Tuesday, May 03, 2005

There's more coming out of the Forum of Incident Response and Security Teams (FIRST) these days now they've updated their Web page! I just read an announcement that the Department of Homeland Security has named FIRST the custodian of the Common Vulnerability Scoring System (CVSS). CVSS is a way to quantify the severity of a vulnerability using three groups: a base metric group, a temporal group, and an environmental group. The sample scoring shows some of the values for recent vulnerabilities.

The definitive documents on CVSS are available on the FIRST CVSS site. I think this system will have some legs, so keep an eye on it. My only concern is that some documents which explain CVSS confuse threats with vulnerabilities -- a common theme on this blog. Consider the following:

"Current scoring systems, in use by the Computer Emergency Response Team/Coordination Center (CERT/CC), Symantec, Internet Security Systems, Cisco Systems, and others, rate vulnerabilities according to a variety of metrics and determine a single overall threat score by weighing these metrics."

They shouldn't say "threat score"; they mean "vulnerability score."

Further in the document we read this:

"Common causes of vulnerabilities are design flaws in software and hardware, botched administrative processes, lack of awareness and education in information security, technological advancements or improvements to current practices, any of which may result in real threats to mission-critical information systems."

Again, there's no threat here. A threat is a party with the capabilities and intentions to exploit a vulnerability. Either "vulnerabilities" or "risks" is more appropriate here.

Another case:

"Potential Threat: These are vulnerabilities that are dependent on the exploitation of other vulnerabilities before they become a risk."

Argh, this is even worse, as it defines a threat as a vulnerability. Wrong again.

"Real-time Attack Scoring: CVSS does not have any capacity for tracking the threats posed by the ongoing exploitation of vulnerabilities."

They probably mean "risks" here.

"A vulnerability that is remotely exploitable is considered to be a higher risk threat than one that is only locally exploitable, since the pool of potential attackers is greater."

Great, all three terms are mixed up here. Delete "threat" from the sentence and it makes more sense.

So what is the document I've been citing? It's the National Infrastructure Advisory Council, in their final recommendations and report on CVSS available in .pdf form here. At the time the report was written, John Chambers (CEO of Cisco) and John Thompson (CEO of Symantec) were in charge. I would expect them to exercise a little more intellectual rigor on the documents their group produces. I have no expectations at all that a report headed by someone like my favorite graduate professor Phil Zelikow would make these sorts of amateur mistakes!

While on the subject of vulnerabilities, it's worth noting the release of the latest SANS Most Critical New Vulnerabilities Discovered or Patched During the First Quarter of 2005. Let's see if they can keep threats and vulnerabilities as distinct ideas:

"However, since new Internet threats are discovered daily, user organizations that rely on the Top20 as a list of high priority threats have been asking for more frequent updates."

I guess not. In both cases they mean vulnerabilities here. Nothing has changed since I last reported on this semantic muddle. Oh well.


Göran said...

Hi Richard, first I'd like to congratulate you on your terrific book, and this blog.

Related to your post, I'm using the risk=threat*vuln*asset - equation in my thesis, with reference to your book. I wonder, is this formula frequently used? I'd like to have some good reference-material, do you know of any?


Richard Bejtlich said...

Hello Goran,

That formula is used a lot. I don't think I cited any sources in my book. I don't really have time to track any down now. I suggest searching for "risk equation" along with the words threat and vulnerability.

Göran said...

Thanks for your response Richard.

I didn't mean for you to go google-hunting for me :) , but I thought you'd might know (by being a military officer and all) government/military sources that explains the formula. I have some good reference that explains the formula (your book for instance). I'll keep digging.. thanks