
What is a Vulnerability?
A defect in a system that allows unauthorized access when the defect is exploited. Generally, these defects occur because of errors in the design, development, or implementation of a system. A vulnerability can be a weakness in hardware, software, or procedures.
What is a Threat?
A threat is a potential action that could steal or corrupt data, disrupt business, or cause general harm, and that we want to prevent from happening. In general, there are three categories.
Intentional threats: malware, ransomware, phishing, malicious code, and improper access to user login credentials are all examples of intentional threats. They are activities or methods that bad actors use to compromise security systems or software.
Unintentional threats: often caused by human error. In cybersecurity, someone might leave a server room door unlocked or leave sensitive information unmonitored. An employee could forget to update their firewall or anti-virus software. Current and even former employees may also have unnecessary access to sensitive data, or be unaware of a threat (which is why employee training is so important).
Natural threats: While acts of nature (floods, hurricanes, tornadoes, earthquakes, etc.) are not usually related to cybersecurity, they are unpredictable and can potentially damage your assets.
What is Risk?
The chance of asset loss, threat exposure, and potential damage from a cyberattack; it is essentially the meeting point between a threat and a vulnerability. The risk of losing intellectual property and sensitive information has increased recently, so organizations put in place the best security measures they can for data protection. Risk management is gaining importance among cyber security professionals. It includes examining the potential or probability of negative events and assessing the damage that a breach or attack may cause.
Risk = Threat * Vulnerability
What is Severity?
Here I discuss a little about how to determine the severity of bug findings using the Common Vulnerability Scoring System, or CVSS. The Common Vulnerability Scoring System is an open industry standard for assessing the severity of system security vulnerabilities.
Note: the severity scoring in this section is technical scoring, not business scoring.
There are at least 8 criteria that are assessed to determine the severity of a vulnerability that has been found, namely Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), User Interaction (UI), Scope (S), Confidentiality (C), Integrity (I), and Availability (A).
1. Attack Vector (AV)
How the vulnerable component is reached in order to exploit it. There are 4 categories:
- Network (N)
When you can access or exploit the target remotely, without having to be on the same network.
- Adjacent (A)
When you need a special approach to reach the target you want to exploit. For example, you must be on the same local network, or you must use a VPN (Virtual Private Network) to reach the target.
- Local (L)
The target cannot be exploited from the network and can only be exploited by interacting directly with it, for example from a local shell session such as one obtained over SSH.
- Physical (P)
An exploit that can only be performed with physical access to the target.
2. Attack Complexity (AC)
The level of difficulty of exploiting the target once it has been identified. There are only 2 ratings to choose from:
- Low (L)
When we successfully exploit a vulnerability without any difficulty.
Case in point: The pentester finds a SQL Injection vulnerability and it can be exploited directly using sqlmap, or the pentester finds a vulnerability that matches a CVE and the exploit is publicly available.
- High (H)
When exploitation only succeeds after considerable preparation and work by the pentester, because its success depends on conditions outside the attacker's control.
3. Privileges Required (PR)
The level of credentials the attacker must have on the target in order to exploit the vulnerability. There are 3 ratings:
- None (N)
When the exploit succeeds without requiring any credentials on the target.
Case in point: XSS vulnerability found in the search feature of the target website that can be executed without logging in.
- Low (L)
When exploitation requires access to the target as at least a low-privilege user.
Case in point: XSS vulnerability found in the edit user profile feature on a website.
- High (H)
When exploitation requires access as a highly privileged user.
Case in point: A pentester finds an RCE vulnerability on a target website by bypassing restrictions on the file upload feature. However, the upload feature can only be accessed by users with admin privileges and not by users with lower privileges.
4. User Interaction (UI)
Whether interaction from another user is required for the attack or exploit to succeed. There are two ratings to choose from:
- None (N)
When an exploit is performed successfully without needing interaction from another user.
