Assessing Risks to Systems
It is also useful to assess the risk that a particular vulnerability poses to a system. Where we discover several issues with a system, this allows us to concentrate our efforts on the one with the most serious impact.
For example, assume the factors we include in the risk assessment are:
- Severity: The security implications of this risk to the system.
- Likelihood: How likely it is that this risk will occur.
After our assessment we have the following vulnerabilities:
Vulnerability | Severity | Likelihood
---|---|---
Vuln 1 | Low | Very High
Vuln 2 | Very High | Low
Vuln 3 | High | High
While Vulnerability 2 has the highest severity, it also has a low likelihood of occurring (for example, it requires custom exploit development, or a deep understanding of the underlying system). Therefore we may want to concentrate our efforts on Vulnerability 3 first, as it has both a high chance of occurring and a high severity.
Important
While you are not required to make use of risk rating systems in the coursework (because we don't have a pen-test report element), it is a good idea to get used to explaining the vulnerabilities you find using these systems.
Risk Assessment Standards
Ideally there would be one single vulnerability risk rating standard. However, as the level of risk depends on the organisation and applications, there are several formats you could use.
Let's look at three of these standards in more detail.
OWASP Risk Assessment Methodology 1
Assesses the Risk based on two elements:
- The Overall Likelihood
- The Overall Impact
Likelihood
Likelihood is estimated from the following factors, each scored on a level of 0-9.
- Threat Agent Factors
  These relate to the attacker themselves, and are a combination of:
  - Skill Level
  - Motive
  - Opportunity
  - Size (how big is the group of people who could exploit this?)
- Vulnerability Factors
  These determine how likely it is that this particular vulnerability will be discovered and exploited:
  - Ease of Discovery
  - Ease of Exploit
  - Awareness (how well known is the vulnerability?)
  - Intrusion Detection (how likely is an exploit to be detected?)
Impact
As with Likelihood, Impact is measured based on two categories.
- Technical Impact
  Covers the areas identified by the CIA triangle:
  - Loss of Confidentiality
  - Loss of Integrity
  - Loss of Availability
  - Loss of Accountability
- Business Impact
  This is much harder to quantify, as it requires an understanding of what is important to the organisation running the application. However, there are some common areas:
  - Financial Damage
  - Reputation Damage
  - Non-Compliance
  - Privacy Violation (how many customers would be affected?)
Calculating the Score
We then combine the scores for each category to get an overall idea of the risk rating, and from that calculate the overall severity of the vulnerability, where:
- 0 to <3 == Low
- 3 to <6 == Medium
- 6 to 9 == High
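As an added worked example (not part of the original notes), the following Python turns a set of 0-9 factor scores into an OWASP-style rating: it averages each group, as the OWASP methodology does, to get likelihood and impact, bands them with the thresholds above, and combines the bands using OWASP's overall risk severity table. Taking the higher of the technical and business impact as the overall impact is this example's own choice, and the sample scores are constructed, not a real vulnerability.

```python
# Factor groups from the OWASP Risk Rating Methodology; every factor is scored 0-9.
THREAT_AGENT = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY = ("ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")
TECHNICAL = ("confidentiality", "integrity", "availability", "accountability")
BUSINESS = ("financial", "reputation", "non_compliance", "privacy")

# (likelihood level, impact level) -> overall risk, as in OWASP's overall risk severity table.
RISK_MATRIX = {
    ("LOW", "LOW"): "NOTE", ("LOW", "MEDIUM"): "LOW", ("LOW", "HIGH"): "MEDIUM",
    ("MEDIUM", "LOW"): "LOW", ("MEDIUM", "MEDIUM"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH",
    ("HIGH", "LOW"): "MEDIUM", ("HIGH", "MEDIUM"): "HIGH", ("HIGH", "HIGH"): "CRITICAL",
}

def level(score):
    """Band a 0-9 score as in the notes: under 3 Low, 3 to under 6 Medium, 6 and above High."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} is outside 0-9")
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"

def group_average(factors, names):
    """Average one factor group (OWASP averages rather than sums); KeyError if a factor is missing."""
    return sum(factors[n] for n in names) / len(names)

def owasp_rating(factors):
    likelihood = group_average(factors, THREAT_AGENT + VULNERABILITY)
    technical = group_average(factors, TECHNICAL)
    business = group_average(factors, BUSINESS)
    # Assumption of this example: overall impact is the higher of the two, so a modest
    # business estimate cannot hide a severe technical one.
    impact = max(technical, business)
    return {
        "likelihood": likelihood, "likelihood_level": level(likelihood),
        "technical_impact": technical, "business_impact": business,
        "impact_level": level(impact),
        "risk": RISK_MATRIX[(level(likelihood), level(impact))],
    }

# Constructed scores for a hypothetical flaw: easy to find, widely known, rarely detected.
SAMPLE = {
    "skill_level": 6, "motive": 9, "opportunity": 7, "size": 6,
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 6, "intrusion_detection": 8,
    "confidentiality": 7, "integrity": 7, "availability": 5, "accountability": 9,
    "financial": 5, "reputation": 4, "non_compliance": 2, "privacy": 5,
}

if __name__ == "__main__":
    for key, value in owasp_rating(SAMPLE).items():
        print(f"{key:>18}: {value}")
```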
SANS Institute 2
The SANS Institute takes a similar approach to OWASP when categorising vulnerabilities. However, it gives a higher-level overview, focusing on two factors.
Severity
Represents the impact of the vulnerability.
- Minor Severity
  The vulnerability requires significant resources to exploit (i.e. it is hard to do). There is little potential for loss.
- Moderate Severity
  The vulnerability requires significant resources to exploit, with significant potential for loss.
  OR
  The vulnerability requires few resources to exploit, with moderate potential for loss.
- High Severity
  The vulnerability requires few resources to exploit, with significant potential for loss.
Exposure
Represents the number of components in the system (or the amount of data) that the vulnerability exposes.
- Minor Exposure
  The vulnerability affects only specific systems. It will not increase the chances of additional vulnerabilities being exploited.
- Moderate Exposure
  Can affect more than one system element or component. May also lead to additional vulnerabilities being exploited.
- High Exposure
  Affects the majority of system components. High chance of additional vulnerabilities being exploited.
Calculating the Score
Scores are calculated from a combination of these two factors.
CVE / CVSS Ratings 3
CVEs (Common Vulnerabilities and Exposures) are used to classify vulnerabilities. This aims to standardise the way that vulnerabilities are reported and assessed.
A database of CVEs is maintained by the US Government and the MITRE Corporation, with newly reported vulnerabilities assigned a CVE number and score.
You can search the CVE database at cve.mitre.org. For example:
- CVE-2017-0144: EternalBlue, used in the WannaCry malware (and others).
- CVE-2018-1133: the "Evil Teacher" bug, allowing RCE in Moodle.
CVSS
CVEs are rated using the CVSS (Common Vulnerability Scoring System), which takes into account many factors, including:
- Complexity of Exploit
- Does the attacker need to be authorised
- Impact on each element of the CIA Triangle
- Does known exploit code exist
- Is there a known fix for the exploit.
Note
The CVSS score calculations are quite complex and require specialist input. Knowing that they exist, and the levels they represent, is fine for the moment.
Vulnerabilities are given a score between 0-10, representing how critical the flaw is.
Summary
In this article we have looked at some of the common ways of classifying vulnerabilities.
These systems allow us to discuss the issues in a standardised way, and prioritise flaws to be fixed.
Comparing Rating Systems
The OWASP and SANS vulnerability rating systems allow us to rate security flaws in our own systems. While they aim to do the same thing, they each take a different approach.
- Which of the two rating systems do you prefer?
- Is there any information missing that could help in the assessment?