Dailydave mailing list archives
Re: smaller errors eroding situational awareness.
From: Christian Heinrich <christian.heinrich () cmlh id au>
Date: Wed, 21 Aug 2013 10:12:34 +1000
Anton,

The core issue here is related to compliance, not security. For instance, PCI DSS v2.0 Requirement 6.2 mandated that a "High" Risk vulnerability ".. *may* include a CVSS base score of 4.0 or above, ..." [emphasis added].

Therefore, the likelihood of an unscheduled outage from implementing a patch and/or workaround for a low or medium severity is outweighed by their risk appetite (i.e. lack of maturity within the culture of the end user to support the processes related to the implementation of workarounds and/or patching of vulnerabilities of low and medium severity).

Hence, the end user's definition of a "high" risk vulnerability can be reclassified as a much higher CVSSv2 Base Score than 4.0 because PCI DSS permits this.

On Sat, Aug 17, 2013 at 6:32 AM, Anton Chuvakin <anton () chuvakin org> wrote:

> of prioritization for vulnerabilities. I've seen too many organizations debate a CVSS score with our support team so they can get it moved off of their mandate to patch everything with a CVSS score of X or higher. This, BTW, is NOT a joke :-)
>
> In essence, many of these organizations will likely NOT learn any lessons from the directory traverse ownage, apart from "NVD can be wrong." If they can fix/patch 500 vulns/month, but their VA tool shows them 1000 Hs, 5000 Ms and infinity of Ls a week, their patching strategy won't suddenly change to "fix all Hs, Ms and Ls." Exploitability may help them a bit, but I doubt it will "solve the problem." After all, the Low severity vuln of "system responds to pings" is ...ahemmm.. exploitable as you can actually send the damn ping :-)
--
Regards,
Christian Heinrich
http://cmlh.id.au/contact

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
Current thread:
- smaller errors eroding situational awareness. Dave Aitel (Aug 16)
- Re: smaller errors eroding situational awareness. Kristian Erik Hermansen (Aug 16)
- Re: smaller errors eroding situational awareness. Ron Gula (Aug 16)
- Re: smaller errors eroding situational awareness. Anton Chuvakin (Aug 19)
- Re: smaller errors eroding situational awareness. Christian Heinrich (Aug 21)
- Re: smaller errors eroding situational awareness. Christian Heinrich (Aug 21)
- Re: smaller errors eroding situational awareness. Anton Chuvakin (Aug 19)
- Re: smaller errors eroding situational awareness. Christey, Steven M. (Aug 19)
- Re: smaller errors eroding situational awareness. security curmudgeon (Aug 19)
- Re: smaller errors eroding situational awareness. Christian Heinrich (Aug 21)
- Re: smaller errors eroding situational awareness. security curmudgeon (Aug 19)
- Re: smaller errors eroding situational awareness. Christian Heinrich (Aug 21)
- Re: smaller errors eroding situational awareness. Justin Ferguson (Aug 21)