common vulnerability scoring system
play

Common Vulnerability Scoring System Engineering Secure Software - PowerPoint PPT Presentation

Dec 02, 2022 •189 likes •541 views

Common Vulnerability Scoring System Engineering Secure Software Last Revised: November 13, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 How Bad is Bad? Weve seen many vulnerabilities Many of them can do catastrophic

  1. Common Vulnerability Scoring System Engineering Secure Software Last Revised: November 13, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1

  2. How Bad is Bad? We’ve seen many vulnerabilities ● Many of them can do catastrophic things ○ Danger really depends on the situation ○ Many, many situational factors, such as: ● Asset exposed (and its relative importance) ○ Remotely or locally exploitable? ○ Expertise needed to exploit the vulnerability? ○ Affects all deployments? ○ Impact on CIA properties? ○ How good is the reporting as of now? ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 2

  3. CVSS Common Vulnerability Scoring System ● Adopted by NIST (National Institute of Standards & Technology) ○ Required for reporting a vulnerability in CVE ○ Note: we are studying v3, most of the world still uses v2 ○ An open scoring system from FIRST ● FIRST: Forum for Incident Response & Security Teams ○ Group of researchers and practitioners ○ Three metric groups ● Base: no changes over time or environment ○ Environmental: might vary in different deployments ○ Temporal: might change over time ○ Essentially a weighted average ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 3

  4. CVSS: Base Metric Group Exploitability metrics: ● Base Metric Group characteristics of the thing Exploitability Impact Metrics Metrics that is vulnerable AV: Attack Confidentiality Vector Impact Impact metrics: represent ● the consequence to the AC: Attack Integrity Complexity Impact thing that suffers the impact PR: Privileges Availability Required Impact Exploit(AV, AC, PR, UI), ● UI: User Interaction Impact(C, I, A), S Scope SWEN-331: Engineering Secure Software Benjamin S Meyers 4

  5. Base: Attack Vector (AV) Regarding networking, what are the methods of exploiting? ● Metric values: ● (P) Physical ○ (L) Local Only ○ (A) Adjacent Network (e.g. wifi, local IP subnet) ○ (N) Network (fully remotely exploitable) ○ Assumption: ● The more remote the AV, the more likely it is to be exploited ○ Examples: ● Client that opens stuff from an untrusted internet source? Go ○ with (N) Network (e.g. zip utility with a buffer overflow) SWEN-331: Engineering Secure Software Benjamin S Meyers 5

  6. Base: Attack Vector (AV) Examples: ● Client that opens stuff from an untrusted internet source? Go ○ with (N) Network (e.g. zip utility with a buffer overflow) XSS in a web application? ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 6

  7. Base: Attack Vector (AV) Examples: ● Client that opens stuff from an untrusted internet source? Go ○ with (N) Network (e.g. zip utility with a buffer overflow) XSS in a web application? (N) Network ○ ARP Spoofing? ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 7

  8. Base: Attack Vector (AV) Examples: ● Client that opens stuff from an untrusted internet source? Go ○ with (N) Network (e.g. zip utility with a buffer overflow) XSS in a web application? (N) Network ○ ARP Spoofing? (A) Adjacent Network ○ Side-channel attacks? ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 8

  9. Base: Attack Vector (AV) Examples: ● Client that opens stuff from an untrusted internet source? Go ○ with (N) Network (e.g. zip utility with a buffer overflow) XSS in a web application? (N) Network ○ ARP Spoofing? (A) Adjacent Network ○ Side-channel attacks? (L) Local ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 9

  10. Base: Attack Complexity (AC) How complex would the exploit be? ● One step? (e.g. buffer overflow) ○ Multiple steps? (e.g. convince an email user to download a ○ malicious attachment) Metric values: ● (H) High: specialized access conditions ○ e.g. overcoming advanced exploit mitigation techniques ■ e.g. man-in-the-middle attack ■ (L) Low: no specialized conditions ○ e.g. default configuration ■ e.g. requires little skill to perform ■ (L) → higher metric score, (H) → lower metric score ● SWEN-331: Engineering Secure Software Benjamin S Meyers 10 10

  11. Base: Privileges Required (PR) Level of privileges needed for exploit? ● Metric values: ● (H): privileges that provide significant control (e.g. admin) ○ (L): privileges that provide basic user capabilities ○ (N): no authorization needed ○ The fewer privileges necessary, the higher the metric score ● Examples: ● In an authentication system (e.g. Kerberos) itself? (N) None ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 11 11

  12. Base: Privileges Required (PR) Examples: ● In an authentication system (e.g. Kerberos) itself? (N) None ○ Path traversal in photo upload for Twitter client? ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 12 12

