
    > Pager: 888-646-3502
    >
    >
    >
    >
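The scoring equation from Robert Buckley's reply above, worked in code as an added example that is not part of the thread or of any list member's post. It assumes each factor is scored 0..5 (inferred from the -10..+10 scale and the three worked cases), and the Asset and Alert records, the per-factor range check and the triage ranking are all my own construction. It goes slightly beyond the post: it scores a constructed list of alerts and ranks them, and it includes the same NetBIOS signature against a patched and an unpatched workstation, which shows Rob Shein's point that the score depends on target context the IDS alone does not carry.

```python
from dataclasses import dataclass

# Each factor is scored 0..5 (assumption inferred from the post's -10..+10 scale
# and its worked examples), so the total ranges from -10 to +10.
SCALE_MIN, SCALE_MAX = 0, 5


@dataclass(frozen=True)
class Asset:
    """Target context the IDS alone does not have (hypothetical record, constructed here)."""
    name: str
    criticality: int   # 0 = disposable box, 5 = core device
    net_defense: int   # e.g. ACLs that block the attacked port
    host_defense: int  # e.g. patched, or the attacked service is not running


@dataclass(frozen=True)
class Alert:
    """An IDS alert joined to the asset it targets (hypothetical structure)."""
    signature: str
    lethality: int     # level of compromise the attack offers, 0..5
    target: Asset


def _checked(name: str, value: int) -> int:
    """Reject values outside the per-factor scale so a typo cannot silently skew the score."""
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{name}={value} is outside {SCALE_MIN}..{SCALE_MAX}")
    return value


def attack_success(lethality: int, criticality: int, net_defense: int, host_defense: int) -> int:
    """Buckley's equation: (lethality + criticality) - (net_defense + host_defense)."""
    offence = _checked("lethality", lethality) + _checked("criticality", criticality)
    defence = _checked("net_defense", net_defense) + _checked("host_defense", host_defense)
    return offence - defence


def score_alert(alert: Alert) -> int:
    """Score one alert using the criticality and defences of the asset it targets."""
    a = alert.target
    return attack_success(alert.lethality, a.criticality, a.net_defense, a.host_defense)


def triage(alerts) -> list:
    """Rank alerts for an analyst: highest attack-success score first."""
    scored = [(score_alert(al), al.signature, al.target.name) for al in alerts]
    return sorted(scored, key=lambda row: row[0], reverse=True)


# Constructed sample: the three cases from the post, plus the same NetBIOS
# signature against an unpatched workstation to show that asset context matters.
CORE_ROUTER_OPEN = Asset("core-router-1", criticality=5, net_defense=0, host_defense=0)
CORE_ROUTER_HARDENED = Asset("core-router-2", criticality=5, net_defense=5, host_defense=5)
WORKSTATION_PATCHED = Asset("ws-patched", criticality=1, net_defense=0, host_defense=5)
WORKSTATION_UNPATCHED = Asset("ws-unpatched", criticality=1, net_defense=0, host_defense=0)

SAMPLE_ALERTS = [
    Alert("Cisco HTTP vulnerability", lethality=5, target=CORE_ROUTER_OPEN),
    Alert("Cisco HTTP vulnerability", lethality=5, target=CORE_ROUTER_HARDENED),
    Alert("NetBIOS name mangling DoS", lethality=2, target=WORKSTATION_PATCHED),
    Alert("NetBIOS name mangling DoS", lethality=2, target=WORKSTATION_UNPATCHED),
]

if __name__ == "__main__":
    for score, sig, host in triage(SAMPLE_ALERTS):
        print(f"{score:+3d}  {sig:<28} {host}")
```

The ranking only becomes useful once the IDS alert is joined to an asset record; without that join the criticality and defence terms are guesses, which is exactly the gap the reply in this thread points out.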
