[Owasp-testing] Are the Risk Rating Wiki Pages Broken?

Marco Morana marco.m.morana at gmail.com
Mon Aug 19 19:17:04 UTC 2013


In my opinion the skill level of the threat agent is a variable of threat agent capability and ease of discover and exploit of the vulnerability. The other factors to consider for threat agent probability are the threat agent motivations. The threat agent skills would matter in the case the vulnerability is not easy to exploit (easiness  of exploit is low) such ad when it will require special skills on behalf of the attacker (or attackers) to conduct the exploit as well as capabilities (special tools). In that case, the higher the skill required and the use of not common attacking techniques and tools the lower the probability as the number of skilled and capable threat agent population able to perform the exploit would be low (e.g. script kiddies skills are low if what it takes to exploit is grabbing a pen test tool or free attack tool to exploit a common vulnerability and the probability of that exploit is high) the skill level therefore need to be commiserated to the difficulty of the exploit such as in the case the vulnerability is not a common one (e.g. OWASP T10) and requires special knowledge and tools of the threat agent to exploit it. 

cheers, Marco M.

Sent from my iPad

On 19 Aug 2013, at 17:47, "rick.mitchell at bell.ca" <rick.mitchell at bell.ca> wrote:

> I just had a client ask about: https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
> 
> It seems at some point in the last two years that the skill level ratings have been reversed. Such that a skilled attacker has a lower rating that an unskilled attacker. This doesn't make any logical sense. 
> 
> At a high level the wiki defines "Risk = Likelihood * Impact"
> 
> If Threat Agent goes towards the Likelihood part of the calculation a skilled individual should be of greater concern than an unskilled individual. If one's "most likely" attacker is skilled then their risk should be higher than if their "most likely" attacker is unskilled. So someone with "Security penetration skills" should be a 9 not a 1 (raising the risk calc)... On the flip side someone with "no technical skills" should be a 1 not a 9 (thus reducing my risk calc). 
> 
> From the wiki page:
> "The goal here is to estimate the likelihood of a successful attack by this group of threat agents. Use the worst-case threat agent.
> 
> Skill level
>    How technically skilled is this group of threat agents? Security penetration skills (1), network and programming skills (3), advanced computer user (4), some technical skills (6), no technical skills (9)"
> 
> Further down the page: "Then you simply take the average of the scores to calculate the overall likelihood."
> 
> So using the numbers in the wiki table you come up with 4.375, if you increase the skill level value (thus decreasing the attacker's actual skill as defined earlier in the page) your risk rating is increased:
> 9|2|7|1|3|6|9|2 = AVG of 4.875 (where 9 is defined as unskilled) which would pull your whole risk rating for an issue up.
> 1|2|7|1|3|6|9|2 = AVG of 3.875 (where 1 is defined as highly skilled) which would drag your whole risk rating for an issue down.
> 
> Is the methodology trying to state that you're unlikely to be attacked by skilled individuals? Wouldn't that be a function of motivation or opportunity not skill? Meaning that while a highly skilled individual might pose greater risk from a skill perspective they may not be motivated or have opportunity to carry out and exploit of the issue in question.
> 
> Rick
> 
> --------------------------------
> Rick Mitchell 
> Security Analyst, Security Testing and Incident Response Team
> Bell Business Markets
> Phone: 613-785-4019
> Email: rick.mitchell at bell.ca
>   
> 
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing


More information about the Owasp-testing mailing list