Should Risk Impact (not likelihood or overall risk) be quantified by the initial impact, or should you quantify by eventual (potential) impact [on hold]

I am undertaking a risk assessment and trying to work out the risk impact on confidentiality if a company employee (specifically a System Administrator) steals server hardware.

On the one hand the System Admin already h…

CVSS Score Remote or Local Scenario

I have had to deal with a lot of CVSSv2 and CVSSv3 scores for many, many years. What has troubled me for just as long is which default attack scenario should be defined for a vulnerability. Let’s take a malicious Office document as an example. As soon as it is opened it is able to run code within the context of the user. There are two possible scenarios which lead to two different CVSSv3 vectors:

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L -> 6.3

This is the traditional scenario applied by malware which spreads via email over the Internet (AV:N). A user (victim) has to open the file willingly (UI:R) to initiate the code execution.

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L -> 5.3

This is the other scenario where a local attacker (AV:L) abuses the vulnerability to gain elevated privileges. No unwanted user interaction (UI:N) is required by the “victim” (because the attacker and the victim are not the same person in this scenario).

Which one is right or better? We tend to use the one with the higher score if it is a realistic scenario. This discussion applies to every vulnerability that might also be used willingly within a local attack scenario (e.g. most browser-based attacks).


Are there any Common Weakness Entries (CWEs) applicable for hardware security weaknesses?

I can’t seem to find a suitable CWE for classifying hardware-specific security weaknesses. Particularly, I’m looking for a CWE that applies to power glitching or clock glitching against a microcontroller or microprocessor.

Are there any C…