Dailydave mailing list archives

Re: smaller errors eroding situational awareness.
From: Ron Gula <rgula () tenable com>
Date: Fri, 16 Aug 2013 19:36:08 +0000

Examples like this are why I push the "exploitability" field as a form
of prioritization for vulnerabilities. I've seen too many organizations
debate a CVSS score with our support team so they can get it moved off
of their mandate to patch everything with a CVSS score of X or higher.


On 8/16/13 2:38 PM, "Dave Aitel" <dave () immunityinc com> wrote:

Related Twitter threads here:

One thing you should pay attention to, as someone who works in IT
security is how the various assumptions change over time. It used to be
that managing your network security was how well you used a few simple
product types. Essentially we had network sniffers and network scanners
of various sorts, along with the signature-based AVs. Most enterprises
remember having tons of network sniffer monkeys looking at logs and
sniffer alerts and then trying to use that to generate some level of
activity. But that turns out to be mindbogglingly expensive, and
ineffective as we have all learned the hard way.

This then changed into how well you integrate and analyze information
from these tools. The SIEM was born. The downside being that sorting
through massive amounts of noise to find tiny signals is by definition
expensive, no matter how good your tool is.

This is also true on the assessment side - small errors can add up to
cloud your situational awareness. For example, in the below referenced
Twitter stream you can see a penetration tester scanning a network using
a vulnerability assessment tool, which then marks a potential ColdFusion
bug as "medium". Part of this is because the National Vulnerability
Database marked it as having a CVSS score of 7.5, despite it being a
remote, unauthenticated, SYSTEM-level vulnerability.

That said, if all you had was the Vulnerability Assessment data, you
would probably relegate fixing this weakness to "when I get around to
it", which would explain all the nicely vulnerable ColdFusion boxes on
the Interwebs. 

So my conclusion here is that despite all thoughts to the contrary, CVSS,
the NVD, and hence vulnerability risk rankings, do, in fact, matter.


As a post-script, Nessus has updated their score on this particular
vulnerability. I emailed the NVD about it too.

Dailydave mailing list
Dailydave () lists immunityinc com
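
Added example, not part of the original thread: the CVSS v2 base-score equations (the CVSS version in use in 2013), showing how the choice of impact metrics alone moves a remote, unauthenticated finding between 7.5 and 10.0 and across a "patch everything at X or higher" mandate. The thread gives only the score 7.5; both vectors and the 8.0 threshold below are assumptions constructed for illustration.

```python
# CVSS v2 metric weights from the CVSS v2 specification.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}    # Access Vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}     # Access Complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}    # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}   # Conf./Integ./Avail. impact

def parse_vector(vector):
    """Split 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into a metric dict."""
    metrics = dict(part.split(":") for part in vector.split("/"))
    missing = {"AV", "AC", "Au", "C", "I", "A"} - metrics.keys()
    if missing:
        raise ValueError(f"missing metrics: {sorted(missing)}")
    return metrics

def base_score(vector):
    """CVSS v2 base score, rounded to one decimal."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)

def covered_by_mandate(vector, threshold):
    """True if a 'patch everything scoring >= threshold' policy catches it."""
    return base_score(vector) >= threshold

# Constructed vectors: same remote, unauthenticated access metrics,
# differing only in whether impact is rated Partial or Complete.
AS_PARTIAL = "AV:N/AC:L/Au:N/C:P/I:P/A:P"    # assumed vector yielding 7.5
AS_COMPLETE = "AV:N/AC:L/Au:N/C:C/I:C/A:C"   # assumed vector for SYSTEM-level impact
THRESHOLD = 8.0                              # hypothetical patch mandate

if __name__ == "__main__":
    for name, vec in (("partial", AS_PARTIAL), ("complete", AS_COMPLETE)):
        print(name, vec, base_score(vec), covered_by_mandate(vec, THRESHOLD))
```
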
