Re: Intrusion Risk Assessment

[Herve Debar <herve.debar () francetelecom com>]

Robert_Huber () bankone com wrote:
> Anyone know of any IDS risk assessment matrixes out there?  I'm looking for something like the following:
>
> Rating                          Severity
> 1  No Damage                    a.      Not possible to exploit (or)
>                                 b.      No damage (or)
>                                 c.      Hoax
> 	 	 	 	 
> 2 Harassment			a.	Possible damage, unconfirmed (or)
>                                 b.      Temporarily shuts down services and/or temporarily prevents access to 
> information
>
> 3 Minor Damage                  a.      Short-term impact (or)
>                                 b.      Exploit allows access to view files (or)
>                                 c.      Minimal effort required to recover
>
> 4 Moderate Damage               a.      The exploit is easy to perform (or)
>                                 b.      Important systems can be effected with administrative compromise (or)
>                                 c.      Exploit allows full access to files (or)
>                                 d.      Long-term effects, significant effort may be required to recover
>
> 5 Heavy Damage          a.      The exploit is easy to perform (and)
>                                 b.      An exploit will cause severe damage to multiple computers (and/or)
>                                 c.      Requires reinstallation or recovery from backup

Have a look at the IDWG draft on the data model for IDS alerts 
(http://www.ietf.org/html.charters/idwg-charter.html), there is 
something similar for classifying alerts.

Hervé
--
Hervé Debar             <mailto:herve.debar () francetelecom com>
Tel: +33 (0)2 31 75 92 61            GSM: +33 (0)6 74 09 09 66
France Télécom R&D                   Fax: +33 (0)2 31 75 93 13
42 rue des Coutures  (--)  BP 6243  (--)  F-14066 Caen Cedex 4