usnistgov / mobile-threat-catalogue

NIST/NCCoE Mobile Threat Catalogue
https://pages.nist.gov/mobile-threat-catalogue

Expand definition of threats using CVSS specification #120

Open boos opened 7 years ago

boos commented 7 years ago

I think it would be very useful to expand the definition of threats using CVSS specification in addition to current categorization.

Threat ID:

Type of Comment: G

Proposed Change: For each threat in the excel version of the catalog add columns defining: attack vector, attack complexity, privileges required, user interaction, scope, confidentiality/integrity/availability impact and CVSS value using CVSS specification (https://www.first.org/cvss/cvss-v30-specification-v1.7.pdf)

Justification: Defining threats using also the CVSS specification will substantially facilitate the usage of mobile threat catalog and it will help to rank and prioritize the threats. I do understand that CVSS is to categorize vulnerabilities but I believe it can easily used also to try to define the shape of threats.

sdog-nist commented 7 years ago

@boos

We have received multiple comments asking for MTC enhancements of a similar nature - some method of scoring threats based on their overall severity, which is still under evaluation. In reference to the use of CVSS, we do see limited applicability to the MTC. However, we understand the purpose of CVSS is to describe specific software vulnerabilities, yet the MTC refers to threats that may not involve any software vulnerabilities (e.g., system misconfiguration, social engineering), and therefore it appears to be inconsistent with the guidelines established by FIRST for the use of CVSS.

We invite further suggestions as to how we can leverage CVSS or other standards-based scoring methodologies to enhance the utility of the threat data provided in the MTC.

cjb9 commented 7 years ago

@boos

BTW, we're having a community of interest call Dec. 9th. Feel free to join us: https://nccoe.nist.gov/events/mobile-security-community-interest-teleconference

boos commented 7 years ago

I will follow up with more examples, but the point is that a vulnerability is substantially an 'instance' of a threat. If a vulnerability can be scored with CVSS, a threat can be too (with a few generalizations and assumptions).

I do understand that this is not perfect and out of scope with regard to CVSS, but it might be a path that is IMHO worth exploring. AFAIK nothing exists that helps classify threats, and CVSS is the closest specification.

A necessary assumption here is that in most cases we would have the iOS and Android OSs, and their security architectures are quite similar, so we can somehow generalize what the maximum impact of an instance of a threat would be.

When a threat could potentially manifest itself through multiple vulnerabilities with different characteristics, the score would reflect the worst-case scenario in terms of impact and the easiest attack scenario in terms of how easy it is to succeed in the attack, i.e. max possible impact, easiest possible attack scenario conditions.

One example: AUT-3 (Computer vision attacks inferring the PIN/password from video recordings). Its vector string would be: CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/MC:N

I do know that I'm pushing and bending purposes and generalizing a lot, but as I wrote, I don't know any specification whose purpose is to classify threats, even though I must admit that it is a while since I looked at the latest MITRE languages.

I'll join the call of interest this Friday.
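Scoring a threat the way the comment above describes, as an added example that is not part of this issue or of the MTC project: a small CVSS v3.0 base-score calculator written for this page. It parses a base vector string, applies the weights and equations from the v3.0 specification linked in the issue, and returns the score plus the qualitative rating used to rank items. It accepts only the eight v3.0 base metrics, so the trailing MC:N in the AUT-3 vector above (not a v3.0 base metric) is rejected and must be dropped to score the vector.

```python
# Base-metric weights from the CVSS v3.0 specification (PR weight depends on Scope)
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
AC = {"L": 0.77, "H": 0.44}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27}, "C": {"N": 0.85, "L": 0.68, "H": 0.50}}
BASE_METRICS = {"AV": "NALP", "AC": "LH", "PR": "NLH", "UI": "NR",
                "S": "UC", "C": "HLN", "I": "HLN", "A": "HLN"}

def parse_vector(vector):
    """Parse a v3.0 base vector into {metric: value}; unknown, malformed or missing metrics are rejected."""
    prefix, *parts = vector.split("/")
    if prefix != "CVSS:3.0":
        raise ValueError("expected CVSS:3.0 prefix")
    metrics = {}
    for part in parts:
        name, _, value = part.partition(":")
        if name not in BASE_METRICS or value not in BASE_METRICS[name]:
            raise ValueError(f"not a v3.0 base metric/value: {part}")
        metrics[name] = value
    if set(metrics) != set(BASE_METRICS):
        raise ValueError("all eight base metrics are required")
    return metrics

def is_valid_vector(vector):
    try:
        return bool(parse_vector(vector))
    except ValueError:
        return False

def roundup(x):
    """The spec's Roundup (smallest one-decimal value >= x), done on integers to avoid float error."""
    i = round(x * 100000)
    return i / 100000 if i % 10000 == 0 else (i // 10000 + 1) / 10

def base_score(vector):
    """CVSS v3.0 base score (0.0-10.0) for a base vector string."""
    m = parse_vector(vector)
    changed = m["S"] == "C"
    iss = 1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    exploitability = 8.22 * AV[m["AV"]] * AC[m["AC"]] * PR[m["S"]][m["PR"]] * UI[m["UI"]]
    total = 1.08 * (impact + exploitability) if changed else impact + exploitability
    return 0.0 if impact <= 0 else roundup(min(total, 10))

def severity(score):
    """Qualitative severity rating, the scale used to rank and prioritise scored items."""
    scale = ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High"), (10.0, "Critical"))
    return next(name for limit, name in scale if score <= limit)
```

With the MC:N suffix removed, the AUT-3 vector scores 2.6 (Low); a scope-changed vector such as AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H scores 9.9, which exercises the alternate PR weights and the 1.08 factor.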