[Owasp-testing] Are the Risk Rating Wiki Pages Broken?
rick.mitchell at bell.ca
Tue Aug 20 14:54:21 UTC 2013
We need to keep in mind that Web App VA or PenTest shouldn't be trying to take the place of a true Threat and Risk Assessment. The activities should be completely separate. As VA or PenTest contractors, we're likely to have all the details necessary to perform true TRA type risk calculations. I suspect this is why the wiki content suggests that the included methodology can (and should) be expanded/extended as companies/organizations see fit.
From: Marco Morana [mailto:marco.m.morana at gmail.com]
Sent: August 20, 2013 10:35 AM
To: Jim Manico
Cc: Mitchell, Rick (6030318); owasp-testing at lists.owasp.org
Subject: Re: [Owasp-testing] Are the Risk Rating Wiki Pages Broken?
Jim, I think it would be worth also having the opinion of whoever put the risk model together in the first place; perhaps it was not discussed and reviewed? Cheers, Marco
Sent from my iPad
On 20 Aug 2013, at 15:25, Jim Manico <jim.manico at owasp.org> wrote:
> I think there is a more fundamental problem with the mathematics here,
> and I've strayed away from this guide.
> The different impact factors are *averaged* together for a final
> impact score, which absolutely makes no sense.
> You can have a "loss of confidentiality" that is "off the chart" and
> still have an overall low impact factor.
> I think "use the max value per category"
> is more appropriate.
> Credit for this concern goes to Josh Sokol.
> Jim Manico
> (808) 652-3805
> On Aug 20, 2013, at 3:12 PM, Marco Morana <marco.m.morana at gmail.com> wrote:
>> Rick, sure it makes sense to update it, let me know if you need my contribution as well as to discuss how, cheers Marco
>> Sent from my iPad
>> On 20 Aug 2013, at 14:05, "rick.mitchell at bell.ca" <rick.mitchell at bell.ca> wrote:
>>> Hi Marco, while I understand and agree with some of the arguments both you and Yvan have made I'm really just looking for, either: 1) confirmation from the list that a mistake has been made at some point (see below), or 2) a suggestion as to who "owns" the risk rating methodology content that I should maybe be talking to instead.
>>> (I've CC'd Jeff on this reply as he seems to have been involved in the creation of said wiki content, based on the wiki history).
>>> The change seems to have occurred between these edits:
>>> -----Original Message-----
>>> From: Marco Morana [mailto:marco.m.morana at gmail.com]
>>> Sent: August 19, 2013 3:17 PM
>>> To: Mitchell, Rick (6030318)
>>> Cc: owasp-testing at lists.owasp.org
>>> Subject: Re: [Owasp-testing] Are the Risk Rating Wiki Pages Broken?
>>> In my opinion the skill level of the threat agent is a variable of threat agent capability and ease of discovery and exploit of the vulnerability. The other factors to consider for threat agent probability are the threat agent motivations. The threat agent skills would matter in the case the vulnerability is not easy to exploit (easiness of exploit is low), such as when it will require special skills on behalf of the attacker (or attackers) to conduct the exploit as well as capabilities (special tools). In that case, the higher the skill required and the use of uncommon attacking techniques and tools, the lower the probability, as the number of skilled and capable threat agents able to perform the exploit would be low (e.g. script kiddies' skills are low; if what it takes to exploit is grabbing a pen test tool or free attack tool to exploit a common vulnerability, the probability of that exploit is high). The skill level therefore needs to be commensurate with the difficulty of the exploit, such as in the case the vulnerability is not a common one (e.g. OWASP T10) and requires special knowledge and tools of the threat agent to exploit it.
>>> cheers, Marco M.
>>> Sent from my iPad
>>> On 19 Aug 2013, at 17:47, "rick.mitchell at bell.ca" <rick.mitchell at bell.ca> wrote:
>>>> I just had a client ask about: https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
>>>> It seems at some point in the last two years that the skill level ratings have been reversed, such that a skilled attacker has a lower rating than an unskilled attacker. This doesn't make any logical sense.
>>>> At a high level the wiki defines "Risk = Likelihood * Impact"
>>>> If Threat Agent goes towards the Likelihood part of the calculation a skilled individual should be of greater concern than an unskilled individual. If one's "most likely" attacker is skilled then their risk should be higher than if their "most likely" attacker is unskilled. So someone with "Security penetration skills" should be a 9 not a 1 (raising the risk calc)... On the flip side someone with "no technical skills" should be a 1 not a 9 (thus reducing my risk calc).
>>>> From the wiki page:
>>>> "The goal here is to estimate the likelihood of a successful attack by this group of threat agents. Use the worst-case threat agent.
>>>> Skill level
>>>> How technically skilled is this group of threat agents? Security penetration skills (1), network and programming skills (3), advanced computer user (4), some technical skills (6), no technical skills (9)"
>>>> Further down the page: "Then you simply take the average of the scores to calculate the overall likelihood."
>>>> So using the numbers in the wiki table you come up with 4.375, if you increase the skill level value (thus decreasing the attacker's actual skill as defined earlier in the page) your risk rating is increased:
>>>> 9|2|7|1|3|6|9|2 = AVG of 4.875 (where 9 is defined as unskilled) which would pull your whole risk rating for an issue up.
>>>> 1|2|7|1|3|6|9|2 = AVG of 3.875 (where 1 is defined as highly skilled) which would drag your whole risk rating for an issue down.
>>>> Is the methodology trying to state that you're unlikely to be attacked by skilled individuals? Wouldn't that be a function of motivation or opportunity, not skill? Meaning that while a highly skilled individual might pose greater risk from a skill perspective, they may not be motivated or have the opportunity to carry out an exploit of the issue in question.
>>>> Rick Mitchell
>>>> Security Analyst, Security Testing and Incident Response Team
>>>> Bell Business Markets
>>>> Phone: 613-785-4019
>>>> Email: rick.mitchell at bell.ca
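The two arithmetic points raised in this thread (Rick's 4.875 vs 3.875 likelihood averages, and Jim's objection that averaging impact factors lets a maxed-out "loss of confidentiality" vanish into a medium score) can be checked side by side. The block below is an added worked example, not code from the thread or from OWASP; the factor names, the low/medium/high bands (0 to <3, 3 to <6, 6 to 9) and the severity matrix are the editor's reading of the wiki page and should be treated as assumptions, and the impact row is constructed to illustrate Jim's concern.

```python
# Added example (not from the thread): compare "average the factors" with
# "take the max per category" for an OWASP-style Risk = Likelihood * Impact
# rating. Factor names, bands and the severity matrix are ASSUMED from the
# editor's reading of the wiki page, not stated in the e-mail text.

# Rick's two likelihood rows from the thread, labelled with the wiki's eight
# likelihood factors (the mapping of his numbers to factor names is assumed).
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
ROW_UNSKILLED = dict(zip(LIKELIHOOD_FACTORS, [9, 2, 7, 1, 3, 6, 9, 2]))  # skill=9 ("no technical skills")
ROW_SKILLED = dict(zip(LIKELIHOOD_FACTORS, [1, 2, 7, 1, 3, 6, 9, 2]))    # skill=1 ("penetration skills")

# Constructed technical-impact row: confidentiality is "off the chart" while
# the other factors are negligible, which is exactly the case Jim describes.
IMPACT_CONF_ONLY = {
    "loss_of_confidentiality": 9,
    "loss_of_integrity": 1,
    "loss_of_availability": 1,
    "loss_of_accountability": 1,
}


def average_score(factors):
    """Wiki approach: arithmetic mean of the 0-9 factor scores."""
    return sum(factors.values()) / len(factors)


def max_score(factors):
    """Jim's proposal: the worst single factor drives the category score."""
    return max(factors.values())


def band(score):
    """Assumed banding: 0-<3 LOW, 3-<6 MEDIUM, 6-9 HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


# Assumed overall-severity matrix: rows are the impact band, columns the
# likelihood band.
SEVERITY = {
    "LOW":    {"LOW": "NOTE",   "MEDIUM": "LOW",    "HIGH": "MEDIUM"},
    "MEDIUM": {"LOW": "LOW",    "MEDIUM": "MEDIUM", "HIGH": "HIGH"},
    "HIGH":   {"LOW": "MEDIUM", "MEDIUM": "HIGH",   "HIGH": "CRITICAL"},
}


def overall_severity(likelihood, impact, lik_agg=average_score, imp_agg=average_score):
    """Combine a likelihood row and an impact row, each reduced by its own aggregator."""
    return SEVERITY[band(imp_agg(impact))][band(lik_agg(likelihood))]


if __name__ == "__main__":
    for name, row in (("unskilled, skill=9", ROW_UNSKILLED), ("skilled, skill=1", ROW_SKILLED)):
        avg = average_score(row)
        print(f"likelihood ({name}): avg={avg:.3f} -> {band(avg)}")
    print(f"impact: avg={average_score(IMPACT_CONF_ONLY):.1f} -> {band(average_score(IMPACT_CONF_ONLY))}, "
          f"max={max_score(IMPACT_CONF_ONLY)} -> {band(max_score(IMPACT_CONF_ONLY))}")
    print("overall, averaging impact:", overall_severity(ROW_SKILLED, IMPACT_CONF_ONLY))
    print("overall, max-per-category impact:",
          overall_severity(ROW_SKILLED, IMPACT_CONF_ONLY, imp_agg=max_score))
```

Running it reproduces Rick's 4.875 and 3.875 (both land in the MEDIUM band, so the reversed skill scale changes the number but not the band for his row), and shows the dilution Jim describes: the constructed impact row averages to 3.0 (MEDIUM) although one factor is 9, so the overall rating comes out MEDIUM under averaging and HIGH once the impact category is reduced by its maximum. Only the impact side is switched to max here; applying max to the likelihood factors as well would push every row with a single 9 to HIGH, which is a separate design decision from the one raised in the thread.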