Re: Vulnerability level definition

From: Per Niila Albinsson (per@same.net)
Date: Tue Feb 11 2003 - 16:57:27 EST


Hi

Perhaps you could be helped by VIGILANTe's classification:

---cut starts here---
High Risk
A high risk vulnerability provides direct access to an organization's private
assets, providing the potential for theft, deletion or alteration of those
assets.

Medium Risk
A medium risk vulnerability provides access to an organization's private
assets in combination with one or more other vulnerabilities. By exploiting
multiple medium risk vulnerabilities, an attacker will have the capability
for theft, deletion or alteration of an organization's assets.

VIGILANTe also considers denial-of-service attacks to be medium risk
vulnerabilities.

Low Risk
A low risk vulnerability does not lead directly to access of an
organization's private assets, but provides excessive information that
might help an attacker gain unauthorized access.
---cut ends here---

Source: http://www.vigilante.com/securescan/perimeter/sample_report/

I do believe there would also be a need for classification of whether a
vulnerability could be exploited remotely and/or locally.

There would also be a need for probability, which I guess is very subjective
but does depend on the customer's environment. The probability of someone
exploiting a vulnerability would be large on a publicly accessible server,
medium for a server on the internal network, and low on a network with no
users.

Best regards,

Per Niila Albinsson

On Tuesday 11 February 2003 17.40, artiman@insightbb.com wrote:
> I need a good definition for the levels of severity related with
> vulnerabilities.
> I'm using Very High, High, Mid, Low, Warning.
>
> Any documentation, definition or Internet URL will be appreciated
>
> Tks
>
> Andres M
>
>
>
> ---------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/

-- 
=====================
Per Niila Albinsson
per@same.net
=====================

