Economic Value of a threat

Is it sufficient to just benchmarks threats based on CVSS ratings or do we need to do something more to actually understand the threat better

Increasingly, IT Security professionals have begun to identify the economic value of a threat. The current vulnerability and threat rating methodology used by CVSS considers the following issues

1. Level of difficulty in accessing the vulnerable software interface
2. Impact that a successful attack has on the confidentiality, integrity, and availability of vulnerable systems
3. Public availability and reliability of exploit code
4. Availability of patches or workarounds

The profile of a hacker has evolved from a school dropout or a techie nerd to international crime syndicates exploiting threats for commercial reasons. Whereas an amateur hacker might take an interest in any security vulnerability that comes along, serious computer criminals are particularly interested in vulnerabilities that provide a significant return on investment. So, in reality threats reported by CVSS are high risk are very rarely exploited unless it makes commercial sense for hackers to do so.

IBM Internet Security Systems X-Force® research and development team has in its white paper identified the following instances when CVSS ratings have proved to be misnomers.

In the case of SNMPv3 HMAC Authentication Vulnerability (CVE-2008-0960), originally, NIST assigned this vulnerability a CVSS base score of 6.8, causing it to be overlooked by many security analysts. Later, the score was revised to 10 when the full implications became clear. This vulnerability is very easy to exploit, requiring just 256 packets to access any password protected SNMPv3 interface. Also, sample exploit code can be downloaded from the Internet. The security consequences can be significant depending on what SNMPv3 has been configured to do. Of particular concern are Internet routers, which attackers may be able to reconfigure using this interface to disrupt, spy on, or modify Internet traffic. Given how powerful this vulnerability is, how easy it is to exploit, and how large the installed base is for SNMP, one would expect to see widespread exploitation, or at least probing and attempts at exploitation, but very little has materialized. The reason is that even though this vulnerability is easy to exploit, successful attacks are difficult to monetize. This sort of vulnerability is a special case that does not fit easily into the business models of organized criminal groups who are attempting to profit from computer security problems.

On the other hand, The Microsoft Snapshot Viewer ActiveX Control vulnerability (CVE-2008-2463) was assigned a CVSS base score of 7.5 by NIST. It was first reported to the public by Microsoft on July 7th, 2008 when they received word of targeted exploitation in the wild. Unfortunately, this vulnerability is easy to reliably exploit, as it’s not a buffer overflow requiring the use of version specific offsets, but rather an interface that allows an arbitrary file to be downloaded from the Internet and placed anywhere on the victim’s computer, including the startup folder or in place of a system file. The Snapshot Viewer vulnerability was popular with attackers not just because it was easy to exploit, but because it fit directly into established processes and software tools that computer criminals employ. Vulnerabilities are frequently reported in ActiveX controls and attackers are used to incorporating exploits into Web exploit toolkits and using them to propagate spyware that collects financial credentials. So in this case, the exploitation cost was low and so was the monetization cost.

There are some cases that might have gone either way. In February, Microsoft patched a remote code execution vulnerability in ASP (CVE-2008-0075) which also had a CVSS score of 10. This attack provides complete control over a vulnerable Web server, something computer criminals are very interested in, as they can redirect users to their exploit toolkits. An exploit in CORE IMPACT demonstrates that the vulnerability is exploitable, and a public analysis of the bug by H.D. Moore provides some technical details. However, no public exploit has ever emerged till date.

Likewise cross site scripting though easy to identify and exploit are not as popular SQL injection as the latter enables attackers to take control of websites and redirect traffic making more commercial sense for them.

For security experts, they need to see more than mere CVSS ratings. While economic considerations are unique to each organization, CVSS benchmarks must be factored further by including the level of economic potential to the hacker to determine the risk level for each threat.