RE: mapping vulnerabilities into high medium low risk

From: Robert E. Lee (robert_at_dyadsecurity.com)
Date: 09/17/03

  • Next message: Shackleford, Dave: "RE: mapping vulnerabilities into high medium low risk" 
    Date: Wed, 17 Sep 2003 09:38:51 -0700
To: "pen-test@securityfocus.com" <pen-test@securityfocus.com>

    > Anyone know any open source methodology about categorizing
    > vulnerabilities? When doing a Pent Test, I need to categorize a
    particular
    > vulnerability into high medium or low risk. These vulnerabilities may
    be a
    > web application vulnerability or may be a new system vuln that has yet
    to
    > be discovered. So is there any open source methodology that give you a
    > guide to how to categorize the vuln?
     
    High/medium/low risk definitions in the documentation after a pen-test
    tend to be subjective and change depending on the individual client.   A
    way to classify vulnerabilities in a High/Medium/Low format is to first
    understand the information criticality to the organization you are
    testing, and then create consistent definitions that include time and
    financial loss components. The definitions provide the context to
    understand why it is a High/Medium/Low problem for that organization.
     
    Through an Open Source initiative (OSSTMM), ISECOM has been working on
    an alternative way of representing the level of risk to the organization
    based on what was tested and the time context of when it was tested. 
    This is a partial paste of what we’ve come up with so far.  Any/all
    feedback & assistance in improving upon this base is greatly
    appreciated.
     
    Risk Assessment Values
    Integrated with each OSSTMM module are Risk Assessment Values (RAVs)
    which are defined as the degradation of security (or escalation of risk)
    over a specific life cycle based on best practices for periodic testing.
    The association of risk levels with cycles has proven to be an effective
    procedure for security metrics.
     
    The concepts of security metrics in this manual are to:
          ••Establish a standard time cycle for testing and retesting
            ••Maintain a measurable level of risk based on the degradation
    of
            security (escalation of risk) which occurs naturally, with time
          ••The ability to measure risk with consistency and detail both
    before
            and after testing.
     
    Unlike conventional risk management, the RAVs operate purely on the
    application of security within an organization. They take into
    consideration the controls such as the processes, politics, and
    procedures by operating in parallel with the testing methodology. While
    the testing methodology does examine these controls sometimes in an
    indirect nature, the actual controls do not interest the tester rather
    it is the application of these controls that determine the results of a
    security test. A well written policy which is not followed will have no
    effect on actual security.
     
    RAVs are determined mathematically by the following factors:
    1. The degrees of degradation of each separate module from point of
    optimum health measured from a theoretical maximum of 100% for risk
    management purposes,
     
    2. The cycle which determines the maximum length of time it takes for
    the degradation to degrade its full percentage value (degradation) based
    on security best practices and consensus,
     
    3. The influence of other modules performed or not performed,
     
    4. Weights established by the Security Dimensions,
     
    5. The type of risk as designated by the OSSTMM Risk Types and whether
    the risk has been:
          a. Identified but not investigated or investigation provided
    varied
            and unclear results,
          b. Verified as in clearly positive or exploitable, or,
            c. Not applicable in that it does not exist because the
    infrastructure
            or that security mechanism does not exist.
     
    Risk Types
    Whereas the risk types appear to be subjective, the classification of
    risks to the following types is in actuality mostly objective when
    following the framework of the OSSTMM. Future versions will assure this
    is CVE compatible.
     
    Vulnerability
    A flaw inherent in the security mechanism itself or which can be reached
    through security safeguards that allows for privileged access to the
    location, people, business processes, and people or remote access to
    business processes, people, infrastructure, and/or corruption or
    deletion of data.
     
    A vulnerability may be a metal in a gate which becomes brittle below 0º
    C, a thumbprint reader which will grant access with rubber fingers, an
    infrared device that has no authentication mechanism to make
    configuration changes, or a translation error in a web server which
    allows for the identification of a bank account holder through an
    account number.
     
    Weakness
    A flaw inherent in the platform or environment of which a security
    mechanism resides in, a misconfiguration, survivability fault, usability
    fault, or failure to meet the requirements of the Security Posture. A
    weakness may be a process which does not save transaction data for the
    legal time limit as established by regional laws, a door alarm which
    does not sound if the door is left open for a given amount of time, a
    firewall which returns ICMP host unreachable messages for internal
    network systems, a database server that allows unfiltered queries, or an
    unlocked, unmonitored entrance into a otherwise secured building.
     
    Information Leak
    A flaw inherent in the security mechanism itself or which can be reached
    through security safeguards which allow for privileged access to
    privileged or sensitive information concerning data, business processes,
    people, or infrastructure. An information leak may be a lock with the
    combination available through audible signs of change within the lock’s
    mechanisms, a router providing SNMP information about the target
    network, a spread*** of executive salaries for a private company, the
    private mobile telephone number of the marketing staff, or a website
    with the next review date of an organization’s elevators.
     
    Concern
    A security issue which may result from not following best practices
    however does not yet currently exist as a danger. A concern may be
    FINGERD running on a server for an organization that has no business
    need for the FINGER service, a guarded doorway which requires the
    watchman to leave the door to apprehend a trespasser with no new guard
    to replace the one who left and maintain a presence at the door, or
    employees who sit with their monitors and whiteboards viewable from
    outside the perimeter security.
     
    Unknowns
    An unidentifiable or unknown element in the security mechanism itself or
    which can be reached through security safeguards that currently has no
    known impact on security as it tends to make no sense or serve any
    purpose with the limited information the tester has.
     
    An unknown may be an unexpected response possibly from a router in a
    network that is repeatable and may indicate network problems, an
    unnatural radio frequency emanating from an area within the secure
    perimeter however offers no identification or information, or a
    spread*** which contains private data about a competing company.
     
    Hope this helps,
     
    Robert

    Robert E. Lee
    CTO
     
    3400 Irvine Ave, Building 118
    Newport Beach, Ca 92660
    T (949) 486-6600
    F (949) 486-6001
    robert@dyadsecurity.com

    ---------------------------------------------------------------------------
    FREE Trial!
    New for security consultants and in-house pros: FOUNDSTONE PROFESSIONAL
    and PROFESSIONAL TL software. Fast, reliable vulnerability assessment
    technology powered by the award-winning FoundScan engine. Try it free for 21 days at: http://www.securityfocus.com/sponsor/Foundstone_pen-test_030825
    ----------------------------------------------------------------------------

  • Next message: Shackleford, Dave: "RE: mapping vulnerabilities into high medium low risk"
    • Quantcast