At 12:03 2002-02-15 -0500, you wrote:
Is there any definition for these categories/types?
Is a High-riskFactor Warning more worrisome than a Medium-riskFactor Hole?
Thanks,
Roy Chenoweth, CISSP
(317) 299-2525 x362
Roy!
I don't want to ridicule or try to make a joke, BUT
What do YOU think is more "worrisome"?
Over to your first question, I "stole" the following text from
X-force/ISS site, I think the definition is applicable on the
CVE/Nessus reports remarks, though during a quick search
the closest i came was
http://cve.mitre.org/about/terminology.html
Please - correct me quick if I am wrong about this.
/Eppis
****************
_____
_____
Risk Factor Key:
High Any vulnerability that provides an attacker with immediate
access into a machine, gains superuser access, or bypasses
a firewall. Example: A vulnerable Sendmail 8.6.5 version
that allows an intruder to execute commands on mail server.
Medium Any vulnerability that provides information that has a high
potential of giving system access to an intruder. Example:
A misconfigured TFTP or vulnerable NIS server that allows
an intruder to get the password file that could contain an
account with a guessable password.
Low Any vulnerability that provides information that could
potentially lead to a compromise. Example: A finger that
allows an intruder to find out who is online and potential
accounts to attempt to crack passwords via brute force
methods.
______
About Internet Security Systems (ISS)
Internet Security Systems is a leading global provider of security
management solutions for the Internet, protecting digital assets and
ensuring safe and uninterrupted e-business. With its industry-leading
intrusion detection and vulnerability assessment, remote managed
security services, and strategic consulting and education offerings, ISS
is a trusted security provider to more than 8,000 customers worldwide
including 21 of the 25 largest U.S. commercial banks and the top 10 U.S.
telecommunications companies. Founded in 1994, ISS is headquartered in
Atlanta, GA, with additional offices throughout North America and
international operations in Asia, Australia, Europe, Latin America and
the Middle East. For more information, visit the Internet Security
Systems web site at www.iss.net or call 888-901-7477.
Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved
worldwide.
Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent of
the X-Force. If you wish to reprint the whole or any part of this Alert in
any other medium excluding electronic medium, please e-mail [EMAIL PROTECTED]
for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.
X-Force PGP Key available at: sensitive.php
as well as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to: X-Force
[EMAIL PROTECTED] of Internet Security Systems, Inc.
- Holes, Warning, Notes Chenoweth, Roy
- Rikard Epstein
