
Risk
10/21/2013 02:07 AM
Dark Reading
Quick Hits

Understanding Severity And Criticality In Threat Reporting

How do you prioritize newly disclosed threats and vulnerabilities? Here are some tips.

[The following is excerpted from "Understanding Severity and Criticality In Threat Reporting," a new report posted this week on Dark Reading's Vulnerabilities and Threats Tech Center.]

"Does this vulnerability pose risk to my organization?" Arriving at the answer to this question isn't easy. Indeed, the answer, at least partially, is a measure of your own internal visibility into the technology in use inside and, in some cases, outside your network.

It all comes back to how well you know the technology you rely on every day. Put simply, you can't mitigate a threat if you don't know it's a threat.

Indeed, before any (or much) attention can be paid to threat reporting and vulnerability disclosure, security professionals must spend a great deal of effort to gain thorough visibility into their networks, systems and data. A number of automated tools can reach into the depths of your network to help with this process, but, as with anything in the IT world, success depends on an effective combination of people, processes, and technology.

OK, now that we have complete visibility into our technology and data, we can get started evaluating the latest Microsoft vulnerability, right? Not even close.

What is your scale of risk? What is your mitigation plan? How does your actual risk relate to the ratings vendors apply? Is there a difference?

In the past, organizations have used a number of risk metric formulas, methodologies, and other "plug and play" methods for creating a vulnerability management system. The problem is that technology and business evolve, and in the last decade they have evolved at a dizzying pace. Vulnerability rating and management systems should be evolving at the same pace and along the same paths (think cloud computing, mobile, and so on), but they often don't.

One of the biggest challenges companies face is reconciling their metrics with those of a particular threat intelligence group, standard, or vendor.

Let's take a look at the Common Vulnerability Scoring System (CVSS), which is used by Mitre's Common Vulnerabilities and Exposures, or CVE, a dictionary of publicly known information security vulnerabilities and exposures. One of the first things you'll notice about CVSS is that it isn't a simple matrix of connected dots. Rather, it comprises multiple scoring categories that are combined to produce an overall score. These categories take into account variables relating to vulnerability, threat, and risk.

The base metric group includes data such as the impact to the CIA triad (confidentiality, integrity, and availability) and the vectors by which the vulnerability can be exploited. These variables tend not to change.

The temporal metric group focuses on variables that will change over time.

The environmental metric group is geared toward components that are unique to each company or organization. This is where your time will likely be focused when applying a risk rating system to your own network.
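As an added example (not from the article or the report it excerpts), here is a small Python CVSS v2 calculator that carries one vector string through the three metric groups just described, using the weights and formulas published in the CVSS v2 guide, the version current in 2013. The function names are mine, and the script assumes a vector written in the standard "AV:N/AC:L/..." notation.

```python
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 metric weights as published in the CVSS v2 guide. "ND" (not defined)
# is the default for any temporal or environmental metric left out of a vector.
W = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},           # access vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},            # access complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},           # authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},            # confidentiality impact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},            # integrity impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},            # availability impact
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},   # exploitability
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},  # remediation level
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},            # report confidence
    "CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},  # collateral damage
    "TD": {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},    # target distribution
    "CR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},   # confidentiality requirement
    "IR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},   # integrity requirement
    "AR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},   # availability requirement
}

def r1(x):
    """The guide's round_to_1_decimal, half-up as its worked examples show (9.15 -> 9.2)."""
    return float(Decimal(str(round(x, 6))).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))

def parse(vector):
    """Map a vector such as 'AV:N/AC:L/Au:N/C:N/I:N/A:C' to weights (base metrics are required)."""
    given = dict(part.split(":") for part in vector.split("/"))
    return {k: W[k][given.get(k, "ND")] for k in W}

def base_score(v, impact):
    exploitability = 20 * v["AV"] * v["AC"] * v["Au"]
    f_impact = 0 if impact == 0 else 1.176
    return r1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)

def cvss2_scores(vector):
    """Return (base, temporal, environmental) scores for a CVSS v2 vector string."""
    v = parse(vector)
    impact = 10.41 * (1 - (1 - v["C"]) * (1 - v["I"]) * (1 - v["A"]))
    base = base_score(v, impact)
    # Temporal group: the base score scaled by the metrics that change over time.
    temporal = r1(base * v["E"] * v["RL"] * v["RC"])
    # Environmental group: re-weight impact by your own C/I/A requirements, then
    # adjust for collateral damage potential and the share of your hosts affected.
    adj_impact = min(10.0, 10.41 * (1 - (1 - v["C"] * v["CR"]) * (1 - v["I"] * v["IR"])
                                    * (1 - v["A"] * v["AR"])))
    adj_temporal = r1(base_score(v, adj_impact) * v["E"] * v["RL"] * v["RC"])
    environmental = r1((adj_temporal + (10 - adj_temporal) * v["CDP"]) * v["TD"])
    return base, temporal, environmental
```

Running the same constructed base vector (remote, low complexity, no authentication, complete loss of availability) with different environmental metrics shows the point of the environmental group: a 7.8 base score rises to 9.2 where the affected hosts are widespread and availability-critical, and drops to 2.0 where only a small share of hosts is affected.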

To see how the CVE rating system differs from those of Microsoft and others -- and to find out how you can use these rating systems to help you prioritize your response to newly disclosed vulnerabilities -- download the free report.
