common vulnerability scoring system
play

Common Vulnerability Scoring System Engineering Secure Software - PowerPoint PPT Presentation

Dec 02, 2022 •189 likes •541 views

Common Vulnerability Scoring System Engineering Secure Software Last Revised: November 13, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 How Bad is Bad? Weve seen many vulnerabilities Many of them can do catastrophic

  1. Common Vulnerability Scoring System Engineering Secure Software Last Revised: November 13, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1

  2. How Bad is Bad? We’ve seen many vulnerabilities ● Many of them can do catastrophic things ○ Danger really depends on the situation ○ Many, many situational factors, such as: ● Asset exposed (and its relative importance) ○ Remotely or locally exploitable? ○ Expertise needed to exploit the vulnerability? ○ Affects all deployments? ○ Impact on CIA properties? ○ How good is the reporting as of now? ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 2

  3. CVSS Common Vulnerability Scoring System ● Adopted by NIST (National Institute of Standards & Technology) ○ Required for reporting a vulnerability in CVE ○ Note: we are studying v3, most of the world still uses v2 ○ An open scoring system from FIRST ● FIRST: Forum for Incident Response & Security Teams ○ Group of researchers and practitioners ○ Three metric groups ● Base: no changes over time or environment ○ Environmental: might vary in different deployments ○ Temporal: might change over time ○ Essentially a weighted average ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 3

  4. CVSS: Base Metric Group Exploitability metrics: ● Base Metric Group characteristics of the thing Exploitability Impact Metrics Metrics that is vulnerable AV: Attack Confidentiality Vector Impact Impact metrics: represent ● the consequence to the AC: Attack Integrity Complexity Impact thing that suffers the impact PR: Privileges Availability Required Impact Exploit(AV, AC, PR, UI), ● UI: User Interaction Impact(C, I, A), S Scope SWEN-331: Engineering Secure Software Benjamin S Meyers 4

  5. Base: Attack Vector (AV) Regarding networking, what are the methods of exploiting? ● Metric values: ● (P) Physical ○ (L) Local Only ○ (A) Adjacent Network (e.g. wifi, local IP subnet) ○ (N) Network (fully remotely exploitable) ○ Assumption: ● The more remote the AV, the more likely it is to be exploited ○ Examples: ● Client that opens stuff from an untrusted internet source? Go ○ with (N) Network (e.g. zip utility with a buffer overflow) SWEN-331: Engineering Secure Software Benjamin S Meyers 5

  6. Base: Attack Vector (AV) Examples: ● Client that opens stuff from an untrusted internet source? Go ○ with (N) Network (e.g. zip utility with a buffer overflow) XSS in a web application? ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 6

  7. Base: Attack Vector (AV) Examples: ● Client that opens stuff from an untrusted internet source? Go ○ with (N) Network (e.g. zip utility with a buffer overflow) XSS in a web application? (N) Network ○ ARP Spoofing? ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 7

  8. Base: Attack Vector (AV) Examples: ● Client that opens stuff from an untrusted internet source? Go ○ with (N) Network (e.g. zip utility with a buffer overflow) XSS in a web application? (N) Network ○ ARP Spoofing? (A) Adjacent Network ○ Side-channel attacks? ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 8

  9. Base: Attack Vector (AV) Examples: ● Client that opens stuff from an untrusted internet source? Go ○ with (N) Network (e.g. zip utility with a buffer overflow) XSS in a web application? (N) Network ○ ARP Spoofing? (A) Adjacent Network ○ Side-channel attacks? (L) Local ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 9

  10. Base: Attack Complexity (AC) How complex would the exploit be? ● One step? (e.g. buffer overflow) ○ Multiple steps? (e.g. convince an email user to download a ○ malicious attachment) Metric values: ● (H) High: specialized access conditions ○ e.g. overcoming advanced exploit mitigation techniques ■ e.g. man-in-the-middle attack ■ (L) Low: no specialized conditions ○ e.g. default configuration ■ e.g. requires little skill to perform ■ (L) → higher metric score, (H) → lower metric score ● SWEN-331: Engineering Secure Software Benjamin S Meyers 10 10

  11. Base: Privileges Required (PR) Level of privileges needed for exploit? ● Metric values: ● (H): privileges that provide significant control (e.g. admin) ○ (L): privileges that provide basic user capabilities ○ (N): no authorization needed ○ The fewer privileges necessary, the higher the metric score ● Examples: ● In an authentication system (e.g. Kerberos) itself? (N) None ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 11 11

  12. Base: Privileges Required (PR) Examples: ● In an authentication system (e.g. Kerberos) itself? (N) None ○ Path traversal in photo upload for Twitter client? ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 12 12

