The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.
Difference between revisions of "SVG:Notes On Risk"
(Created page with '{{svg-header}} This provides some notes on Risk Categories The Risk Assessment Team (RAT) put each valid issue in 1 of 4 risk categories: *Critical *High *Moderate *Low The R…') |
|||
| Line 19: | Line 19: | ||
Vulnerabilities which have been exploited are classed as Incidents and should be handled according to [https://documents.egi.eu/public/RetrieveFile?docid=47&version=11&filename=EGI-MS405-IRTF-47-V12.pdf EGI CSIRT incident Handling procedure pdf file | Vulnerabilities which have been exploited are classed as Incidents and should be handled according to [https://documents.egi.eu/public/RetrieveFile?docid=47&version=11&filename=EGI-MS405-IRTF-47-V12.pdf EGI CSIRT incident Handling procedure pdf file ] by reporting to abuse (at) egi.eu See the [[EGI_CSIRT:Incident_reporting | EGI CSIRT Incident Reporting Wiki ]] | ||
See the [[EGI_CSIRT:Incident_reporting | EGI CSIRT Incident Reporting Wiki ]] | |||
| Line 28: | Line 26: | ||
An anonymous or unauthorized user can | *An anonymous or unauthorized user can gain root or admin access | ||
*An anonymous or unauthorized user can carry out widespread damage, data destruction or access to confidential data. | |||
A public exploit is available allowing unauthorized access. | *A public exploit is available allowing an authorized user to trivially gain root or admin access. | ||
*A public exploit is available allowing unauthorized access. | |||
| Line 41: | Line 40: | ||
Most Root or admin exploits where the vulnerability has not been made public, where no public exploit exists, and only an authorized user can exploit the problem. | *Most Root or admin exploits where the vulnerability has not been made public, where no public exploit exists, and only an authorized user can exploit the problem. | ||
Most cases of identity theft and impersonation. | *Most cases of identity theft and impersonation. | ||
Most cases in which an authorized user in principle can carry out | *Most cases in which an authorized user in principle can carry out | ||
widespread destruction of data belonging to another group | widespread destruction of data belonging to another group | ||
An Information leak which is illegal or embarrassing. | *An Information leak which is illegal or embarrassing. | ||
Grid Wide denial of service. | *Grid Wide denial of service. | ||
| Line 57: | Line 56: | ||
Potentially serious, but hard to exploit problems, where no actual exploit has been written and | *Potentially serious, but hard to exploit problems, where no actual exploit has been written and | ||
producing one is seen as difficult. | producing one is seen as difficult. | ||
e.g. hard to exploit buffer overflow | e.g. hard to exploit buffer overflow | ||
e.g. hard to exploit Race conditions | e.g. hard to exploit Race conditions | ||
Most types of command injection vulnerability. | *Most types of command injection vulnerability. | ||
Problem where a user can cause disruption to services, but are easily traceable. | *Problem where a user can cause disruption to services, but are easily traceable. | ||
== Low == | == Low == | ||
Denial of service at single site. | *Denial of service at single site. | ||
Vulnerability in actual software - but if configured as instructed not exploitable. | *Vulnerability in actual software - but if configured as instructed not exploitable. | ||
Potential vulnerability identified, but not clear how to exploit it. | *Potential vulnerability identified, but not clear how to exploit it. | ||
Revision as of 16:09, 8 November 2010
| Main page | Software Security Checklist | Issue Handling | Advisories | Notes On Risk | Advisory Template | More |
Notes On Risk
This provides some notes on Risk Categories
The Risk Assessment Team (RAT) put each valid issue in 1 of 4 risk categories:
- Critical
- High
- Moderate
- Low
The RAT decides on the Risk category, according to their judgement. There is no fixed formula for setting the risk category. Various mitigating factors may lower the risk category, such as a vulnerability being difficult to exploit, or only being exploitable in rare circumstances. Certain situations may raise the risk category, such as a public exploit being available. The categories below are simply examples from past experience and discussions of which type of issue falls into which category.
Note that these properties refer to the potential for exploit, and have not been exploited.
Vulnerabilities which have been exploited are classed as Incidents and should be handled according to EGI CSIRT incident Handling procedure pdf file by reporting to abuse (at) egi.eu See the EGI CSIRT Incident Reporting Wiki
Critical
- An anonymous or unauthorized user can gain root or admin access
- An anonymous or unauthorized user can carry out widespread damage, data destruction or access to confidential data.
- A public exploit is available allowing an authorized user to trivially gain root or admin access.
- A public exploit is available allowing unauthorized access.
High
- Most Root or admin exploits where the vulnerability has not been made public, where no public exploit exists, and only an authorized user can exploit the problem.
- Most cases of identity theft and impersonation.
- Most cases in which an authorized user in principle can carry out
widespread destruction of data belonging to another group
- An Information leak which is illegal or embarrassing.
- Grid Wide denial of service.
Moderate
- Potentially serious, but hard to exploit problems, where no actual exploit has been written and
producing one is seen as difficult.
e.g. hard to exploit buffer overflow e.g. hard to exploit Race conditions
- Most types of command injection vulnerability.
- Problem where a user can cause disruption to services, but are easily traceable.
Low
- Denial of service at single site.
- Vulnerability in actual software - but if configured as instructed not exploitable.
- Potential vulnerability identified, but not clear how to exploit it.
| Issue Handling Summary |
Reporters |
SVG View |
Software Providers |
EGI MW Unit |
Deployment |
Notes on Risk |