I agree, and NIST provides good guidance on relative severity levels in the form of CVSS Base Scores for most vulnerabilities. You can adjust the scores to your environment and according to changes in the threat level by using your own customized CVSS Temporal and Environmental Scores. This is exactly how CVSS is designed to operate: a vendor or trusted third party provides a basic evaluation using common criteria for exploitability, complexity, and type of impact factors, and you adjust that evaluation according to your own systems and controls. The result will almost always be better than anything a single organization could come up with on their own.
Mapping the resulting CVSS scores to your own severity levels (low, medium, high, critical, or whatever) and what this requires in terms of response is something each organization has to decide for itself based on things like resource availability, risk tolerance, etc. See http://nvd.nist.gov/cvss.cfm for more information.

Jerry Heidtke, CISSP
Lead Information Security Analyst
MGIC Information Security
414-347-6837

"Datdamwuf Datdamwuf" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
06/26/2006 03:31 PM

To: [EMAIL PROTECTED], [email protected]
cc:
Subject: Re: Severity classification

NIST has a nice database that gives you all of the references for a particular vuln; it can be searched using the CVE number. SANS has a nice explanation of different risk levels that can be helpful in coming up with the actual risk on a given network. There are so many variables dependent on the environment of the host that you have to determine severity separately for each network you evaluate.

~D

>From: [EMAIL PROTECTED]
>To: [email protected]
>Subject: Re: Severity classification
>Date: Mon, 26 Jun 2006 09:38:41 -0500
>
>[EMAIL PROTECTED] wrote on 06/24/2006 08:24:40 AM:
>
> > Hi Folks,
> >
> > I am wondering if there is any common source which defines the severity
> > level of any vulnerability, stating that it's high/medium or
> > informational, or whether every vendor who develops VA tools classifies the
> > severity levels on their own? Thanks in advance
>
>We have found that we can only use other people's severity ratings as a
>guide. We have to rank them ourselves based on our applications and
>architectures. We have a committee that meets weekly to review new *nix
>vulnerabilities. (Our Microsoft folks meet just after Microsoft's security
>announcements, usually on Black Tuesday.)
>
>While nothing is perfect, we tend to use CVE ( cve.mitre.org ) for
>information on each vulnerability (except for Microsoft and some other
>vendor-specific vulnerabilities.)
>
>Tom
>
>Toto, I don't think we're in the mainframe world any more.
>_______________________________________________
>Nessus mailing list
>[email protected]
>http://mail.nessus.org/mailman/listinfo/nessus

_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