  13. Base: Privileges Required (PR) Examples: ● In an authentication system (e.g. Kerberos) itself? (N) None ○ Path traversal in photo upload for Twitter client? (L) Low ○ Insecure PRNG for session ID’s? ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 13 13

  14. Base: Privileges Required (PR) Examples: ● In an authentication system (e.g. Kerberos) itself? (N) None ○ Path traversal in photo upload for Twitter client? (L) Low ○ Insecure PRNG for session ID’s? (N) None ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 14 14

  15. Base: User Interaction (UI) A user, other than the attacker, participates in the exploit ● Metric values: ● (N): can be exploited without interaction from any user ○ (R): requires a user to take action(s) ○ e.g. exploit may only be possible during the installation of an ■ application by a system administrator Examples: ● Reflected XSS? (R) -- user must click on a link ○ CSRF? (R) -- need a victim to forge the HTTP request and be ○ logged in The less user interaction required, the higher the metric score ● SWEN-331: Engineering Secure Software Benjamin S Meyers 15 15

  16. Base: Scope (S) The ability for a vulnerability in one software component to ● impact resources beyond its means or privileges Metric values: ● (U)Unchanged: the vulnerable component and the impacted ○ component are the same (C) Changed: the vulnerable component and the impacted ○ component are different Examples: ● Vulnerability in Linux VM that compromises host OS? (C) ○ Sandbox violations? (C) ○ Scoped changed → higher metric score ● SWEN-331: Engineering Secure Software Benjamin S Meyers 16 16

  17. Base: CIA Impact Any impact on C onfidentiality, I ntegrity, or A vailability? ● These are separate metrics ○ Metric values (for each C, I, and A): ● (N) None ○ (L) Low ○ (H) High ○ CIA of the system , not the user ● Examples: ● Disclosing a few database tables? C=Low, I=None, A=None ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 17 17

  18. Base: CIA Impact Examples: ● Disclosing a few database tables? C=Low, I=None, A=None ○ Temporary DoS? ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 18 18

  19. Base: CIA Impact Examples: ● Disclosing a few database tables? C=Low, I=None, A=None ○ Temporary DoS? C=None, I=None, A=Low ○ Reading arbitrary memory locations? ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 19 19

  20. Base: CIA Impact Examples: ● Disclosing a few database tables? C=Low, I=None, A=None ○ Temporary DoS? C=None, I=None, A=Low ○ Reading arbitrary memory locations? C=High, I=None, A=None ○ Full bypass of plugin sandbox? ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 20 20

  21. Base: CIA Impact Examples: ● Disclosing a few database tables? C=Low, I=None, A=None ○ Temporary DoS? C=None, I=None, A=Low ○ Reading arbitrary memory locations? C=High, I=None, A=None ○ Full bypass of plugin sandbox? C=?, I=High, A=None ○ Root-level access? C=I=A=High ○ Hardcoded root credentials in blog software? C=I=A=High ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 21 21

  22. CVSS: Environmental Metric Group Modified base metrics ● Loss of life, physical assets, productivity ○ Levels: None, Low, Medium, High, Not Defined ○ Security Requirements (CR, IR, AR) ● Levels: ○ (X) Not Defined: it will not influence the score ■ (H) High: a catastrophic adverse effect ■ (M) Medium: a serious adverse effect ■ (L) Low: a limited adverse effect ■ SWEN-331: Engineering Secure Software Benjamin S Meyers 22 22

  23. CVSS: Temporal Exploitability (E) Is there a public exploit known? ● Metric values: ● (U) Unproven: entirely theoretical exploit ○ (POC): Proof of Concept exists, no known malicious exploits ○ (F): Functional exploit is available ○ (H): Functional exploit is widely disseminated ○ (X) Not Defined (skip this part of the metric) ○ Notes: ● Being temporal, this could change quickly ○ Many white hats will write exploits to make this score go up, so ○ that it gets fixed SWEN-331: Engineering Secure Software Benjamin S Meyers 23 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a

Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a

Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a cybersecurity flaw in a system that leave it open to attack. A vulnerability may also refer to any type of weakness in a computer system

407 views • 16 slides
II APPENDIX II FINAL PRESENTATION SCORING RUBRIC TEACHER for grades 9-12; Common Core State

II APPENDIX II FINAL PRESENTATION SCORING RUBRIC TEACHER for grades 9-12; Common Core State

II APPENDIX II FINAL PRESENTATION SCORING RUBRIC TEACHER for grades 9-12; Common Core State Standards ELA The scoring rubric is a clear and concrete way of assessing Common Core State Standards (CCSS) commonly used in project based learning

551 views • 4 slides
Welcome to Scoring the ACIRI a Job Aid. 1 This job aid provides a brief review of the scoring

Welcome to Scoring the ACIRI a Job Aid. 1 This job aid provides a brief review of the scoring

