Contributor I

Prioritizing "increased risk / low likelihood" vulnerabilities

I'm reading the latest Security Bulletin from HP, which describes a cross-site scripting (XSS) risk from unpatched printers. Even though a CVE has been assigned to this vulnerability, only HP's website describes the risk -- and neither site provides much detail.


Because of this, I am more inclined to infer this as "an elevated risk with a fairly low likelihood of occurrence". It's not difficult to download and remotely install the firmware patch, but it's still a time-consuming process, and having lots of printers doesn't help.


I'm interested to hear how you prioritize such events, or how much credence you attribute to such claims when there's not a lot of information available to digest. I know what XSS is, but I'm having a hard time visualizing an exposure.


Thanks!

---
Eric Geater, CISSP
I've always said, "There's nothing an agnostic can't do if he really doesn't know whether he believes in anything or not."
3 Replies
Community Champion

Re: Prioritizing "increased risk / low likelihood" vulnerabilities


@ericgeater wrote:

...

Because of this, I am more inclined to infer this as "an elevated risk with a fairly low likelihood of occurrence". ...



Eric,

This is a comment on the terminology you use, not your logic. I think you can pursue your logic, but recommend a modification of the terms you use.


If you study risk management literature, you will see that your inferred interpretation is not possible in the way risk is addressed and calculated in business. Risk is defined as the level of impact times the likelihood of occurrence (probability). Therefore, an event with a projected cost of $1000 but a probability of occurrence of 5% is said to have a risk of $50. Likewise, an event with a projected cost of $100 and a 50% probability of occurrence also has a risk of $50.  This is the sort of calculation that major enterprises use to decide whether to mitigate, self-insure, buy commercial insurance, or ignore any given potential harmful event.


Craig


Dr. D. Cragin Shelton, CISSP
Dr.Cragin@iCloud.com
https://CraginS.blogspot.com/
My Community Profile
My LinkedIn Profile
Not Passing a Cert Exam is Not the Same as Failing: https://cragins.blogspot.com/2018/08/pass-rates-for-professional-exams.html
Community Champion

Re: Prioritizing "increased risk / low likelihood" vulnerabilities


@ericgeater wrote:

I'm reading the latest Security Bulletin from HP, which describes a cross-site scripting (XSS) risk from unpatched printers.


I know what XSS is, but I'm having a hard time visualizing an exposure.



You asked the right question! Help me "visualize the exposure". You need a Threat Model! Start with visualizing your enterprise LAN/WAN that the printers are connected to. Think about users accessing printers on that network and all of the other compute resources on that same network. What could go wrong? Dig deep into applying the scoring vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N


What you know is that the Attack Complexity (AC) is low, attacks will come in through a malicious link passed through a user's browser and without any Privileges (PR) attempt to redirect possibly sensitive information. That's the idea. What usually seals the deal for IT is showing them XSS in action. That will open their eyes wide enough to either accept the risk or put in a compensating control until there is a patch.
Community Champion

Re: Prioritizing "increased risk / low likelihood" vulnerabilities

@ericgeater 


I agree with @CraginS here, a good Risk Assessment goes a long way, but would add that you must always account for the unknown.


As an example, I once worked somewhere that had a print server which had software that could only be installed/maintained by the vendor............so we put the machine under a Patch Management process (patches were to be scheduled, patches could only be applied after the media was scanned, patches could only be applied with an IT person in attendance, educate the department on the process and got agreement in writing from the vendor)....Sounds good...........until one day, a new tech came in and the folks from the department were in a meeting.....the perfect storm.


The tech proceeded to use their installation kit (which had a virus on it) and installed the new OS.


Within minutes of the reboot, the Help Desk began getting calls that M$ machines were experiencing the Blue Screen (of Death). The virus was actually a worm and was trying to work through the network to find machines that were not patched and eventually found some.......


So even though we thought the threat had been mitigated, it turned out not to be, therefore educating management that Risk Assessment is not an exact science is a good thing.....Ensure that they accept the risk ratings that you come up with.


my nickel


d