We're almost into the third decade of the 21st century and we're still grading security bugs out of 10 like kids. Why?

Infosec veteran Marc Rogers on why we need a better system to rate vulnerabilities

The way we rate the severity of computer security vulnerabilities and bugs needs to change to better protect people and businesses from malware and cyber-crime.

So says Marc Rogers, executive director of cybersecurity at Okta and head of security at the world's biggest hacking conference DEF CON.

Speaking to The Register at Okta's Disclosure conference in San Francisco this week, Rogers reckoned today's methods of scoring and classifying security vulnerabilities reflect a dated system that doesn't take into account the way modern attackers operate.

"The challenge is the whole vulnerability management space has been evolving," Rogers said, "but it is being outpaced by the evolution of how we leverage attacks."

In particular, Rogers said, approaches such as the CVSS scoring system have led to an overemphasis on specific qualities of single vulnerabilities in isolation, and ignored the wider context, threat model, and potential for miscreants to exploit security weaknesses in a chain to cause unexpected damage. The old system of scoring security blunders from 0 (benign) to 10 (really bad) with various flags (eg, remotely or locally exploitable) just isn't going to cut it any more, in other words.

For example, while a business would, ideally, swiftly patch a remote-code execution flaw that has a high CVSS score, lower-scored bugs, such as elevation-of-privilege and information-disclosure holes, may not be treated as a priority.

And yet hackers could, for instance, exploit a data-leak vulnerability to obtain enough information to log into a system, and then exploit the privilege escalation flaw to fully hijack that box. Thus, the two low-scoring bugs could wind up being as bad as, if not worse than, the scary remote-code execution flaw, and yet may not be seen as a priority due to their CVSS ratings.

"It is complex, but there is nothing in the assessment process to deal with that," Rogers said. "It has lulled us into a false sense of security where we look at the score, and so long as it is low we don't allocate the resources."

Then there is the context of a bug. Rogers noted that, for example, a vulnerability that lets an attacker print text on a screen would barely move the needle in terms of a CVSS score. If that bug were to be exploited on, say, an in-flight entertainment screen or police signage, a scumbag could spark panic and chaos on a par with any simple system takeover.

There are also cases where seemingly harmless or esoteric bugs become big headaches once hackers find creative uses for them. Rogers pointed to the Rowhammer attack, in which malware can alter data in memory that should be out of reach, as one such example. Flipping one or two bits in RAM doesn't sound too destructive – until you flip just the right bits in kernel memory to gain root privileges.

"Just because a bug only allows you to do one small function, you don't think about what the implications are," Rogers said. "If you had assessed it based on just flipping bits, you would have thought it was just a physical vulnerability."

While a solution will be hard to come by, Rogers believes the first step will be to take a wider view of how we classify vulnerabilities. Rather than simply look at the immediate results of an exploit, he sees the need to take into account what an exploit could mean for the rest of the system.

To do that, infosec staff will need to broaden their horizons and reach out to other communities.

"That kind of assessment requires intelligence from the system builder or operator to add that context," Rogers explained. "We need to come up with a more dynamic process that takes in the CVSS score, but also factors in knowledge from the system." ®
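One way to make the "more dynamic process" concrete is to treat each bug as a step that needs some attacker capability and grants another, and to let the system's operator rate what each capability is worth on that particular system. The Python below is an added illustration, not code from the article, from Okta or from any scoring standard: the vulnerability list, the capability names and the impact table are all constructed. It scores every bug by the worst capability any chain through it can reach, so the credential leak and the local privilege escalation from the article inherit the score of the root access they jointly deliver, and the "print text on a screen" bug is rated by what that screen means on an in-flight entertainment system rather than by its base score.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

@dataclass(frozen=True)
class Vuln:
    vid: str                 # identifier (constructed for this example)
    cvss: float              # published base score, taken at face value
    needs: FrozenSet[str]    # capabilities the attacker must already hold
    gains: FrozenSet[str]    # capabilities exploitation hands the attacker

def derive(vulns: Iterable[Vuln], start: FrozenSet[str]) -> Tuple[Set[str], Dict[str, Set[str]]]:
    """Fixpoint over the capability graph.

    Returns the set of capabilities an attacker can reach from `start`, and for
    each reached capability the set of vulnerability ids that can sit on some
    exploit chain leading to it (redundant paths are all kept).
    """
    vulns = list(vulns)
    caps: Set[str] = set(start)
    deps: Dict[str, Set[str]] = {c: set() for c in start}
    changed = True
    while changed:
        changed = False
        for v in vulns:
            if not v.needs <= caps:
                continue  # prerequisites not reachable (yet)
            # Every bug that helped obtain a prerequisite is upstream of this one.
            upstream = {v.vid}.union(*(deps[n] for n in v.needs))
            for c in v.gains:
                if c not in caps:
                    caps.add(c)
                    deps[c] = set()
                    changed = True
                if not upstream <= deps[c]:
                    deps[c] |= upstream
                    changed = True
    return caps, deps

def contextual_scores(vulns: Iterable[Vuln], impact: Dict[str, float],
                      start: FrozenSet[str] = frozenset({"network"})) -> Dict[str, float]:
    """Score = max(base CVSS, operator-rated impact of any capability reachable via the bug).

    `impact` is the system-specific knowledge Rogers calls for: what holding a
    given capability is worth on *this* deployment. Capabilities the operator
    did not rate count as 0.0, so an incomplete table can only under-score.
    """
    vulns = list(vulns)
    caps, deps = derive(vulns, start)
    scores: Dict[str, float] = {}
    for v in vulns:
        downstream = [impact.get(c, 0.0) for c in caps if v.vid in deps[c]]
        scores[v.vid] = round(max([v.cvss] + downstream), 1)
    return scores

def rank(vulns: Iterable[Vuln], impact: Dict[str, float]) -> List[Tuple[str, float, float]]:
    """(id, base score, contextual score) sorted with the biggest contextual score first."""
    vulns = list(vulns)
    ctx = contextual_scores(vulns, impact)
    return sorted(((v.vid, v.cvss, ctx[v.vid]) for v in vulns), key=lambda r: -r[2])

# Constructed sample: the chain from the article plus a context-dependent display bug.
SAMPLE_VULNS = [
    Vuln("INFO-LEAK",     5.3, frozenset({"network"}),         frozenset({"credentials"})),
    Vuln("LOCAL-PRIVESC", 7.8, frozenset({"credentials"}),     frozenset({"root"})),
    Vuln("REMOTE-RCE",    9.8, frozenset({"network"}),         frozenset({"root"})),
    Vuln("SCREEN-TEXT",   4.3, frozenset({"network"}),         frozenset({"screen_text"})),
    Vuln("PHYS-ONLY",     6.1, frozenset({"physical_access"}), frozenset({"root"})),
]

# Constructed operator ratings for an in-flight entertainment deployment:
# controlling what passengers see is rated almost as badly as root.
SAMPLE_IMPACT = {"network": 0.0, "credentials": 4.0, "root": 9.8, "screen_text": 9.0}

if __name__ == "__main__":
    for vid, base, ctx in rank(SAMPLE_VULNS, SAMPLE_IMPACT):
        print(f"{vid:14} base={base:4.1f} contextual={ctx:4.1f}")
```

Run as a script it prints the five bugs ranked by contextual score: the leak, the privilege escalation and the remote code execution all land at 9.8, the screen bug at 9.0, and the physical-access bug stays at its base 6.1 because nothing in the model grants `physical_access`. Ranked by base score alone, the leak would have been the lowest exploitable item on the list.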