  13. Base: Privileges Required (PR) Examples: ● In an authentication system (e.g. Kerberos) itself? (N) None ○ Path traversal in photo upload for Twitter client? (L) Low ○ Insecure PRNG for session ID’s? ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 13 13

  14. Base: Privileges Required (PR) Examples: ● In an authentication system (e.g. Kerberos) itself? (N) None ○ Path traversal in photo upload for Twitter client? (L) Low ○ Insecure PRNG for session ID’s? (N) None ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 14 14

  15. Base: User Interaction (UI) A user, other than the attacker, participates in the exploit ● Metric values: ● (N): can be exploited without interaction from any user ○ (R): requires a user to take action(s) ○ e.g. exploit may only be possible during the installation of an ■ application by a system administrator Examples: ● Reflected XSS? (R) -- user must click on a link ○ CSRF? (R) -- need a victim to forge the HTTP request and be ○ logged in The less user interaction required, the higher the metric score ● SWEN-331: Engineering Secure Software Benjamin S Meyers 15 15

  16. Base: Scope (S) The ability for a vulnerability in one software component to ● impact resources beyond its means or privileges Metric values: ● (U)Unchanged: the vulnerable component and the impacted ○ component are the same (C) Changed: the vulnerable component and the impacted ○ component are different Examples: ● Vulnerability in Linux VM that compromises host OS? (C) ○ Sandbox violations? (C) ○ Scoped changed → higher metric score ● SWEN-331: Engineering Secure Software Benjamin S Meyers 16 16

  17. Base: CIA Impact Any impact on C onfidentiality, I ntegrity, or A vailability? ● These are separate metrics ○ Metric values (for each C, I, and A): ● (N) None ○ (L) Low ○ (H) High ○ CIA of the system , not the user ● Examples: ● Disclosing a few database tables? C=Low, I=None, A=None ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 17 17

  18. Base: CIA Impact Examples: ● Disclosing a few database tables? C=Low, I=None, A=None ○ Temporary DoS? ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 18 18

  19. Base: CIA Impact Examples: ● Disclosing a few database tables? C=Low, I=None, A=None ○ Temporary DoS? C=None, I=None, A=Low ○ Reading arbitrary memory locations? ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 19 19

  20. Base: CIA Impact Examples: ● Disclosing a few database tables? C=Low, I=None, A=None ○ Temporary DoS? C=None, I=None, A=Low ○ Reading arbitrary memory locations? C=High, I=None, A=None ○ Full bypass of plugin sandbox? ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 20 20

  21. Base: CIA Impact Examples: ● Disclosing a few database tables? C=Low, I=None, A=None ○ Temporary DoS? C=None, I=None, A=Low ○ Reading arbitrary memory locations? C=High, I=None, A=None ○ Full bypass of plugin sandbox? C=?, I=High, A=None ○ Root-level access? C=I=A=High ○ Hardcoded root credentials in blog software? C=I=A=High ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 21 21

  22. CVSS: Environmental Metric Group Modified base metrics ● Loss of life, physical assets, productivity ○ Levels: None, Low, Medium, High, Not Defined ○ Security Requirements (CR, IR, AR) ● Levels: ○ (X) Not Defined: it will not influence the score ■ (H) High: a catastrophic adverse effect ■ (M) Medium: a serious adverse effect ■ (L) Low: a limited adverse effect ■ SWEN-331: Engineering Secure Software Benjamin S Meyers 22 22

  23. CVSS: Temporal Exploitability (E) Is there a public exploit known? ● Metric values: ● (U) Unproven: entirely theoretical exploit ○ (POC): Proof of Concept exists, no known malicious exploits ○ (F): Functional exploit is available ○ (H): Functional exploit is widely disseminated ○ (X) Not Defined (skip this part of the metric) ○ Notes: ● Being temporal, this could change quickly ○ Many white hats will write exploits to make this score go up, so ○ that it gets fixed SWEN-331: Engineering Secure Software Benjamin S Meyers 23 23

Recommend

Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a

Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a

Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a cybersecurity flaw in a system that leave it open to attack. A vulnerability may also refer to any type of weakness in a computer system

407 views • 16 slides
II APPENDIX II FINAL PRESENTATION SCORING RUBRIC TEACHER for grades 9-12; Common Core State

II APPENDIX II FINAL PRESENTATION SCORING RUBRIC TEACHER for grades 9-12; Common Core State

II APPENDIX II FINAL PRESENTATION SCORING RUBRIC TEACHER for grades 9-12; Common Core State Standards ELA The scoring rubric is a clear and concrete way of assessing Common Core State Standards (CCSS) commonly used in project based learning

551 views • 4 slides
Welcome to Scoring the ACIRI a Job Aid. 1 This job aid provides a brief review of the scoring

Welcome to Scoring the ACIRI a Job Aid. 1 This job aid provides a brief review of the scoring