Welcome to Scoring the ACIRI a Job Aid. 1 This job aid provides a brief review of the scoring procedure for the Adult-Child Interactive Reading Inventory. For detailed training on administering and scoring the assessment, please speak with

758 views • 40 slides
y 2 10 x y 3 x 10 3. Combine the two models. Remove neutral pairs, and

y 2 10 x y 3 x 10 3. Combine the two models. Remove neutral pairs, and

D AY 82 E LIMINATION U SING THE ADDITION PROPERTY OF EQUALITY 1. Let x represent the number of correct answers. Let y represent the incorrect answers. Write a system of equations. Janets scoring Matthews scoring system system 2

347 views • 33 slides
Exercise 8: Scoring Exercise 8: Scoring FLUKA Beginners Course Exercise 8: Scoring Aim of the

Exercise 8: Scoring Exercise 8: Scoring FLUKA Beginners Course Exercise 8: Scoring Aim of the

Exercise 8: Scoring Exercise 8: Scoring FLUKA Beginners Course Exercise 8: Scoring Aim of the exercise: 1- Add scoring cards 2- Practice with AUXSCORE card 3- Plot simulation results 4- Convert results to ASCII 2 Exercise 8: Scoring

501 views • 4 slides
Part 6: Scoring in a Complete Search System Francesco Ricci Most of these slides comes from the

Part 6: Scoring in a Complete Search System Francesco Ricci Most of these slides comes from the

Part 6: Scoring in a Complete Search System Francesco Ricci Most of these slides comes from the course: Information Retrieval and Web Search, Christopher Manning and Prabhakar Raghavan 1 Content p Vector space scoring p Speeding up

850 views • 37 slides
Self-service Training slides Part 1 of 2 Overview Structure of tool/scoring system

Self-service Training slides Part 1 of 2 Overview Structure of tool/scoring system

Self-service Training slides Part 1 of 2 Overview Structure of tool/scoring system Scoring guidelines Completion of NPTDA Computer outputs Publications 2 adult versions physical & cognitive Designed for use

433 views • 21 slides
Other Revisions: Using Technical Rule 114 to Revise Rope IPZ Vulnerability Score Melissa

Other Revisions: Using Technical Rule 114 to Revise Rope IPZ Vulnerability Score Melissa

Other Revisions: Using Technical Rule 114 to Revise Rope IPZ Vulnerability Score Melissa Carruthers: Severn Sound Environmental Association September 6, 2018 1 Utilize Technical Rule 95.1 to revise vulnerability scoring in the Rope IPZ.

505 views • 6 slides
Exercise 8: Scoring FLUKA Beginners Course Exercise 8: Scoring Aim of the exercise: 1- Add

Exercise 8: Scoring FLUKA Beginners Course Exercise 8: Scoring Aim of the exercise: 1- Add

Exercise 8: Scoring FLUKA Beginners Course Exercise 8: Scoring Aim of the exercise: 1- Add scoring cards 2- Practice with AUXSCORE card 3- Plot simulation results 4- Convert results to ASCII 2 Exercise 8: Scoring Start from the

724 views • 4 slides
Self-service Training slides Part 1 of 3 1. Overview 2. Structure of tool/scoring system 3.

Self-service Training slides Part 1 of 3 1. Overview 2. Structure of tool/scoring system 3.

Self-service Training slides Part 1 of 3 1. Overview 2. Structure of tool/scoring system 3. Scoring guidelines 4. Completion of NPDS-H Basic Care Needs 1. NPDS designed to provide a seamless service from hospital to community setting 2.

526 views • 39 slides
Fast Parallel Longest Common Subsequence with General Integer Scoring Support Adnan Ozsoy , Arun

Fast Parallel Longest Common Subsequence with General Integer Scoring Support Adnan Ozsoy , Arun

Fast Parallel Longest Common Subsequence with General Integer Scoring Support Adnan Ozsoy , Arun Chauhan, Martin Swany School of Informatics and Computing Indiana University, Bloomington, USA 1 Fast Parallel Longest Common Subsequence with

495 views • 37 slides
Mountain High Swim League Scoring Presentation 2018 Scoring Committee 1 MHSL Scoring Training

Mountain High Swim League Scoring Presentation 2018 Scoring Committee 1 MHSL Scoring Training

Mountain High Swim League Scoring Presentation 2018 Scoring Committee 1 MHSL Scoring Training 2018 Contact Info Strong Recommendation: use permanent e-mail addresses Meet your Division's Scoring Committee Representative

366 views • 22 slides
Automated Essay Scoring as Basic Regression Ashesh Singh Background What is Automated Essay

Automated Essay Scoring as Basic Regression Ashesh Singh Background What is Automated Essay

Automated Essay Scoring as Basic Regression Ashesh Singh Background What is Automated Essay Scoring (AES)? Why AES? Goal Demonstrate effect of common essay features Apply techniques from this course Hypothesis: A large number of essay

