
questions on penetration testing: ratings & # days to resolve

sunhux asked:
Some questions were raised on our practice of penetration testing:

a) On what bases are the ratings of Critical, High, Med, Low
    assigned?  Will an external-facing server's XSS get High
    while an internal server's (not exposed to public/Internet) XSS
    gets Med?   Are there also various types of XSS that warrant
    different ratings?
    Curious how the various tools assign these ratings, or whether in some
    cases it's the human pentester who assigns it?

b) Is there any framework, e.g. NIST, CREST or ...  that specifies
     the duration to resolve?
Commented:
> a) On what bases are the ratings of Critical, High, Med, Low
>     assigned?  Will an external-facing server's XSS get High
>     while an internal server's (not exposed to public/Internet) XSS
>     gets Med?   Are there also various types of XSS that warrant
>     different ratings?
>     Curious how the various tools assign these ratings, or whether in some
>     cases it's the human pentester who assigns it?
You'd have to ask the pentester. They may be using the ratings from the vendor. If you were talking about CVSS scores, then they aren't taking into account whether the system is externally facing or not.

> b) Is there any framework, e.g. NIST, CREST or ...  that specifies
>      the duration to resolve?
Not really. This is generally an organization's decision. You will see MSSPs that have their own standards set, but even then, they'll still recommend customization where appropriate.

noci, Software Engineer
Commented:

a)  Risk assessment is always something fuzzy....

High/Critical describes that you could very well lose all your data / it gets copied elsewhere, or you lose control of your systems, and Low will mean not that much risk.

High risks obviously are worse than low risks.

b) Well, if a neighbour warns you that your window isn't closed when you leave... are you going back to close it, or are you thinking next week is early enough.... (hoping the burglars won't notice this as well)?


Author commented:
>If you were talking about CVSS scores,
Can you point me to any authoritative links for CVSS scorings
that recommend the # days for remediations?

btan, Exec Consultant
Commented:

CVSS is a standard practice, but be careful: it is vulnerability centric, so if there is a gap in processes instead, these are weaknesses and not vulnerability driven (CVE). So the risk assessment adopted by your company needs to comply. In any case, your policy should override the CVSS, as it may be used for reference only. Anyway, CVSS has a calculator to aid you in deriving the level for that vulnerability - below is just an example for an internet facing system (hence 

- Attack Vector: Network
  The vulnerability is in the web application and reasonably requires network interaction with the server.
- Attack Complexity: Low
  Although an attacker needs to perform some reconnaissance of the target system, a valid session token can be easily obtained and many systems likely use well-known or default database names.
- Privileges Required: None
  An attacker requires no privileges to mount an attack.
- User Interaction: Required
  A successful attack requires the victim to visit the vulnerable component, e.g. by clicking a malicious URL.
- Scope: Changed
  The vulnerable component is the web server running the phpMyAdmin software. The impacted component is the victim's browser.
- Confidentiality Impact: Low
  Information maintained in the victim's web browser can be read and sent to the attacker. This is constrained to information associated with the web site running phpMyAdmin, and cookie data is excluded because the HttpOnly flag is enabled by default by phpMyAdmin.
  If the HttpOnly flag is not set, the Confidentiality Impact will become High if the attacker has access to sufficient cookie data to hijack the victim's session.
- Integrity Impact: Low
  Information maintained in the victim's web browser can be modified, but only information associated with the web site running phpMyAdmin.
- Availability Impact: None
  The malicious code can deliberately slow the victim's system, but the effect is usually minor and the victim can easily close the browser tab to terminate it.

PCI DSS has guidance on the scoring approach which is alluding to CVSS too.

6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as high, medium, or low) to newly discovered security vulnerabilities. Note: Risk rankings should be based on industry best practices as well as consideration of potential impact. For example, criteria for ranking vulnerabilities may include consideration of the CVSS base score, and/or the classification by the vendor, and/or type of systems affected. Methods for evaluating vulnerabilities and assigning risk ratings will vary based on an organization's environment and risk-assessment strategy. Risk rankings should, at a minimum, identify all vulnerabilities considered to be a high risk to the environment. In addition to the risk ranking, vulnerabilities may be considered critical if they pose an imminent threat to the environment, impact critical systems, and/or would result in a potential compromise if not addressed. Examples of critical systems may include security systems, public-facing devices and systems, databases, and other systems that store, process, or transmit cardholder data.


For remediation timelines, Critical and High are 2 weeks while Medium may be one month depending on risk appetite, and Low would be longer, such as 2 months or more. These are variations, and it is unlikely you have a consistent reference to the standards. Best is to advise based on risk appetite: a shorter period of 2 weeks is reasonable for a serious finding, with a longer allowance for less serious ones.

This is from a school policy:

  • Critical (CVSS 9-10) Vulnerabilities:
    • Create corrective action plan within two weeks.
    • Remediate vulnerability within one month.
  • High (CVSS 7-8.9) Vulnerabilities:
    • Create corrective action plan within one month.
    • Remediate vulnerability within three months.
  • Other Vulnerabilities:
    • Can be resolved based on availability of staff resources.

Laws, regulations, standards, or contractual agreements may also dictate a higher priority and shorter timeline than the CVSS score alone indicates. For example, to comply with the Payment Card Industry Data Security Standard (PCI DSS), any U-M PCI environment with a vulnerability that has a CVSS score of 4 or higher must be remediated within 30 days of notification. Vulnerabilities with scores lower than 4 must be remediated within two to three months.


Under NIST 800-171 security requirements, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (PDF):

3.14.1   Identify, report and correct information and information system flaws in a timely manner.

The organization will perform all security relevant software updates, to include patching, service packs, hot fixes, and anti-virus signature additions in response to identified system flaws and vulnerabilities within the time prescribed by organizational policy (Critical/High: 5 days, Moderate: 30 days, Low: As Available). When available, managers and administrators of the information system will rely on centralized management of the flaw remediation process, to include the use of automated update software, patch management tools, and automated status scanning.


Overall, it is best to run through an exercise to calibrate the frequency and also reference your most recent patching of the vulnerability or PT findings to give that assurance it is a balanced approach and an assured one. 

noci, Software Engineer
Commented:

CVSS Scores wikipedia: https://en.wikipedia.org/wiki/Common_Vulnerability_Scoring_System

And specification: https://www.first.org/cvss/specification-document#i5


There is NO # of days for remediation..., only whether a remediation exists or not.

If a remediation exists you need to implement it......


Risk scoring is not about when it will be resolved, it is about "Am I going to be bitten?", "How much will it hurt?" and "How many can bite me?" vs. how to prevent it from happening now I know the risk exists... (remediation, mitigation...).


Think about the Citrix meltdown...   Issue found during December; around Xmas/New Year an exploit was found (from the mitigation actions).  The final fix was only at the end of January for most of the Citrix versions.   From the earlier exploit others have been derived that worked around the mitigation...

The only reasonable course of action for several versions of Citrix was to pull the sites off-line.... (High Impact issue, as those tools were used by governments, police, hospitals, ... and the data to be accessed was quite valuable).

It might be safe to say that anyone that had an internet facing Citrix installation on-line between Jan 6th and Jan 10th got hacked (possibly multiple times) using automated tools.

This effectively became a 0-day exploit. 


So what time do you have in mind for remediation...