Over the years, I've seen and used a wide range of methods to evaluate and explain the risks associated with a particular security threat or vulnerability.
Depending on the audience and the environment evaluated, there is frequently a need to reclassify the severity of a finding. This is particularly relevant when making use of findings derived from automated security tools.
A pet hate I've always had relates to consultants who insist upon producing client reports by mindlessly copying tool-discovered vulnerability information without any reflection upon the environmental context of the security assessment. By failing to incorporate this information in their analysis, they can cause confusion and might even weaken an organisation's security when the client diverts valuable resources to address incorrectly prioritised risks.
The output of these automated tools, while often providing extremely detailed information about each and every vulnerability uncovered, should only be used as a guide for remediation, not for prioritisation. Even though the descriptions invariably include a "risk" value, it is made without any contextual understanding and really only represents the impact of exploitation.
This tool-based "risk" value, while not necessarily accurate enough for prioritisation, still forms a solid basis for understanding the significance of a security finding, assuming it comes from a reliable source.
The source caveat is important. Each assessment tool will rate a vulnerability's risk differently, depending on the original source of the information, the research that went into its evaluation, and the ranking system used (three-tier: high, medium, low; four-tier: critical, high, medium, low).
If one tool evaluates the risk of a vulnerability as high in a three-tier ranking system, while another evaluates the same vulnerability as critical based upon their four-tier system, is it high or critical?
The same confusion arises with the original vulnerability advisories. It is not uncommon for the first discoverer of a vulnerability to rank its risk higher than that claimed on the affected vendor's advisory publication.
All this could soon change. There is growing momentum behind the adoption of a new, more consistent vulnerability scoring mechanism – the Common Vulnerability Scoring System (CVSS).
CVSS is a framework that is designed to be used by vendors, consultants and clients alike to calculate a composite score for a vulnerability based upon severity and risk. Using 12 evaluation metrics split into three groups, CVSS should provide a consistent platform for calculation and incorporates both temporal and environmental data to arrive at a score.
Once security tools support CVSS, we should see a change in the way in which organisations manage vulnerability prioritisation and remediation. Vulnerability assessment tools will then be able to provide the seven metrics that make up the base group score – this includes static information such as the access vector, access complexity, authentication requirements, and the traditional risk-management confidentiality, integrity and availability (CIA) impact values.
Temporal data, such as whether exploit material or proof-of-concept code is loose and whether vendor patches or work-around processes are available, is used to formulate the Temporal Metric Group. This group factors in events that might affect the urgency of the threat posed by the vulnerability, and this information in turn will need to be supplied by trusted vulnerability research teams and evaluated almost daily to accurately reflect the threat.
Environmental, the last metric group, must be evaluated in the context of each organisation, as it factors in collateral damage potential and target distribution.
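To make the three-group calculation concrete, here is an added worked example (not code from the column or from any CVSS body) that scores two constructed findings for one organisation and orders them for remediation. The column gives no formula; the metric weights and the three equations below are reproduced from memory of the original 12-metric CVSS v1 specification that the column describes, and should be read as this example's assumption rather than as the article's data. The finding names and every metric value assigned to them are constructed for illustration.

```python
"""Three-group vulnerability scoring in the style of the original (2005) CVSS v1.

Added example, not code from the article. The metric weights and the three
equations below are reproduced from memory of the CVSS v1 specification (the
12-metric version the column describes); the column itself gives no formula,
so treat them as an assumption of this example, not as the article's data.
"""
from decimal import Decimal, ROUND_HALF_UP

# Base metric group: properties of the vulnerability that do not change over time.
ACCESS_VECTOR = {"local": "0.7", "remote": "1.0"}
ACCESS_COMPLEXITY = {"high": "0.8", "low": "1.0"}
AUTHENTICATION = {"required": "0.6", "not_required": "1.0"}
IMPACT = {"none": "0", "partial": "0.7", "complete": "1.0"}  # used for C, I and A
IMPACT_BIAS = {  # weights applied to (confidentiality, integrity, availability)
    "normal": ("0.333", "0.333", "0.333"),
    "confidentiality": ("0.5", "0.25", "0.25"),
    "integrity": ("0.25", "0.5", "0.25"),
    "availability": ("0.25", "0.25", "0.5"),
}

# Temporal metric group: threat factors that change as exploits and fixes appear.
EXPLOITABILITY = {"unproven": "0.85", "proof_of_concept": "0.9",
                  "functional": "0.95", "high": "1.0"}
REMEDIATION_LEVEL = {"official_fix": "0.87", "temporary_fix": "0.90",
                     "workaround": "0.95", "unavailable": "1.0"}
REPORT_CONFIDENCE = {"unconfirmed": "0.90", "uncorroborated": "0.95", "confirmed": "1.0"}

# Environmental metric group: what the same vulnerability means to one organisation.
COLLATERAL_DAMAGE = {"none": "0", "low": "0.1", "medium": "0.3", "high": "0.5"}
TARGET_DISTRIBUTION = {"none": "0", "low": "0.25", "medium": "0.75", "high": "1.0"}


def _round1(value):
    """Round to one decimal, halves up, using Decimal so results are reproducible."""
    return Decimal(value).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)


def base_score(av, ac, au, conf, integ, avail, bias="normal"):
    """Score the vulnerability on its own: 10 * AV * AC * Au * weighted CIA impact."""
    wc, wi, wa = (Decimal(w) for w in IMPACT_BIAS[bias])
    impact = (Decimal(IMPACT[conf]) * wc + Decimal(IMPACT[integ]) * wi
              + Decimal(IMPACT[avail]) * wa)
    return _round1(Decimal(10) * Decimal(ACCESS_VECTOR[av])
                   * Decimal(ACCESS_COMPLEXITY[ac]) * Decimal(AUTHENTICATION[au]) * impact)


def temporal_score(base, exploitability, remediation, confidence):
    """Scale the base score by exploit maturity, fix availability and report confidence."""
    return _round1(Decimal(base) * Decimal(EXPLOITABILITY[exploitability])
                   * Decimal(REMEDIATION_LEVEL[remediation])
                   * Decimal(REPORT_CONFIDENCE[confidence]))


def environmental_score(temporal, collateral, distribution):
    """Adjust for collateral damage potential and how widely the target is deployed."""
    t = Decimal(temporal)
    cdp = Decimal(COLLATERAL_DAMAGE[collateral])
    td = Decimal(TARGET_DISTRIBUTION[distribution])
    return _round1((t + (Decimal(10) - t) * cdp) * td)


def score_finding(finding):
    """Return (base, temporal, environmental) for one finding in one organisation."""
    b = base_score(**finding["base"])
    t = temporal_score(b, **finding["temporal"])
    e = environmental_score(t, **finding["environmental"])
    return b, t, e


def prioritise(findings):
    """Order findings for remediation by environmental score, highest first."""
    rows = [(f["name"], *score_finding(f)) for f in findings]
    return sorted(rows, key=lambda row: row[3], reverse=True)


# Constructed sample findings (hypothetical, not from any real advisory) for one
# organisation: a tool would rank the second finding higher on base score alone.
SAMPLE_FINDINGS = [
    {
        "name": "partial-impact flaw on a widely deployed service",
        "base": dict(av="remote", ac="low", au="not_required",
                     conf="partial", integ="partial", avail="partial"),
        "temporal": dict(exploitability="proof_of_concept",
                         remediation="official_fix", confidence="confirmed"),
        "environmental": dict(collateral="high", distribution="high"),
    },
    {
        "name": "full-compromise flaw on a rarely deployed product",
        "base": dict(av="remote", ac="low", au="not_required",
                     conf="complete", integ="complete", avail="complete"),
        "temporal": dict(exploitability="unproven",
                         remediation="unavailable", confidence="confirmed"),
        "environmental": dict(collateral="none", distribution="low"),
    },
]

if __name__ == "__main__":
    for name, b, t, e in prioritise(SAMPLE_FINDINGS):
        print(f"{str(e):>5}  (base {b}, temporal {t})  {name}")
```

Run stand-alone, the script lists the partial-impact finding first: its base score of 7.0 becomes 5.5 once a confirmed official fix is weighed in, then rises to 7.8 because the organisation runs the affected service everywhere and rates the collateral damage high. The full-compromise finding starts at a base score of 10.0 but falls to 8.5 with no proven exploit and then to 2.1 because it touches a quarter of the estate at most. That reordering is exactly the contextual judgement the column says a copy-pasted tool "risk" value cannot provide.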
While CVSS is likely to increase the effort required to evaluate a threat, clients will benefit from more accurate assessments and remediation prioritisation if it is used properly.
As for those lazy consultants who insist on copy-pasting risk values, they are either going to have to change their business practices or their occupation.
Gunter Ollmann is director of X-Force, Internet Security Systems