[Dailydave] Re: Dailydave Digest, Vol 22, Issue 2
From: Brian Erdelyi (brian_erdelyi at yahoo.com)
Date: Tue Mar 01 2005 - 18:59:08 CST
> : I didn't try to be too narrow with my interpretation of Access Complexity, I think it's a great term. One of my personal beefs is that some people neglect to differentiate between the level of access required to exploit the vulnerability. If authentication is required, are admin/root privileges required to exploit it? To exploit the vuln
>
> but wait.. it doesn't get that detailed. your PDF modeled after their criteria just said "is authentication required". it doesn't say "is root required" or "administrative privs". it doesn't ask if i need admin privs on a phpBB installation vs admin privs on a cisco router. it doesn't distinguish between 'authentication' of a free WWWboard account or anything else. this is the first step to the system not adequately describing the risk of a vulnerability.
What I'm saying is that a system that attempts to capture too much detail will be awkward. CVSS does account for "Access Complexity" where the response is simply "high" or "low". I believe this provides for some flexibility in application. I also believe that the variables provide a fair basis for a common score.
> : As with any scoring system there is potential for misuse and errors. I created the calculator to illustrate how CVSS works and to do what-if scenarios.
> as i mentioned in another mail to you, how do you classify a remote overflow? if you use the standard CIA measure, it is
CVSS is still maturing. As more vulnerabilities are "scored" and the model refined and elaborated on, it should become easier to consistently score vulnerabilities.

Anyone care to select 5 CVE vulns and compare how we rate them?
Brian Erdelyi
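The exchange above argues about how coarse the CVSS base metrics are: "Access Complexity" is only high or low, and "Authentication" only asks whether any login is needed, not which privilege level. The following calculator is an added example written for this archive page; it is not Brian's calculator and not code from the thread. It implements the CVSS v1 base-score formula as published in 2005 (the multipliers are that spec's weights, reproduced from memory and labelled as such), and the sample vulnerabilities it scores are constructed to show the point the thread makes: a phpBB admin login and a Cisco router admin login, given the same metric values, produce the same score.

```python
# Added example, not part of the thread. Minimal CVSS v1 base-score
# calculator. Multiplier values are the CVSS v1 (2005) weights as the
# editor recalls them; all vulnerability descriptions below are constructed.

ACCESS_VECTOR = {"local": 0.7, "remote": 1.0}
ACCESS_COMPLEXITY = {"high": 0.8, "low": 1.0}
AUTHENTICATION = {"required": 0.6, "not_required": 1.0}
IMPACT = {"none": 0.0, "partial": 0.7, "complete": 1.0}
# Impact bias: which of confidentiality/integrity/availability carries
# the most weight for this vulnerability (normal = all equal).
IMPACT_BIAS = {
    "normal": (0.333, 0.333, 0.333),
    "confidentiality": (0.5, 0.25, 0.25),
    "integrity": (0.25, 0.5, 0.25),
    "availability": (0.25, 0.25, 0.5),
}


def base_score(access_vector, access_complexity, authentication,
               confidentiality, integrity, availability, bias="normal"):
    """Return the CVSS v1 base score (0.0 to 10.0) for the given metric values.

    BaseScore = round(10 * AV * AC * Au * (C*Cbias + I*Ibias + A*Abias), 1)
    """
    wc, wi, wa = IMPACT_BIAS[bias]
    impact = (IMPACT[confidentiality] * wc
              + IMPACT[integrity] * wi
              + IMPACT[availability] * wa)
    raw = (10
           * ACCESS_VECTOR[access_vector]
           * ACCESS_COMPLEXITY[access_complexity]
           * AUTHENTICATION[authentication]
           * impact)
    return round(raw, 1)


def score_samples():
    """Score a few constructed cases; returns {description: score}."""
    cases = {
        # The "remote overflow" from the thread, scored on plain CIA:
        # reachable without login, trivial to trigger, full compromise.
        "remote overflow, no auth, full compromise":
            ("remote", "low", "not_required", "complete", "complete", "complete"),
        # Same overflow, but only reachable once logged in.
        "remote overflow, auth required, full compromise":
            ("remote", "low", "required", "complete", "complete", "complete"),
        # Two very different "authentication required" situations receive
        # identical metric values, so v1 gives them identical scores: the
        # model does not encode which account or privilege level is needed.
        "phpBB admin account needed, partial C/I/A":
            ("remote", "low", "required", "partial", "partial", "partial"),
        "router admin account needed, partial C/I/A":
            ("remote", "low", "required", "partial", "partial", "partial"),
        # Local, hard to exploit, login needed, but total compromise.
        "local, hard to exploit, auth, full compromise":
            ("local", "high", "required", "complete", "complete", "complete"),
    }
    return {name: base_score(*args) for name, args in cases.items()}


if __name__ == "__main__":
    for name, score in score_samples().items():
        print(f"{score:5.1f}  {name}")
```

Scoring the constructed cases makes the granularity complaint concrete: the only lever the model offers for "who must be logged in" is the single 0.6 multiplier, so any extra distinction (forum admin versus router admin, free account versus paid) has to be carried outside the base score, for example in the environmental metrics or in the analyst's notes.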
_______________________________________________
Dailydave mailing list
Dailydave at lists.immunitysec.com
https://lists.immunitysec.com/mailman/listinfo/dailydave