[Dailydave] smaller errors eroding situational awareness.

Christey, Steven M. coley at mitre.org
Fri Aug 16 18:59:51 EDT 2013


CVSS and, IMNSHO, the industry as a whole are not yet prepared to accurately score "vulnerability chains" that involve multiple lower-severity vulnerabilities that can be combined in a way that makes a more severe attack possible.  Schneier's original attack tree vision is coming true, but we don't know what to do with it.  CVSS version 2 documentation explicitly instructs people to score a vulnerability in isolation, and that recommendation is partially my fault (in my defense, it was about a decade ago, and at the time I did not realize that as in the "circle of life" of The Lion King movie, there is also the Circle of Technical Impacts which implies that everything *could* lead to a 10.0, which is not particularly helpful for risk assessment.  I leave it up to Dave to make this all about Buffy.)

Jericho and I touched on this challenge a little bit when we said that "Vulns are gonna get weirder" in our Black Hat presentation on why vulnerability statistics suck (slide 79), plus there is the general theme of CVSS's limitations for risk assessment by various presenters in the past year or two.  Unfortunately, the number of people who complain about CVSSv2 is exponentially smaller than the number of people who are actively contributing to the development of CVSSv3 which is ongoing, but I digress into uncomfortable observations.

i.e.: combinations of multiple "issues," independent of their severity when evaluated in isolation, will likely become more prominent over the years (look at Pwn2Own as an example).

To whoever solves or attempts to solve this problem: you probably won't get any love in terms of press attention, but from the defense perspective, it's kind of critical in the coming years/decades to figure out how to assign a single risk score to vulnerability/attack chains, or otherwise combine them in a way that allows decision-makers to... ummmm... make well-informed decisions.

- Steve Christey (CVSSv2 apologist 4eva)


>-----Original Message-----
>From: dailydave-bounces at lists.immunityinc.com [mailto:dailydave-
>bounces at lists.immunityinc.com] On Behalf Of Dave Aitel
>Sent: Friday, August 16, 2013 2:38 PM
>To: dailydave at lists.immunityinc.com
>Subject: [Dailydave] smaller errors eroding situational awareness.
>
>Related Twitter threads here:
>https://twitter.com/carnal0wnage/status/367734642213801985
>https://twitter.com/SelsRoger/status/367751020442832897
>
>One thing you should pay attention to, as someone who works in IT security is
>how the various assumptions change over time. It used to be that managing
>your network security was how well you used a few simple product types.
>Essentially we had network sniffers and network scanners of various sorts,
>along with the signature-based AVs. Most enterprises remember having tons
>of network sniffer monkeys looking at logs and sniffer alerts and then trying to
>use that to generate some level of activity. But that turns out to be
>mindbogglingly expensive, and ineffective as we have all learned the hard
>way.
>
>This then changed into how well you integrate and analyze information from
>these tools. The SIEM was born. The downside being that sorting through
>massive amounts of noise to find tiny signals is by definition expensive, no
>matter how good your tool is.
>
>This is also true on the assessment side - small errors can add up to cloud your
>situational awareness. For example, in the below referenced Twitter stream
>you can see a penetration tester scanning a network using a vulnerability
>assessment tool, which then marks a potential ColdFusion bug as "medium".
>Part of this is because the National Vulnerability Database marked it as having
>a CVSS score of 7.5, despite it being a remote, unauthenticated, SYSTEM-level
>vulnerability.
>
>That said, if all you had was the Vulnerability Assessment data, you would
>probably relegate fixing this weakness to "when I get around to it", which
>would explain all the nicely vulnerable ColdFusion boxes on the Interwebs.
>
>So my conclusion here is that despite all thoughts to the contrary, CVSS, the
>NVD, and hence vulnerability risk rankings, do, in fact, matter.
>
>-dave
>
>As a post-script, Nessus has updated their score on this particular vulnerability.
>I emailed the NVD about it too.
>
>