We're almost into the third decade of the 21st century and we're still grading security bugs out of 10 like kids. Why?
Infosec veteran Marc Rogers on why we need a better system to rate vulnerabilities
The way we rate the severity of computer security vulnerabilities and bugs needs to change to better protect people and businesses from malware and cyber-crime.
So says Marc Rogers, executive director of cybersecurity at Okta and head of security at the world's biggest hacking conference DEF CON.
Speaking to The Register at Okta's Disclosure conference in San Francisco this week, Rogers reckoned today's methods of scoring and classifying security vulnerabilities reflect a dated system that didn't take into account the way that modern attackers operate.
"The challenge is the whole vulnerability management space has been evolving," Rogers said, "but it is being outpaced by the evolution of how we leverage attacks."
In particular, Rogers said, approaches such as the CVSS scoring system have led to an overemphasis on specific qualities of single vulnerabilities in isolation, and ignored the wider context, threat model, and potential for miscreants to exploit security weaknesses in a chain to cause unexpected damage. The old system of scoring security blunders from 0 (benign) to 10 (really bad) with various flags (eg, remotely or locally exploitable) just isn't going to cut it any more, in other words.
For example, while a business would, ideally, swiftly patch a remote-code execution flaw that has a high CVSS score, lower-scored bugs, such as elevation-of-privilege and information-disclosure holes, may not be treated as a priority.
And yet hackers could, for instance, exploit a data-leak vulnerability to obtain enough information to log into a system, and then exploit the privilege escalation flaw to fully hijack that box. Thus, the two low-scoring bugs could wind up as bad as, if not worse than, the scary remote-code execution flaw, and yet may not be seen as a priority due to their CVSS rating.
"It is complex, but there is nothing in the assessment process to deal with that," Rogers said. "It has lulled us into a false sense of security where we look at the score, and so long as it is low we don't allocate the resources."
Then there is the context of a bug. Rogers noted that, for example, a vulnerability that lets an attacker print text on a screen would barely move the needle in terms of a CVSS score. If that bug were to be exploited on, say, an in-flight entertainment screen or police signage, a scumbag could spark panic and chaos on a par with any simple system takeover.
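As an added illustration of the chaining and context arguments above (example code, not from the article or from Okta), here is a toy Python model in which each bug is scored not in isolation but by the worst outcome an attacker can reach by chaining onward from it, weighted by what that outcome means on a given deployment. The inventory, its scores and the impact tables are constructed assumptions, not real CVEs.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    name: str
    cvss: float           # the bug's isolated score, as a triager sees it
    requires: frozenset   # attacker capabilities needed to exploit it
    grants: frozenset     # capabilities the attacker holds afterwards

# Constructed inventory with hypothetical scores; none of these are real CVEs.
INVENTORY = [
    Vuln("web-rce", 9.8, frozenset({"network"}), frozenset({"root"})),
    Vuln("info-leak", 5.3, frozenset({"network"}), frozenset({"login"})),
    Vuln("local-privesc", 6.5, frozenset({"login"}), frozenset({"root"})),
    Vuln("screen-text", 3.7, frozenset({"network"}), frozenset({"display"})),
]

# What each end state is worth on a given deployment (assumed values): the same
# "display" capability is a nuisance on an office PC and a safety issue in-flight.
OFFICE_IMPACT = {"login": 6.0, "root": 10.0, "display": 2.0}
INFLIGHT_IMPACT = {"login": 6.0, "root": 10.0, "display": 9.0}

def closure(vulns, caps):
    """Fixed point: keep exploiting any bug whose preconditions are already met."""
    caps = set(caps)
    while True:
        gained = set()
        for v in vulns:
            if v.requires <= caps:
                gained |= v.grants - caps
        if not gained:
            return frozenset(caps)
        caps |= gained

def effective_score(vulns, v, impact, start=frozenset({"network"})):
    """Worst outcome reachable by chaining onward from v; 0 if v itself is unreachable."""
    if not v.requires <= closure(vulns, start):
        return 0.0
    downstream = closure(vulns, v.grants)
    return max((impact.get(c, 0.0) for c in downstream), default=0.0)

def prioritise(vulns, impact):
    """Rank bugs by chain-aware score, with the isolated CVSS only as a tie-breaker."""
    rows = [(v.name, v.cvss, effective_score(vulns, v, impact)) for v in vulns]
    return sorted(rows, key=lambda r: (r[2], r[1]), reverse=True)

if __name__ == "__main__":
    for ctx, impact in (("office", OFFICE_IMPACT), ("in-flight", INFLIGHT_IMPACT)):
        for name, cvss, eff in prioritise(INVENTORY, impact):
            print(f"{ctx:10s} {name:14s} cvss={cvss:4.1f} chain-aware={eff:4.1f}")
```

In this model the 5.3-rated info leak scores the same as the 9.8 RCE once the privilege-escalation hop is taken into account, and the text-on-screen bug jumps from 2.0 to 9.0 purely from the deployment context.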
There are also cases where seemingly harmless or esoteric bugs become big headaches once hackers find creative uses for them. Rogers pointed to the Rowhammer attack, in which malware can alter data in memory that should be out of reach, as one such example. Flipping one or two bits in RAM doesn't sound too destructive – until you flip just the right bits in kernel memory to gain root privileges.
"Just because a bug only allows you to do one small function, you don't think about what the implications are," Rogers said. "If you had assessed it based on just flipping bits, you would have thought it was just a physical vulnerability."
While a solution will be hard to come by, Rogers believes the first step will be to take a wider view of how we classify vulnerabilities. Rather than simply look at the immediate results of an exploit, he sees the need to take into account what an exploit could mean for the rest of the system.
To do that, infosec staff will need to broaden their horizons and reach out to other communities.
"That kind of assessment requires intelligence from the system builder or operator to add that context," Rogers explained. "We need to come up with a more dynamic process that takes in the CVSS score, but also factors in knowledge from the system." ®