Friday, March 13, 2009

Are patch severity ratings worth getting exactly right?

In the security community there is a commonly used standard for rating a vulnerability or a patch: CVSS (the Common Vulnerability Scoring System). Many product vendors such as Cisco use it to score the patches for their own products, and security service vendors such as Tenable (Nessus), Qualys and IBM ISS also use CVSS to compute a score for each patch that feeds their vulnerability scanners, IDS signatures or patch notification services.

Here is the problem. For a given Microsoft patch, Microsoft uses its own rating method, which usually yields Critical or Important. Security vendors cannot simply copy that rating, because Microsoft labels patches Critical so often that they are not as critical as they appear. So other vendors either invent their own rating method or just follow CVSS, and the result is predictable: different vendors give different ratings to the same patch. I don't want to show examples here because everyone knows this already.

Back to the enterprise environment: the security team delivers patches together with a severity rating. How can that rating be accurate when the community itself cannot agree on one? In my opinion, only the most critical vulnerabilities should be rated High or Urgent, such as MS04-011 and MS08-067 (the bugs behind the Sasser and Conficker worms), which let script kiddies and automated worms take over a system with little effort. Other patches should be rated Medium or Low depending on their mechanism (for example, whether exploitation needs local access, authentication or user interaction), and no precision is needed between Medium and Low. The operations team then only needs to focus on the High severity patches, the ones that could affect the company's business. This should be defined in the company security policy, with a different remediation time frame for each tier. Policy makers should understand these facts and write policy that makes the operations team's life easier.
