Dailydave mailing list archives
Re: smaller errors eroding situational awareness.
From: Justin Ferguson <jf () ownco net>
Date: Wed, 21 Aug 2013 03:05:23 -0400
So my conclusion here is that despite all thoughts to the contrary, CVSS, the NVD, and hence vulnerability risk rankings, do, in fact matter.
They could matter, but everything being 'unverified' and all of the client side stuff being marked as 'remote' and so on more or less makes it an exercise in hysteria and speculation. Scroll through CVSS stuff, virtually everything is marked as unverified and lacking all sorts of details that would invalidate the score itself. It's not debatable whether this is because of a general lack of information available to the people assigning the scores, that's absolutely true, but it undermines the purpose when you get a score based on impartial or incomplete datasets.

On Fri, Aug 16, 2013 at 2:38 PM, Dave Aitel <dave () immunityinc com> wrote:
Related Twitter threads here:
https://twitter.com/carnal0wnage/status/367734642213801985
https://twitter.com/SelsRoger/status/367751020442832897

One thing you should pay attention to, as someone who works in IT security, is how the various assumptions change over time. It used to be that managing your network security was how well you used a few simple product types. Essentially we had network sniffers and network scanners of various sorts, along with the signature-based AVs. Most enterprises remember having tons of network sniffer monkeys looking at logs and sniffer alerts and then trying to use that to generate some level of activity. But that turns out to be mindbogglingly expensive, and ineffective as we have all learned the hard way.

This then changed into how well you integrate and analyze information from these tools. The SIEM was born. The downside being that sorting through massive amounts of noise to find tiny signals is by definition expensive, no matter how good your tool is.

This is also true on the assessment side - small errors can add up to cloud your situational awareness. For example, in the below referenced Twitter stream you can see a penetration tester scanning a network using a vulnerability assessment tool, which then marks a potential ColdFusion bug as "medium". Part of this is because the National Vulnerability Database marked it as having a CVSS score of 7.5, despite it being a remote, unauthenticated, SYSTEM-level vulnerability. That said, if all you had was the Vulnerability Assessment data, you would probably relegate fixing this weakness to "when I get around to it", which would explain all the nicely vulnerable ColdFusion boxes on the Interwebs.

So my conclusion here is that despite all thoughts to the contrary, CVSS, the NVD, and hence vulnerability risk rankings, do, in fact matter.

-dave

As a post-script, Nessus has updated their score on this particular vulnerability. I emailed the NVD about it too.
_______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave