nCircle.com >> 360 Security


Vulnerability Scoring (Part II): Remembering your Audience

NIAC presented their previously described new vulnerability scoring system at RSA today. I wasn't in the room myself, but have heard a couple of first-hand accounts so far - also, I had seen one of the earlier NIAC drafts.

The scoring system definitely has a couple of good points: it differentiates authenticated from unauthenticated vulnerabilities, and it recognizes the attack vector as a key component of severity. They also made many of the same choices we made 5 years ago: treating the complexity of the attack as an important factor, treating depth of access as the fundamental component of risk, and so on.

However, I believe that they made a fundamental error when it comes to the temporal component of their metric: they forgot the audience. The temporal component of the new scoring system works to reduce the score from day #1 until day #n - that is, the vulnerability gets less severe as time marches forward.

This is true in a very global sense: as enterprises patch a vulnerability, it becomes less severe from a global perspective because it becomes less widespread.

However, this metric isn't designed to talk about the global severity of the vulnerability - it's designed to assist end-users in their decisions on how to patch. Because of this, the thinking above is absolutely backwards.

While a vulnerability may be globally less severe with time because the number of unpatched instances shrinks, the number of available tools and exploit vectors continues to grow (albeit at a slower rate) with each additional day that the vulnerability is publicly known. This should be obvious to anyone who has ever done a penetration test: a brand new Solaris vulnerability is less likely to have a working exploit than the 4-year-old Solaris RPC vulnerability. I always loved it when I found a box that was unpatched against older exploits - it made my life easier.

Just like it makes the life of any attacker easier.

This metric (much like our own scoring system) is designed to prioritize patching - as I see it, the vulnerabilities that make it easiest for an attacker to compromise YOUR network are the ones that deserve the highest priority, regardless of their global significance.

That will always be the oldest, best known ones.

Because of that, the new CVSS (Common Vulnerability Scoring System) is doomed to fail to actually do what it's supposed to do best - allow customers to protect their networks from attackers.
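To make the disagreement concrete, here is an added illustrative model written for this page; it is not the NIAC draft's formula, not CVSS, and not nCircle's scoring system. It ranks a small constructed inventory two ways: once with a "global" temporal score that decays with the age of the vulnerability (the behaviour the post describes), and once with a defender-oriented score that tracks exploit maturity instead. The half-life, the exploit-maturity weights and the three vulnerabilities are all assumptions chosen to show the effect.

```python
from dataclasses import dataclass

# Constructed, hypothetical inventory: names, scores and ages are made up
# for illustration and do not correspond to any real CVE or product.
@dataclass(frozen=True)
class Vuln:
    name: str
    base: float            # base severity 0..10, assumed already computed
    age_days: int          # days since public disclosure
    exploit_maturity: str  # "unproven", "poc", "functional" or "weaponized"


def global_temporal_score(v: Vuln, half_life_days: int = 365) -> float:
    """Decay model as the post characterises the draft: the score halves every
    half_life_days on the theory that the global unpatched population shrinks.
    The exponential form and the 365-day half-life are assumptions."""
    return round(v.base * 0.5 ** (v.age_days / half_life_days), 2)


# Assumed weights: an unpatched host faces more risk as public tooling matures.
EXPLOIT_FACTOR = {"unproven": 0.6, "poc": 0.8, "functional": 0.95, "weaponized": 1.0}


def defender_score(v: Vuln) -> float:
    """Defender-oriented model: severity for a host that is still unpatched
    scales with exploit maturity, which tends to grow with age, never shrink."""
    return round(v.base * EXPLOIT_FACTOR[v.exploit_maturity], 2)


def prioritize(vulns, scorer):
    """Return vulnerability names in the order a patching team would work them."""
    return [v.name for v in sorted(vulns, key=scorer, reverse=True)]


def score_after_waiting(v: Vuln, extra_days: int, scorer) -> float:
    """What the same scorer says about the same host after it has waited
    extra_days longer to patch (exploit maturity held constant)."""
    later = Vuln(v.name, v.base, v.age_days + extra_days, v.exploit_maturity)
    return scorer(later)


INVENTORY = [
    Vuln("new-solaris-bug", 9.0, 7, "unproven"),          # disclosed last week
    Vuln("old-solaris-rpc", 9.0, 4 * 365, "weaponized"),  # the 4-year-old one
    Vuln("mid-age-webapp", 7.0, 180, "functional"),
]

if __name__ == "__main__":
    print("decay model   :", prioritize(INVENTORY, global_temporal_score))
    print("defender model:", prioritize(INVENTORY, defender_score))
    old = INVENTORY[1]
    print("old RPC bug after waiting another year, decay model:",
          score_after_waiting(old, 365, global_temporal_score))
```

Under the decay model the week-old bug with no public exploit ranks first and the weaponized four-year-old RPC bug ranks last, and simply waiting another year lowers the RPC bug's score further. The defender model ranks the RPC bug first, and waiting never reduces its score. Which ordering is right depends on who the score is for, which is the point of the post.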

Comments (1)

Tim Erlin:

The clearest evidence of this flaw is that the longer one waits to patch their vulnerabilities, the more their overall risk improves.

I'm hard pressed to think of a scenario in which failure to patch should result in decreased risk.


About

This page contains a single entry from the blog posted on February 17, 2005 8:00 PM.
