riskanalysis

riskanalysis [2017/10/24 15:23]
lallodi [Vulnerability remediation]
riskanalysis [2017/10/24 15:23]
lallodi [Vulnerability remediation]
Line 11: Line 11:
   - introduce new vulnerabilities.   - introduce new vulnerabilities.
  
-The IT response to that is, in general: “any severe-enough vulnerability must be fixed”. The industry standard to measure vulnerability severity is the Common Vulnerability Scoring System (CVSS) by NIST, but this is known to be uncorrelated with actual exploits [[http://​www.win.tue.nl/​~lallodi/​allodi-tissec-14.pdf|(Allodi TISSEC 2014)]]. The Figure on the side {{ :​imgs:​riskanalysis:​vulnvens.png?​nolink&​280|}} depicts a Venn Diagram distribution of vulnerabilities (NVD), vulnerabilities with a Proof-of-Concept exploit (EDB), vulnerabilities in the black markets (EKITS), and vulnerabilities exploited at scale (SYM). Areas are proportional to number of vulnerabilities,​ and color mappings match High (red), Medium (yellow), Low (blue) CVSS severities [[http://​nvd.nist.gov|(NVD)]]. As one can see, CVSS severities do not appear to be good predictors for probability of inclusion in SYM, an insight that remains valid also after more formally controlling for possible  +The IT response to that is, in general: “any severe-enough vulnerability must be fixed”. The industry standard to measure vulnerability severity is the Common Vulnerability Scoring System (CVSS) by NIST, but this is known to be uncorrelated with actual exploits [[http://​www.win.tue.nl/​~lallodi/​allodi-tissec-14.pdf|(Allodi ​et al. TISSEC 2014)]]. The Figure on the side {{ :​imgs:​riskanalysis:​vulnvens.png?​nolink&​280|}} depicts a Venn Diagram distribution of vulnerabilities (NVD), vulnerabilities with a Proof-of-Concept exploit (EDB), vulnerabilities in the black markets (EKITS), and vulnerabilities exploited at scale (SYM). Areas are proportional to number of vulnerabilities,​ and color mappings match High (red), Medium (yellow), Low (blue) CVSS severities [[http://​nvd.nist.gov|(NVD)]]. As one can see, CVSS severities do not appear to be good predictors for probability of inclusion in SYM, an insight that remains valid also after more formally controlling for possible  
-confounding factors [[http://​www.win.tue.nl/​~lallodi/​allodi-tissec-14.pdf|(Allodi TISSEC 2014)]].+confounding factors [[http://​www.win.tue.nl/​~lallodi/​allodi-tissec-14.pdf|(Allodi ​et al. TISSEC 2014)]].
  
 This led to poor vulnerability management practices whereby vulnerability patching work is overwhelmed by the huge number of patches to install, that cannot however be straightforwardly applied because of the concerns outlined above. ​ This led to poor vulnerability management practices whereby vulnerability patching work is overwhelmed by the huge number of patches to install, that cannot however be straightforwardly applied because of the concerns outlined above. ​
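Review bot: the hunk changes only the author form of the citation ("Allodi TISSEC 2014" to "Allodi et al. TISSEC 2014") and does so in both places the paper is cited, which is consistent; while this sentence is being edited, the phrase "the Common Vulnerability Scoring System (CVSS) by NIST" deserves a second look, since the NVD link later in the same paragraph is the NIST resource, whereas the CVSS standard itself is maintained by FIRST, not NIST. The same link is also cited twice in one paragraph; a single named reference would read more cleanly in the wiki markup.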
riskanalysis.txt · Last modified: 2017/10/24 15:24 by lallodi