Case in point: To perform privilege escalation through a vulnerable kernel, the pentester can directly execute a local root exploit because they already have access to a TTY shell.
- Required (R)
Exploitation succeeds only when another user interacts.
Case in point: To obtain data from another user through a CSRF vulnerability, that user must click a link containing the CSRF payload that the pentester has prepared.
5. Scope (S)
Whether the exploit, when successful, affects components beyond the vulnerable one. The ratings are:
- Unchanged (U)
The affected scope does not change when the exploit succeeds: only the vulnerable component is affected.
Case in point: When an attacker performs a DDoS attack on an application, only the application being targeted is affected by the attack.
- Changed (C)
The affected scope changes when the exploit succeeds: a component other than the vulnerable one is affected.
Case in point: The scope of an XSS attack is Changed because, even though the vulnerability is in the application under test, it is the user's browser that is affected.
Next we will discuss the impact metrics of the exploit: Confidentiality (C), Integrity (I), and Availability (A). These are usually the "spearhead" for determining severity, because even if exploitation is easy, if there is no significant impact on the system the final score of the assessment can be Low or even just Informational.
These three CIA metrics are assessed together, and I will discuss them one by one.
6. Confidentiality (C)
Confidentiality here concerns the confidentiality of the data affected after a successful exploitation. The rating is divided into three, namely:
- None (N)
No confidential data is affected by the discovered bug.
Case in point: The pentester finds a Directory Listing, but it only contains static files such as images and JavaScript that are loaded by the object being tested.
- Low (L)
This bug can lead to data leakage, but the attacker has no control over which data is affected.
Case in point: A pentester discovers an IDOR bug in an application that allows them to view other users' data.
- High (H)
This bug allows the attacker to control which data is obtained through exploitation.
Case in point: A pentester discovers an LFI vulnerability that gives access to data on the affected object. Or, the pentester finds a Directory Listing that contains database backups.
7. Integrity (I)
The Integrity metric assesses the integrity of the protected data of the affected object. The rating is divided into three, namely:
- None (N)
The attacker cannot modify data through the exploit.
Case in point: A DDoS attack.
- Low (L)
The discovered vulnerability allows the attacker to modify some of the data of the affected object, but the modification has no serious direct impact on the target.
Case in point: A pentester finds an XSS vulnerability on the target website by modifying the value of a vulnerable field, but the "end goal" of XSS is not that modification, and the impact falls more on the user who accesses the page than on the application itself.
- High (H)
This bug allows the attacker to control which data is modified after a successful exploit, with a direct impact on the application under test.
Case in point: A pentester finds a price tampering bug on an online shop website and successfully checks out an item at a price of Rp 0.
8. Availability (A)
This metric assesses the availability of the vulnerable component. There are three ratings to choose from, namely:
- None (N)
The availability of data in the application is not affected by the vulnerability.
Case in point: A pentester finds a Directory Listing that contains important data of the application's users. Although the Confidentiality of this finding may be High, its Availability is None.
- Low (L)
The discovered bug slightly degrades the application's resources.
Case in point: A pentester finds an HTML Injection bug that causes some pages of the component to be compromised.
- High (H)
This vulnerability allows the attacker to control the availability of the affected object.
Case in point: A pentester discovers an RCE vulnerability in the system and is able to remove an application component, making the application inaccessible.
Correlation between Threat, Vulnerability, Risk, and Severity
The correlation between Threat, Vulnerability, Risk, and Severity is the relationship in which, if a vulnerability exists, a threat may exploit it and pose a risk to the company; how severe that vulnerability is can be determined with the help of CVSS.
Note: when assessing, we must look at the impact that will occur to the application itself. The same kind of vulnerability may result in different scores. For example, the Confidentiality score for a Directory Listing that contains important user data and for a Directory Listing that only contains static files is certainly different.
That is the explanation I can share this time; if something is wrong it can be corrected, and if something is missing you can add it.
Thanks for all.