[This was originally published on the OSVDB blog.]
While chatting with a journalist about risks and ratings (I think the conversation started with CVSS and moved on to more general risk ratings), I got to wondering about the usefulness of the Internet risk/threat ratings that some security companies maintain. Does anyone use them? Do they help anyone other than journalists, who tend to reference them as if they gave a meaningful measure of the current risk?
Such ratings suffer from the same problems as any other vulnerability or risk scoring system: they tend to be overly complex, too subjective, or too simple. When I took notes to remind myself to blog about this, I wrote down the ratings of a few security outfits at the time; the value in parentheses is where each one stands as I write this:
Symantec ThreatCon: Level 3, High (now at 1; scale of 1 to 4)
ISS AlertCon: Level 2, with a note that it would stay there until Jan 6 (now at 1, anticipated to hold through Feb 2; scale of 1 to 4)
SANS Internet Storm Center Infocon: Yellow (now at Green, the lowest of four levels)
Does any of that really help you?
The initial ratings were taken at the height of the WMF exploit wave, when thousands of web sites hosted malicious image files that could compromise a Windows system simply by being viewed in a browser. Attack vectors quickly spread to spam/e-mail and IM networks. According to SANS, “It is extremely hard to protect against this vulnerability.” Secunia rated the vulnerability “Extremely critical,” and Symantec gave it a 9.4 on its 10-point scale. Within hours, virus and spyware authors were using the flaw to distribute malicious programs that could allow them to take over and remotely control afflicted computers. The vulnerability affected every supported version of Windows, which runs on an estimated 90% of personal computers, and some reports indicated that 10% of computers had fallen victim to the exploit.
Now, in the middle of the CME-24/Blackworm/Nyxem/Blackmal/Mywife outbreak, all three services sit at their lowest level. Does this rating system help you?