Sunday Jul 24, 2011

CVSS Worksheet

The Common Vulnerability Scoring System (CVSS) is commonly used to rate security vulnerabilities. It helps system administrators prioritize their response to security holes. Oracle provides CVSS ratings and base scores for most vulnerability fix announcements. You can calculate the score for a vulnerability using the NIST CVSSv2 calculator, but to use the calculator one must be familiar with the CVSS v2.0 guide.

Here is an attempt to provide a simple, intuitive and illustrated worksheet to calculate CVSS v2 base score:

You can access the standalone CVSSv2 Worksheet here.

Monday Jul 28, 2008

Notes from the 20th FIRST conference in Vancouver

I was at the 20th FIRST Conference in Vancouver last month. The Forum of Incident Response and Security Teams is a community of folks who work behind the scenes to keep the world running, from people securing your banks to people protecting your national infrastructure. Here are pointers to some of the interesting topics from the conference:
  • Fast Flux networks: fast flux nets are where compromised computers are used to temporarily host malware.

  • A talk on "Applied Security Visualization" demoed the state of the art in network visualization and its tools. There is a live CD project called DAVIX which aggregates the tools.

  • An interesting demo was of "RFID hacking", where Adam Laurie demonstrated duplicating company badges and electronic passports with gadgets that cost less than $100. He could take his scanner near a passport with RFID (aka E-passport) and display the holder's information, including the passport photo.

  • A keynote presentation from the former security chief of OLPC (One Laptop per Child) talked about the features of OLPC as a great advancement in security, e.g. the ability that only an open dialog box can open files! (BTW, that sounds very similar to what we call setuid in UNIX: only the password command can change passwords.)

  • A presentation about the Mozilla development process talked about how testing is done: they are always running an enormous number of test suites against the latest tree. They don't rely on the developers to do the testing for changes.

  • Honey spiders, which crawl spam and phishing sites in search of malware and execute or analyze it.

  • Atanai Sousa showed how phishing malware operated in Brazil, giving insight into how spyware and malware have the upper hand in capturing your bank passwords, whether you type them or use any of the other practically useless mechanisms invented to circumvent keyboard spies.

Overall it was good listening to stories directly from people on the battleground, to get an understanding of the real-world problems and threats they face. It also gave a good opportunity to meet product security folks from other companies and CERT folks from around the world, many of whom we communicate with over email daily.