Welcome to Scoring the ACIRI a Job Aid. 1 This job aid provides a brief review of the scoring procedure for the Adult-Child Interactive Reading Inventory. For detailed training on administering and scoring the assessment, please speak with

758 views • 40 slides
y 2 10 x y 3 x 10 3. Combine the two models. Remove neutral pairs, and

y 2 10 x y 3 x 10 3. Combine the two models. Remove neutral pairs, and

D AY 82 E LIMINATION U SING THE ADDITION PROPERTY OF EQUALITY 1. Let x represent the number of correct answers. Let y represent the incorrect answers. Write a system of equations. Janets scoring Matthews scoring system system 2

347 views • 33 slides
Exercise 8: Scoring Exercise 8: Scoring FLUKA Beginners Course Exercise 8: Scoring Aim of the

Exercise 8: Scoring Exercise 8: Scoring FLUKA Beginners Course Exercise 8: Scoring Aim of the

Exercise 8: Scoring Exercise 8: Scoring FLUKA Beginners Course Exercise 8: Scoring Aim of the exercise: 1- Add scoring cards 2- Practice with AUXSCORE card 3- Plot simulation results 4- Convert results to ASCII 2 Exercise 8: Scoring

501 views • 4 slides
Part 6: Scoring in a Complete Search System Francesco Ricci Most of these slides comes from the

Part 6: Scoring in a Complete Search System Francesco Ricci Most of these slides comes from the

Part 6: Scoring in a Complete Search System Francesco Ricci Most of these slides comes from the course: Information Retrieval and Web Search, Christopher Manning and Prabhakar Raghavan 1 Content p Vector space scoring p Speeding up

850 views • 37 slides
Self-service Training slides Part 1 of 2 Overview Structure of tool/scoring system

Self-service Training slides Part 1 of 2 Overview Structure of tool/scoring system

Self-service Training slides Part 1 of 2 Overview Structure of tool/scoring system Scoring guidelines Completion of NPTDA Computer outputs Publications 2 adult versions physical & cognitive Designed for use

433 views • 21 slides
Other Revisions: Using Technical Rule 114 to Revise Rope IPZ Vulnerability Score Melissa

Other Revisions: Using Technical Rule 114 to Revise Rope IPZ Vulnerability Score Melissa

Other Revisions: Using Technical Rule 114 to Revise Rope IPZ Vulnerability Score Melissa Carruthers: Severn Sound Environmental Association September 6, 2018 1 Utilize Technical Rule 95.1 to revise vulnerability scoring in the Rope IPZ.

505 views • 6 slides
Exercise 8: Scoring FLUKA Beginners Course Exercise 8: Scoring Aim of the exercise: 1- Add

Exercise 8: Scoring FLUKA Beginners Course Exercise 8: Scoring Aim of the exercise: 1- Add

Exercise 8: Scoring FLUKA Beginners Course Exercise 8: Scoring Aim of the exercise: 1- Add scoring cards 2- Practice with AUXSCORE card 3- Plot simulation results 4- Convert results to ASCII 2 Exercise 8: Scoring Start from the

724 views • 4 slides
Self-service Training slides Part 1 of 3 1. Overview 2. Structure of tool/scoring system 3.

Self-service Training slides Part 1 of 3 1. Overview 2. Structure of tool/scoring system 3.

Self-service Training slides Part 1 of 3 1. Overview 2. Structure of tool/scoring system 3. Scoring guidelines 4. Completion of NPDS-H Basic Care Needs 1. NPDS designed to provide a seamless service from hospital to community setting 2.

526 views • 39 slides
Fast Parallel Longest Common Subsequence with General Integer Scoring Support Adnan Ozsoy , Arun

Fast Parallel Longest Common Subsequence with General Integer Scoring Support Adnan Ozsoy , Arun

Fast Parallel Longest Common Subsequence with General Integer Scoring Support Adnan Ozsoy , Arun Chauhan, Martin Swany School of Informatics and Computing Indiana University, Bloomington, USA 1 Fast Parallel Longest Common Subsequence with

495 views • 37 slides
Mountain High Swim League Scoring Presentation 2018 Scoring Committee 1 MHSL Scoring Training

Mountain High Swim League Scoring Presentation 2018 Scoring Committee 1 MHSL Scoring Training

Mountain High Swim League Scoring Presentation 2018 Scoring Committee 1 MHSL Scoring Training 2018 Contact Info Strong Recommendation: use permanent e-mail addresses Meet your Division's Scoring Committee Representative

366 views • 22 slides
Automated Essay Scoring as Basic Regression Ashesh Singh Background What is Automated Essay

Automated Essay Scoring as Basic Regression Ashesh Singh Background What is Automated Essay

Automated Essay Scoring as Basic Regression Ashesh Singh Background What is Automated Essay Scoring (AES)? Why AES? Goal Demonstrate effect of common essay features Apply techniques from this course Hypothesis: A large number of essay

