IDS mailing list archives
RE: Intrusion Risk Assessment
From: "Nicole Nicholson" <nanicholson () hotmail com>
Date: Wed, 08 Jan 2003 09:11:16 -0800
Robert - If you need a qualitative scale, then this one (I think from SANS) is a good way to go since it's as close to a standard as you are going to get.
However, if you can get away with a low/medium/high approach, I think you would be better off. I've found that the more levels of alerts you have the more confused people get. Take the red/blue/orange/hot pink/yellow/green/whatever scale they use for Homeland Security. Does anyone really know what they mean besides Tom Ridge?
As for assigning a definition to them (low/medium/high), you may want to consider bringing the alerts "up a level in management". For example, I've seen companies define "high" alerts as "potential significant impact to company's stock value and/or perceived reputation". In that way a "high" alert always means the same thing, whether it is generated by an IDS or the CFO. You then need to map these alerts back to the technology. For example, a "technical" definition of a "high" IDS alert may be: An exploit was accomplished on a public facing web server.
Hope this helps. Cheers. -Nicole
From: Robert Buckley <rbuckley () synapsemail com>
To: 'Rob Shein' <shoten () starpower net>, Robert_Huber () bankone com, focus-ids () securityfocus com
Subject: RE: Intrusion Risk Assessment
Date: Tue, 7 Jan 2003 12:32:20 -0500

Many people like to use this equation (scale from -10 through +10):

    (lethality + criticality) - (net_defense + host_defense) = attack success rate

where lethality is the level of compromise the attack offers, criticality defines the system's purpose (is it a core device or someone's workstation, etc.), and net + host defense are self-explanatory.

I.e. core Cisco router being attacked on the http port (there is a well known vulnerability here):

    (5 + 5) - (0 + 0) = 10

The probability of a successful attack is 10. It was a lethal attack, on a core device, where I had no net defense, nor any host defense.

Let's change the view...

    (5 + 5) - (5 + 5) = 0

The probability of a successful attack is 0. It was a lethal attack, on a core device, but I have ACLs denying port 80 to this device, and the host doesn't run http services at all.

One more example: netbios name mangling attack against a workstation

    (2 + 1) - (0 + 5) = -2

Lethality is a denial of service, criticality is low because it's a workstation, I have no net defense but am up to date on the patch that prevents the attack. The probability of success on this attack is -2.

Of course, it's up to the individual to put values on the parameters, so one analyst may have a different result than the next.

Hope this helps you.

rb.

-----Original Message-----
From: Rob Shein [mailto:shoten () starpower net]
Sent: Monday, January 06, 2003 7:36 PM
To: Robert_Huber () bankone com; focus-ids () securityfocus com
Subject: RE: Intrusion Risk Assessment

The problem with this is, define "damage." IDS systems are not aware of the nature of what they defend. An IIS exploit might be utterly useless against an apache web server, but the IDS is not intrinsically aware of which servers are apache and which are IIS.

Add to that the fact that such severity levels as "minor damage" or "minimal access to recover," are dependent upon the information stored on a machine (which no current IDS could ever be cognizant of) as well as the role of that machine.

> -----Original Message-----
> From: Robert_Huber () bankone com [mailto:Robert_Huber () bankone com]
> Sent: Monday, January 06, 2003 12:54 PM
> To: focus-ids () securityfocus com
> Subject: Intrusion Risk Assessment
>
> Anyone know of any IDS risk assessment matrixes out there?
> I'm looking for something like the following:
>
> Rating  Severity
> 1       No Damage        a. Not possible to exploit (or)
>                          b. No damage (or)
>                          c. Hoax
>
> 2       Harassment       a. Possible damage, unconfirmed (or)
>                          b. Temporarily shuts down services and/or temporarily prevents access to information
>
> 3       Minor Damage     a. Short-term impact (or)
>                          b. Exploit allows access to view files (or)
>                          c. Minimal effort required to recover
>
> 4       Moderate Damage  a. The exploit is easy to perform (or)
>                          b. Important systems can be affected with administrative compromise (or)
>                          c. Exploit allows full access to files (or)
>                          d. Long-term effects, significant effort may be required to recover
>
> 5       Heavy Damage     a. The exploit is easy to perform (and)
>                          b. An exploit will cause severe damage to multiple computers (and/or)
>                          c. Requires reinstallation or recovery from backup
>
> Robert Huber
> Bank One Information Security
> Phone: 302-282-2234
> Pager: 888-646-3502
>
> **********************************************************************
> This transmission may contain information that is privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you
> **********************************************************************
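The following is an added worked example, not code from any poster in this thread. It implements the (lethality + criticality) - (net_defense + host_defense) formula from Robert Buckley's reply, reproduces his three arithmetic examples, supplies the asset context Rob Shein says an IDS lacks by looking the target up in an inventory before the defence terms are filled in, and collapses the result to the low/medium/high scale Nicole recommends. The signature IDs, IP addresses, inventory entries, ACL table and the band cut-offs are all constructed assumptions for illustration; nothing in the thread fixes those values.

```python
"""Score an IDS alert with the formula quoted in the thread above:

    severity = (lethality + criticality) - (net_defense + host_defense)

Lethality and criticality run 1..5 and the two defence terms 0..5, so the
result sits in -10..+10 as the post says. The asset inventory and ACL
table below are constructed sample data (assumed, not from the thread);
in practice they come from a CMDB or vulnerability-scanner export, which
is how the IDS learns what it cannot know from the packet alone.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    sid: str
    lethality: int      # 1 = nuisance .. 5 = full compromise of the target
    fix_id: str         # advisory/patch that closes the hole (assumed label)


@dataclass(frozen=True)
class Asset:
    ip: str
    criticality: int                  # 1 = workstation .. 5 = core device
    listening: FrozenSet[int]         # ports with a service actually running
    applied_fixes: FrozenSet[str]     # advisories already applied on the host


@dataclass(frozen=True)
class Verdict:
    severity: int
    lethality: int
    criticality: int
    net_defense: int
    host_defense: int
    asset_known: bool   # False when the target was not in the inventory


# Constructed sample data modelled on the examples in the thread.
SIGNATURES: Dict[str, Signature] = {
    "CISCO-HTTP": Signature("CISCO-HTTP", lethality=5, fix_id="cisco-http-fix"),
    "NETBIOS-NAME": Signature("NETBIOS-NAME", lethality=2, fix_id="ms-netbios-fix"),
}
ASSETS: Dict[str, Asset] = {
    # core router, http management enabled, not patched
    "10.0.0.1": Asset("10.0.0.1", 5, frozenset({23, 80}), frozenset()),
    # core router, no http service at all
    "10.0.0.2": Asset("10.0.0.2", 5, frozenset({22}), frozenset()),
    # workstation, netbios up but the relevant fix is applied
    "10.0.5.7": Asset("10.0.5.7", 1, frozenset({137, 139}), frozenset({"ms-netbios-fix"})),
}
# (dst_ip, dst_port) pairs an upstream ACL drops before they reach the host.
ACL_DENY: FrozenSet[Tuple[str, int]] = frozenset({("10.0.0.2", 80)})


def net_defense(ip: str, port: int, acl_deny=ACL_DENY) -> int:
    """5 if the network filters this port to this host, else 0.
    Kept two-state on purpose; a partial filter would need a middle value."""
    return 5 if (ip, port) in acl_deny else 0


def host_defense(asset: Asset, sig: Signature, port: int) -> int:
    """5 if the host does not run the targeted service or already has
    the fix for this signature, else 0."""
    if port not in asset.listening or sig.fix_id in asset.applied_fixes:
        return 5
    return 0


def score(sid: str, dst_ip: str, dst_port: int,
          signatures=SIGNATURES, assets=ASSETS) -> Verdict:
    sig = signatures[sid]
    asset: Optional[Asset] = assets.get(dst_ip)
    if asset is None:
        # Without inventory data the IDS has no basis for the right-hand
        # terms. Assume the worst (core asset, no defences) and flag it so
        # the analyst knows the number is a placeholder, not a measurement.
        crit, nd, hd, known = 5, 0, 0, False
    else:
        crit = asset.criticality
        nd = net_defense(dst_ip, dst_port)
        hd = host_defense(asset, sig, dst_port)
        known = True
    sev = (sig.lethality + crit) - (nd + hd)
    return Verdict(sev, sig.lethality, crit, nd, hd, known)


def band(v: Verdict) -> str:
    """Collapse the -10..+10 score to a low/medium/high scale. The cut-offs
    (>= 5 high, >= 0 medium) and treating an unknown asset as high are
    assumptions chosen for this example."""
    if not v.asset_known or v.severity >= 5:
        return "high"
    return "medium" if v.severity >= 0 else "low"


if __name__ == "__main__":
    for sid, ip, port in [("CISCO-HTTP", "10.0.0.1", 80),
                          ("CISCO-HTTP", "10.0.0.2", 80),
                          ("NETBIOS-NAME", "10.0.5.7", 137),
                          ("CISCO-HTTP", "192.0.2.9", 80)]:
        v = score(sid, ip, port)
        print(f"{sid:13} {ip:10}:{port:<4} "
              f"({v.lethality}+{v.criticality})-({v.net_defense}+{v.host_defense})"
              f" = {v.severity:3}  {band(v)}"
              + ("" if v.asset_known else "  [unknown asset]"))
```

The first three calls give 10, 0 and -2, the same numbers as the thread's examples; the fourth targets an address missing from the inventory and is scored as a worst case with `asset_known` cleared, which is the practical answer to the objection that the sensor by itself cannot tell an IIS exploit aimed at Apache from a real hit.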
Current thread:
- Intrusion Risk Assessment Robert_Huber (Jan 06)
- RE: Intrusion Risk Assessment Rob Shein (Jan 07)
- Re: Intrusion Risk Assessment Herve Debar (Jan 07)
- <Possible follow-ups>
- RE: Intrusion Risk Assessment Alan Shimel (Jan 07)
- Re: Intrusion Risk Assessment Fernando Cardoso (Jan 07)
- RE: Intrusion Risk Assessment Robert Buckley (Jan 07)
- FW: Intrusion Risk Assessment Peter Schwarz (Jan 07)
- re[2]: Intrusion Risk Assessment Richard Bennison (Jan 08)
- re[2]: Intrusion Risk Assessment Ron Gula (Jan 10)
- RE: VA/IDS Integration (Was: RE: re[2]: Intrusion Risk Assessment) David J. Meltzer (Jan 10)
- re[2]: Intrusion Risk Assessment Ron Gula (Jan 10)
- RE: Intrusion Risk Assessment Nicole Nicholson (Jan 08)
- RE: Intrusion Risk Assessment Fengmin Gong (Jan 21)
