Friday, 3 August 2012

DREAD: A Risk Assessment Approach

The problem with a simplistic rating system is that team members usually will not agree on ratings. To help solve this, add new dimensions that help determine what the impact of a security threat really means. The DREAD model is used to help calculate risk. Using DREAD, you arrive at the risk rating for a given threat by asking the following questions:
  • Damage potential: How great is the damage if the vulnerability is exploited?
  • Reproducibility: How easy is it to reproduce the attack?
  • Exploitability: How easy is it to launch an attack?
  • Affected users: As a rough percentage, how many users are affected?
  • Discoverability: How easy is it to find the vulnerability?
You can use the above items to rate each threat. You can also extend the above questions to meet your needs. For example, you could add a question about potential reputation damage:
  • Reputation: How high are the stakes? Is there a risk to reputation, which could lead to the loss of customer trust?
Ratings do not have to use a large scale, because a large scale makes it difficult to rate threats consistently alongside one another. You can use a simple scheme such as High (3), Medium (2), and Low (1), as in the rating table below.
When you clearly define what each value represents for your rating system, it helps avoid confusion. Table 1.1 shows a typical example of a rating table that can be used by team members when prioritizing threats.
Table 1.1   Threat Rating Table

| Rating | High (3) | Medium (2) | Low (1) |
|---|---|---|---|
| D: Damage potential | The attacker can subvert the security system; get full trust authorization; run as administrator; upload content. | Leaking sensitive information | Leaking trivial information |
| R: Reproducibility | The attack can be reproduced every time and does not require a timing window. | The attack can be reproduced, but only with a timing window and a particular race situation. | The attack is very difficult to reproduce, even with knowledge of the security hole. |
| E: Exploitability | A novice programmer could make the attack in a short time. | A skilled programmer could make the attack, then repeat the steps. | The attack requires an extremely skilled person and in-depth knowledge every time to exploit. |
| A: Affected users | All users, default configuration, key customers | Some users, non-default configuration | Very small percentage of users, obscure feature; affects anonymous users |
| D: Discoverability | Published information explains the attack. The vulnerability is found in the most commonly used feature and is very noticeable. | The vulnerability is in a seldom-used part of the product, and only a few users should come across it. It would take some thinking to see malicious use. | The bug is obscure, and it is unlikely that users will work out damage potential. |

After you ask the above questions, add up the values (1–3) for a given threat. The total falls in the range 5–15. You can then treat threats with overall ratings of 12–15 as High risk, 8–11 as Medium risk, and 5–7 as Low risk.
For example, consider the two threats described earlier:
  • Attacker obtains authentication credentials by monitoring the network.
  • SQL commands injected into application.
Table 1.2 shows an example DREAD rating for both threats:

Table 1.2   DREAD rating

| Threat | D | R | E | A | D | Total | Rating |
|---|---|---|---|---|---|---|---|
| Attacker obtains authentication credentials by monitoring the network. | 3 | 3 | 2 | 2 | 2 | 12 | High |
| SQL commands injected into application. | 3 | 3 | 3 | 3 | 2 | 14 | High |

Once you have obtained the risk rating, you update the documented threats and add the discovered rating level, which is High for both of the above threats. Table 1.3 shows an example.
Table 1.3   Threat 1

| Threat Description | Attacker obtains authentication credentials by monitoring the network |
|---|---|
| Threat target | Web application user authentication process |
| Risk rating | High |
| Attack techniques | Use of network monitoring software |
| Countermeasures | Use SSL to provide an encrypted channel |

Using DREAD can be difficult at first. It may be helpful to think of Damage Potential and Affected Users in terms of Impact, while thinking of Reproducibility, Exploitability, and Discoverability in terms of Probability.
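The scoring procedure above (five ratings of 1–3, summed into a 5–15 total and bucketed into High/Medium/Low) and the Impact/Probability grouping in the closing remark are small enough to capture in code. The following is an added example, not code from the original post; it encodes the scale from Table 1.1, the bucket thresholds from the text, and the two threats from Table 1.2. The `DreadScore` class, `risk_level`, and `rate_threats` are names chosen here for illustration, and the Impact/Probability split follows the grouping the closing paragraph suggests.

```python
from __future__ import annotations

from dataclasses import dataclass

# Scale taken from the page's Table 1.1: High = 3, Medium = 2, Low = 1.
HIGH, MEDIUM, LOW = 3, 2, 1
CATEGORIES = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")


@dataclass(frozen=True)
class DreadScore:
    """One rating (1-3) per DREAD category, in the order D, R, E, A, D."""
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self) -> None:
        # Reject anything outside the 1-3 scale so totals always stay in 5-15.
        for name in CATEGORIES:
            value = getattr(self, name)
            if value not in (LOW, MEDIUM, HIGH):
                raise ValueError(f"{name} must be 1, 2 or 3, got {value!r}")

    def total(self) -> int:
        return sum(getattr(self, name) for name in CATEGORIES)

    # The closing remark of the post groups the five categories into two views:
    # Damage potential + Affected users as Impact, the other three as Probability.
    def impact(self) -> int:
        return self.damage + self.affected_users

    def probability(self) -> int:
        return self.reproducibility + self.exploitability + self.discoverability


def risk_level(total: int) -> str:
    """Bucket a 5-15 total as the page does: 12-15 High, 8-11 Medium, 5-7 Low."""
    if not 5 <= total <= 15:
        raise ValueError(f"DREAD total must be 5-15, got {total}")
    if total >= 12:
        return "High"
    if total >= 8:
        return "Medium"
    return "Low"


def rate_threats(threats: dict[str, DreadScore]) -> list[tuple[str, int, str]]:
    """Return (threat, total, rating) rows, highest total first."""
    rows = [(name, score.total(), risk_level(score.total()))
            for name, score in threats.items()]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# The two threats and their per-category ratings come from the page's Table 1.2.
THREATS = {
    "Attacker obtains authentication credentials by monitoring the network.":
        DreadScore(damage=3, reproducibility=3, exploitability=2,
                   affected_users=2, discoverability=2),
    "SQL commands injected into application.":
        DreadScore(damage=3, reproducibility=3, exploitability=3,
                   affected_users=3, discoverability=2),
}

if __name__ == "__main__":
    # Prints the threat list in priority order with the Impact/Probability split.
    for name, total, rating in rate_threats(THREATS):
        score = THREATS[name]
        print(f"{rating:6} {total:2}  impact={score.impact()} "
              f"probability={score.probability()}  {name}")
```

Running the script prints the SQL injection threat first (total 14) and the credential-sniffing threat second (total 12), both rated High, matching Table 1.2. Validating each rating at construction time is what keeps the 5–15 range and the bucket thresholds meaningful; a team that lets someone enter a 5 for Damage potential silently breaks the comparison the text is trying to make consistent.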