707 views • 29 slides
Arjun Surendra SaciWATERs Vulnerability Vulnerability is the propensity to suffer a

Arjun Surendra SaciWATERs Vulnerability Vulnerability is the propensity to suffer a

Arjun Surendra SaciWATERs Vulnerability Vulnerability is the propensity to suffer a significant shock that brings welfare below a socially accepted level (Khl, 2003) Vulnerability increases when there is uncertainty with respect to

529 views • 21 slides
Evalua&ng Opera&ng System Vulnerability to Memory Errors

Evalua&ng Opera&ng System Vulnerability to Memory Errors

Evalua&ng Opera&ng System Vulnerability to Memory Errors Kurt B. Ferreira, Kevin Pedre1, Patrick Bridges , Ron Brightwell, David Fiala, and Frank

689 views • 23 slides
Contents What is vulnerability? Why conduct vulnerability assessments? Defining

Contents What is vulnerability? Why conduct vulnerability assessments? Defining

6/19/2015 Vulnerability and Capacity Assessment Index (VCAI) for Climate Change Adaptation SVRK Prabhakar USAID ADAPT Asia-Pacific Presented at NABARD Training Workshop, Mumbai on 18 June 2015 Contents What is vulnerability? Why

705 views • 21 slides
Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1

Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1

Vulnerability Analysis and Food Aid W orking Group Chaired by W FP/ VAM Unit Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1 Overview 1 . Methodology of the VA 2 0 0 4 2 . Highlights of

703 views • 28 slides
Vulnerability Screening Tool Identifying and addressing vulnerability: A tool for asylum and

Vulnerability Screening Tool Identifying and addressing vulnerability: A tool for asylum and

Vulnerability Screening Tool Identifying and addressing vulnerability: A tool for asylum and migration systems Purpose Intended to guide & inform frontline workers & decision makers on the relevance of vulnerability factors to

507 views • 19 slides
Earthquake Vulnerability Earthquake Vulnerability Vulnerability Assessment & EVR measures

Earthquake Vulnerability Earthquake Vulnerability Vulnerability Assessment & EVR measures

Earthquake Vulnerability Earthquake Vulnerability Vulnerability Assessment & EVR measures Islamabad Pakistan Assessment and Vulnerability Assessment and Vulnerability Reduction Measures Reduction Measures adpc Asian Disaster

702 views • 46 slides
A Statistical Evaluation of the Decathlon Scoring Systems 2011-2012 DE RIJDT Annelin One of the

A Statistical Evaluation of the Decathlon Scoring Systems 2011-2012 DE RIJDT Annelin One of the

A Statistical Evaluation of the Decathlon Scoring Systems 2011-2012 DE RIJDT Annelin One of the most challenging disciplines in sports??? End of the decathlon at the Olympic Games in Beijing (2008) Challenges to develop a scoring system?

435 views • 30 slides
SI Scoring Guide SUBORDINATION INDEX USING SALT Discuss the scoring rules SALT SOFTWARE, LLC

SI Scoring Guide SUBORDINATION INDEX USING SALT Discuss the scoring rules SALT SOFTWARE, LLC

SALT Software, LLC SI Scoring Guide SUBORDINATION INDEX USING SALT Discuss the scoring rules SALT SOFTWARE, LLC Look at some tricky scoring examples Review a few key points PRESENTER: Mary Beth Rolland, MS, CCC SLP ASHA

301 views • 4 slides
Employee Theft & What are the greatest areas of vulnerability? How and WHY do honest

Employee Theft & What are the greatest areas of vulnerability? How and WHY do honest

Vital Questions Preventing How common is theft in medical practices? Employee Theft & What are the greatest areas of vulnerability? How and WHY do honest people steal? How do you assess potential employees? Embezzlement

132 views • 10 slides
Hauke Walter Medizinisches Labor Stendal News ticker Changes in the scoring system Update

Hauke Walter Medizinisches Labor Stendal News ticker Changes in the scoring system Update

Hauke Walter Medizinisches Labor Stendal News ticker Changes in the scoring system Update the algorithms New drugs Other targets: HCV resistance tool is mediated via geno2pheno (like HIV coreceptor) HBV (HBs escape mutation

323 views • 9 slides
Investment Board April 21, 2014 Agenda UW-IT Portfolio Scoring Process Scoring Results

Investment Board April 21, 2014 Agenda UW-IT Portfolio Scoring Process Scoring Results

IT Service Investment Board April 21, 2014 Agenda UW-IT Portfolio Scoring Process Scoring Results TRF Update Wrap Up 2 UW-IT Portfolio Scoring Process 3 Purpose Many projects --51 287,000 hours all important

631 views • 43 slides

More recommend