riskanalysis
Differences
This shows you the differences between two versions of the page.
riskanalysis [2017/10/24 12:56] – [Vulnerability remediation] lallodi | riskanalysis [2021/01/10 21:04] (current) – external edit 127.0.0.1 | ||
---|---|---|---|
Line 11: | Line 11: | ||
- introduce new vulnerabilities. | - introduce new vulnerabilities. | ||
- | The IT response to that is, in general: “any severe-enough vulnerability must be fixed”. The industry standard to measure vulnerability severity is the Common Vulnerability Scoring System (CVSS) by NIST, but this is known to be uncorrelated with actual exploits [[http:// | + | The IT response to that is, in general: “any severe-enough vulnerability must be fixed”. The industry standard to measure vulnerability severity is the Common Vulnerability Scoring System (CVSS) by NIST, but this is known to be uncorrelated with actual exploits [[http:// |
- | confounding factors [[http:// | + | confounding factors [[http:// |
This led to poor vulnerability management practices whereby vulnerability patching work is overwhelmed by the huge number of patches to install, that cannot however be straightforwardly applied because of the concerns outlined above. | This led to poor vulnerability management practices whereby vulnerability patching work is overwhelmed by the huge number of patches to install, that cannot however be straightforwardly applied because of the concerns outlined above. | ||
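Review bot: the changed line describes the "Common Vulnerability Scoring System (CVSS) by NIST", which misattributes the standard. CVSS is maintained by FIRST; NIST's NVD publishes CVSS scores for CVE entries but does not own the specification. Suggest wording along the lines of "the Common Vulnerability Scoring System (CVSS), maintained by FIRST and used by NIST's NVD". The same line claims CVSS is "known to be uncorrelated with actual exploits" and relies on a link whose target is cut off in this view on both sides, so confirm that the reference still resolves after this edit and that the cited work supports "uncorrelated" rather than a weaker statement.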
Line 25: | Line 25: | ||
Cyber-attacks can be roughly classified in two categories: | Cyber-attacks can be roughly classified in two categories: | ||
- | - **Targeted cyber-attacks**: | + | - **Targeted cyber-attacks**: |
- **Untargeted cyber-attacks**: | - **Untargeted cyber-attacks**: | ||
riskanalysis.1508842619.txt.gz · Last modified: 2021/01/10 20:59 (external edit)