[Dailydave] The CrateMaster2000 of Security.

Ron Gula rgula at tenablesecurity.com
Sat Jan 27 07:50:10 EST 2007


Robert Graham wrote:
> --- Anton Chuvakin <anton at chuvakin.org> wrote:
>> So, I am curious, how is CVSS like a CrateMaster 2000?
> 
> You can't create definitive metrics for things like this. 
> 
> Down the road from Singapore is Kuala Lumpur (KL), home to the
> Petronas Towers. After their completion in 1998, they were hailed as the
> "World's Tallest Building" (taking the honor away from the Sears Tower in
> Chicago). This designation depended upon changing the criteria for what it
> meant to be the world's tallest. You'd think that such criteria would be pretty
> simple and objective, just measure from top to bottom. In reality, it's complex
> because you can't define where the bottom is, where the top is, or even whether
> something is a building. After looking at the following diagram, you'll see why
> many people still consider the Petronas towers quite a bit shorter than the
> Sears Tower:
> 
> http://www.skyscraperpage.com/diagrams/?25384417
> 
> CVSS is the same way. It tries to reduce something to a single number (or set
> of numbers) that is inherently complex. It gives the appearance of scientific
> legitimacy to something that is as arbitrary as a game or movie review. ("I
> give this vuln two thumbs up!!!").
> 
> The fundamental problem with cyber-security metrics is that the things we can
> easily quantify are rarely interesting, and the things that are interesting are
> hard to quantify. The pseudo-science of security metrics goes ahead and
> quantifies them anyway.

I disagree. Regardless of how you measure the height of the Sears Tower
and the Petronas Towers, they are both really, really tall and are
easily the tallest buildings in their cities.

I'm happy with CVSS for classifying vulnerabilities. I agree there still
is some subjectiveness to scoring a vulnerability, but most of this
comes from how familiar or accurate a person performing the score is
with it. And if there is disagreement with the score, the plugin-values
for how the score was computed are also available.

I've seen some organizations say they will only fix vulns with scores
larger than "x". I think that is short-sighted, but better than nothing.
I'd be more comfortable with lower scores for critical systems, systems
that held certain types of sensitive data and so on.

Ron Gula, CTO
Tenable Network Security