Home page logo

dailydave logo Dailydave mailing list archives

Re: smaller errors eroding situational awareness.
From: Kristian Erik Hermansen <kristian.hermansen () gmail com>
Date: Fri, 16 Aug 2013 12:16:55 -0700

Forgive the top post...

Good stuff. The excellent Carnal0wnage blog has many posts entitled "From
LOW to PWNED" that are highly entertaining to read because so many admins
leave the low rated risks exposed, thinking they won't get popped with them
;) Encourage everyone to check those out!

But why would NVD or Nessus change the CVSS Base Score unless they got it
wrong? It would make more sense to change the TEMPORAL CVSS scoring
On Aug 16, 2013 11:45 AM, "Dave Aitel" <dave () immunityinc com> wrote:

Related Twitter threads here:

One thing you should pay attention to, as someone who works in IT security
is how the various assumptions change over time. It used to be that
managing your network security was how well you used a few simple product
types. Essentially we had network sniffers and network scanners of various
sorts, along with the signature-based AVs. Most enterprises remember having
tons of network sniffer monkeys looking at logs and sniffer alerts and then
trying to use that to generate some level of activity. But that turns out
to be mindbogglingly expensive, and ineffective as we have all learned the
hard way.

This then changed into how well you integrate and analyze information from
these tools. The SIEM was born. The downside being that sorting through
massive amounts of noise to find tiny signals is by definition expensive,
no matter how good your tool is.

This is also true on the assessment side - small errors can add up to
cloud your situational awareness. For example, in the below referenced
Twitter stream you can see a penetration tester scanning a network using a
vulnerability assessment tool, which then marks a potential ColdFusion bug
as "medium". Part of this is because the National Vulnerability Database
marked it as having a CVSS score of 7.5, despite it being a remote,
unauthenticated, SYSTEM-level vulnerability.

That said, if all you had was the Vulnerability Assessment data, you would
probably relegate fixing this weakness to "when I get around to it", which
would explain all the nicely vulnerable ColdFusion boxes on the Interwebs.

So my conclusion here is that despite all thoughts to the contrary, CVSS,
the NVD, and hence vulnerability risk rankings, do, in fact matter.


As a post-script, Nessus has updated their score on this particular
vulnerability. I emailed the NVD about it too.

Dailydave mailing list
Dailydave () lists immunityinc com

Dailydave mailing list
Dailydave () lists immunityinc com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]