[Dailydave] smaller errors eroding situational awareness.

Christian Heinrich christian.heinrich at cmlh.id.au
Tue Aug 20 20:12:34 EDT 2013


Anton,

The core issue here is related to compliance, not security.

For instance, PCI DSS v2.0 Requirement 6.2 mandated that a "High" risk
vulnerability "... *may* include a CVSS base score of 4.0 or above ..."
[emphasis added].

Therefore, the likelihood of an unscheduled outage from implementing a
patch and/or workaround for a low- or medium-severity vulnerability is
outweighed by their risk appetite (i.e. lack of maturity within the
culture of the end user to support the processes related to the
implementation of workarounds and/or patching of vulnerabilities of low
and medium severity).

Hence, the end user's definition of a "high" risk vulnerability can be
reclassified as a much higher CVSSv2 Base Score than 4.0 because PCI
DSS permits this.

On Sat, Aug 17, 2013 at 6:32 AM, Anton Chuvakin <anton at chuvakin.org> wrote:
>> of prioritization for vulnerabilities. I've seen too many organizations
>> debate a CVSS score with our support team so they can get it moved off
>> of their mandate to patch everything with a CVSS score of X or higher.
>
> This, BTW, is NOT a joke :-)   In essence, many of these organizations
> will likely NOT learn any lessons from the directory traverse ownage,
> apart from "NVD can be wrong."  If they can fix/patch 500
> vulns/month, but their VA tool shows them 1000 Hs, 5000 Ms and
> infinity of Ls a week, their patching strategy won't suddenly change
> to "fix all Hs, Ms and Ls."  Exploitability may help them a bit, but I
> doubt it will "solve the problem."  After all, the Low severity vuln
> of "system responds to pings" is ...ahemmm.. exploitable as you can
> actually send the damn ping :-)


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact


More information about the Dailydave mailing list