[Dailydave] smaller errors eroding situational awareness.

Ron Gula rgula at tenable.com
Fri Aug 16 15:36:08 EDT 2013


Examples like this are why I push the "exploitability" field as a form
of prioritization for vulnerabilities. I've seen too many organizations
debate a CVSS score with our support team so they can get it moved off
of their mandate to patch everything with a CVSS score of X or higher.

Ron 

On 8/16/13 2:38 PM, "Dave Aitel" <dave at immunityinc.com> wrote:

>Related Twitter threads here:
>https://twitter.com/carnal0wnage/status/367734642213801985
>https://twitter.com/SelsRoger/status/367751020442832897
>
>One thing you should pay attention to, as someone who works in IT
>security is how the various assumptions change over time. It used to be
>that managing your network security was how well you used a few simple
>product types. Essentially we had network sniffers and network scanners
>of various sorts, along with the signature-based AVs. Most enterprises
>remember having tons of network sniffer monkeys looking at logs and
>sniffer alerts and then trying to use that to generate some level of
>activity. But that turns out to be mindbogglingly expensive, and
>ineffective as we have all learned the hard way.
>
>This then changed into how well you integrate and analyze information
>from these tools. The SIEM was born. The downside being that sorting
>through massive amounts of noise to find tiny signals is by definition
>expensive, no matter how good your tool is.
>
>This is also true on the assessment side - small errors can add up to
>cloud your situational awareness. For example, in the below referenced
>Twitter stream you can see a penetration tester scanning a network using
>a vulnerability assessment tool, which then marks a potential ColdFusion
>bug as "medium". Part of this is because the National Vulnerability
>Database marked it as having a CVSS score of 7.5, despite it being a
>remote, unauthenticated, SYSTEM-level vulnerability.
>
>That said, if all you had was the Vulnerability Assessment data, you
>would probably relegate fixing this weakness to "when I get around to
>it", which would explain all the nicely vulnerable ColdFusion boxes on
>the Interwebs. 
>
>So my conclusion here is that despite all thoughts to the contrary, CVSS,
>the NVD, and hence vulnerability risk rankings, do, in fact, matter.
>
>-dave
>
>As a post-script, Nessus has updated their score on this particular
>vulnerability. I emailed the NVD about it too.
>
>
>



More information about the Dailydave mailing list