707 views • 29 slides
Arjun Surendra SaciWATERs Vulnerability Vulnerability is the propensity to suffer a

Arjun Surendra SaciWATERs Vulnerability Vulnerability is the propensity to suffer a

Arjun Surendra SaciWATERs Vulnerability Vulnerability is the propensity to suffer a significant shock that brings welfare below a socially accepted level (Khl, 2003) Vulnerability increases when there is uncertainty with respect to

529 views • 21 slides
Evalua&ng Opera&ng System Vulnerability to Memory Errors

Evalua&ng Opera&ng System Vulnerability to Memory Errors

Evalua&ng Opera&ng System Vulnerability to Memory Errors Kurt B. Ferreira, Kevin Pedre1, Patrick Bridges , Ron Brightwell, David Fiala, and Frank

689 views • 23 slides
Contents What is vulnerability? Why conduct vulnerability assessments? Defining

Contents What is vulnerability? Why conduct vulnerability assessments? Defining

6/19/2015 Vulnerability and Capacity Assessment Index (VCAI) for Climate Change Adaptation SVRK Prabhakar USAID ADAPT Asia-Pacific Presented at NABARD Training Workshop, Mumbai on 18 June 2015 Contents What is vulnerability? Why

705 views • 21 slides
Search Snippet Evaluation Mikhail Lebedev, Pavel Braslavski, Denis Savenkov CLEF 2011 CLEF 2011

Search Snippet Evaluation Mikhail Lebedev, Pavel Braslavski, Denis Savenkov CLEF 2011 CLEF 2011

Search Snippet Evaluation Mikhail Lebedev, Pavel Braslavski, Denis Savenkov CLEF 2011 CLEF 2011 What is a snippet What is a snippet # Why is it so important Why is it so important Search is ranking & representation Bad snippets spoil good

359 views • 19 slides
Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security Information Systems Course Business Course site: https://67327.cmuis.net Schedule Reading Assignments in-class labs -- laptops w/ 272

1.31k views • 11 slides
User authentication on the web Joseph Bonneau

User authentication on the web Joseph Bonneau

User authentication on the web Joseph Bonneau Computer Laboratory Part II Security lecture 2012 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 1 / 41

1.72k views • 132 slides
Browser Security Part 2 Recap XSS 3 different types Common aim/theme Steal user

Browser Security Part 2 Recap XSS 3 different types Common aim/theme Steal user

Browser Security Part 2 Recap XSS 3 different types Common aim/theme Steal user credentials (session ID, cookies, etc.) CSRF Cross-Site Request Forgery is an attack that forces an end user to execute unwanted actions on a

428 views • 23 slides
Build Better Products with HYPOTHESIS TRACKER KALPESH SHAH KSHAH@INTRAEDGE.COM Kalpesh Shah

Build Better Products with HYPOTHESIS TRACKER KALPESH SHAH KSHAH@INTRAEDGE.COM Kalpesh Shah

Build Better Products with HYPOTHESIS TRACKER KALPESH SHAH KSHAH@INTRAEDGE.COM Kalpesh Shah Digital Product Coach, Speaker and Trainer Director of Agile/Digital Transformation at IntraEdge. Working with clients ranging from Fortune 50

275 views • 24 slides
Recent Progresses in Visual Segmentation Yunchao Wei ReLER, Australian Artificial Intelligence

Recent Progresses in Visual Segmentation Yunchao Wei ReLER, Australian Artificial Intelligence

VALSE Web Webinar nar Recent Progresses in Visual Segmentation Yunchao Wei ReLER, Australian Artificial Intelligence Institute University of Technology Sydney The importance of visual segmentation Medical Agriculture Autonomous Vehicle

867 views • 69 slides
1 Relying primarily on telling as our way to information Technology integration across to

1 Relying primarily on telling as our way to information Technology integration across to

Keyn ynote te: What t We Co Could Do Do If If We Were Br Brave Togeth ther r - Selected Slides s - DI Asia Su Summi mmit t 2018 rick@rickwormeli.onmicrosoft.com www.rickwormeli.com @rickwormeli2 (Twitter) What tethers us to

364 views • 15 slides
NFSv4 Requirements Spencer Shepler spencer.shepler@eng.sun.com Spencer Shepler 42nd IETF NFSv4

NFSv4 Requirements Spencer Shepler spencer.shepler@eng.sun.com Spencer Shepler 42nd IETF NFSv4

42nd IETF NFSv4 Requirements Slide 1 of 11 42nd IETF NFSv4 Requirements Spencer Shepler spencer.shepler@eng.sun.com Spencer Shepler 42nd IETF NFSv4 Requirements Slide 2 of 11 WG Charter and Requirements First Milestone - deliver

327 views • 11 slides

More recommend