RE: Vulnerability level definition

From: Rob Shein (shoten@starpower.net)
Date: Wed Feb 12 2003 - 13:33:10 EST


I disagree. The question isn't the severity of the compromise, but rather
the severity of the vulnerability. Many factors come into this, such as the
ease of exploitation and frequency of attempted exploitation. A good
example of a severe bug would be the unicode exploit on IIS; no firewall can
mitigate it (without voiding the point of the web server), anyone with a
browser can exploit it (no need to know offsets or write shellcode, it's the
ultimate script kiddie wet dream), it leads to root compromise very quickly
and everyone and their "kr3w" is looking for servers that are vulnerable to
it. Other examples of severe vulnerabilities might include those exploited
by worms. A lesser vulnerability would be the ability to establish NULL
sessions...if you have to worry about this in an attack from the outside,
you have bigger problems than tuning your IDS. Finally, some
vulnerabilities only incur a risk of DoS, which is usually less severe than
someone busting root on your network.

In risk management, we think in terms of likelihood of occurrence and impact
of event. Certain vulnerabilities are more likely to be exploited than
others, and some are worse than others, so these factors need to be
considered before someone can even begin to try to manage the risks.

> -----Original Message-----
> From: Damir Rajnovic [mailto:gaus@cisco.com]
> Sent: Wednesday, February 12, 2003 5:42 AM
> To: pen-test@securityfocus.com; security-basics@securityfocus.com
> Subject: Re: Vulnerability level definition
>
>
> At 22:57 11/02/2003 +0100, Per Niila Albinsson wrote:
> >There would also be a need for probability, which I do guess is very
> >subjective but does depend on the customer's environment. The probability
> >for someone exploiting a vulnerability would be large on a publicly
> >accessible server, medium for a server on the internal network, and low on
> >a network with no users.
>
> Amen to this. My personal belief is that one cannot say what
> is the severity of a bug. It all depends on how the equipment
> is used. It may not be much about if it is a large network or
> not but if that feature is used. Another question is "What is
> your data worth?". If some bug will expose something that
> is public anyway then it boils down to a nuisance. If it will
> expose your confidential data then it is very serious indeed.
> The vendor cannot know how a particular feature will be used
> in a customer's environment. Yes, a vendor may have some idea,
> but is it valid in all cases?
>
> Gaus
> ==============
> Damir Rajnovic <psirt@cisco.com>, PSIRT Incident Manager, Cisco Systems
> <http://www.cisco.com/go/psirt> Telephone: +44 7715 546 033
> 200 Longwater Avenue, Green Park, Reading, Berkshire RG2 6GB, GB
> ==============
> There are no insolvable problems. The question is can you accept the solution?
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/

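A worked example of the likelihood-times-impact view argued in this thread, added here and not part of any list member's post. It rates the same bug differently per deployment: exposure (public, internal, no users) and whether the vulnerable feature is in use drive likelihood, while what the bug gives up and what that data is worth drive impact. The factor names, numeric weights, bands and the sample vulnerabilities and hosts are all assumptions constructed for illustration, not a standard scoring scheme.

```python
"""Context-dependent vulnerability rating: the same bug, rated per deployment.

Added example (not from the list thread). Weights and bands are assumptions,
chosen so that exposure of the host dominates likelihood.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Vulnerability:
    name: str
    ease: Level        # HIGH = anyone with a browser, LOW = needs offsets/shellcode
    in_the_wild: bool  # actively scanned for or wormed
    effect: str        # "root", "data" (disclosure) or "dos"


@dataclass(frozen=True)
class Deployment:
    host: str
    exposure: Level          # HIGH public, MEDIUM internal network, LOW no users
    data_sensitivity: Level  # what the data on the box is worth
    feature_enabled: bool    # is the vulnerable feature actually in use?


def likelihood(v: Vulnerability, d: Deployment) -> Level:
    """Likelihood of exploitation: ease + exposure (double weight) + in-the-wild bonus."""
    if not d.feature_enabled:
        return Level.LOW  # vulnerable code path is not reachable; residual risk only
    points = v.ease + 2 * d.exposure + (1 if v.in_the_wild else 0)  # range 3..10
    if points >= 9:
        return Level.HIGH
    if points >= 7:
        return Level.MEDIUM
    return Level.LOW


def impact(v: Vulnerability, d: Deployment) -> Level:
    """Impact depends on what the bug gives up and what that is worth on this host."""
    if v.effect == "root":
        return Level.HIGH  # full control, regardless of the data on the box
    if v.effect == "data":
        return d.data_sensitivity  # public data: nuisance; confidential: serious
    if v.effect == "dos":
        # Availability matters most where serving the public is the point of the box
        return Level.MEDIUM if d.exposure == Level.HIGH else Level.LOW
    raise ValueError(f"unknown effect {v.effect!r}")


# Upper bound of likelihood x impact for each band (assumed thresholds)
RISK_BANDS = ((2, "Low"), (4, "Medium"), (6, "High"), (9, "Critical"))


def rate(v: Vulnerability, d: Deployment) -> tuple:
    """Return (likelihood, impact, risk band); risk is likelihood x impact."""
    lk, im = likelihood(v, d), impact(v, d)
    product = lk * im
    band = next(label for limit, label in RISK_BANDS if product <= limit)
    return lk, im, band


def rank(vulns, deployments):
    """Rate every (vulnerability, deployment) pair and return them worst first."""
    rows = []
    for v in vulns:
        for d in deployments:
            lk, im, band = rate(v, d)
            rows.append((lk * im, v.name, d.host, lk.name, im.name, band))
    return sorted(rows, reverse=True)


# Constructed sample input (not real inventory data); mirrors the thread's examples
SAMPLE_VULNS = [
    Vulnerability("IIS unicode traversal", Level.HIGH, True, "root"),
    Vulnerability("NULL session enumeration", Level.HIGH, False, "data"),
    Vulnerability("malformed packet crash", Level.MEDIUM, False, "dos"),
]
SAMPLE_HOSTS = [
    Deployment("www (public)", Level.HIGH, Level.MEDIUM, True),
    Deployment("intranet file server", Level.MEDIUM, Level.HIGH, True),
    Deployment("lab box, no users", Level.LOW, Level.LOW, True),
]

if __name__ == "__main__":
    for score, vuln, host, lk, im, band in rank(SAMPLE_VULNS, SAMPLE_HOSTS):
        print(f"{band:8} L={lk:6} I={im:6} {vuln} on {host}")
```

Running it lists the IIS bug as Critical on the public web server but only Medium on the isolated lab box, and the NULL session bug as High against the confidential file server but Low where the data is public anyway, which is the point both Per and Gaus make: the vendor's severity is only one input, and the customer's exposure and data value set the rest.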



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:28 EDT