ericgeater
Community Champion

Prioritizing "increased risk / low likelihood" vulnerabilities

I'm reading the latest Security Bulletin from HP, which describes a cross-site scripting (XSS) risk from unpatched printers. Even though a CVE has been assigned to this vulnerability, only HP's website describes the risk -- and neither site provides much detail.

 

Because of this, I am more inclined to infer this as "an elevated risk with a fairly low likelihood of occurrence". It's not difficult to download and remotely install the firmware patch, but it's still a time-consuming process, and having lots of printers doesn't help.

 

I'm interested to hear how you prioritize such events, or how much credence you attribute to such claims when there's not a lot of information available to digest. I know what XSS is, but I'm having a hard time visualizing an exposure.

 

Thanks!

-----------
A claim is as good as its veracity.
6 Replies
CraginS
Defender I


@ericgeater wrote:

...

Because of this, I am more inclined to infer this as "an elevated risk with a fairly low likelihood of occurrence". ...


 

Eric,

This is a comment on the terminology you use, not your logic. I think you can pursue your logic, but recommend a modification of the terms you use.

 

If you study risk management literature, you will see that your inferred interpretation is not possible in the way risk is addressed and calculated in business. Risk is defined as the level of impact times the likelihood of occurrence (probability). Therefore, an event with a projected cost of $1000 but a probability of occurrence of 5% is said to have a risk of $50. Likewise, an event with a projected cost of $100 and a 50% probability of occurrence also has a risk of $50.  This is the sort of calculation that major enterprises use to decide whether to mitigate, self-insure, buy commercial insurance, or ignore any given potential harmful event.

 

Craig

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts
AppDefects
Community Champion


@ericgeater wrote:

I'm reading the latest Security Bulletin from HP, which describes a cross-site scripting (XSS) risk from unpatched printers.

 

I know what XSS is, but I'm having a hard time visualizing an exposure.

 


You asked the right question! Help me "visualize the exposure". You need a Threat Model! Start with visualizing your enterprise LAN/WAN that the printers are connected to. Think about users accessing printers on that network and all of the other compute resources on that same network. What could go wrong? Dig deep into applying the scoring vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

 

What you know is that the Attack Complexity (AC) is low, attacks will come in through a malicious link passed through a user's browser and, without any Privileges (PR), attempt to redirect possibly sensitive information. That's the idea. What usually seals the deal for IT is showing them XSS in action. That will open their eyes wide enough to either accept the risk or put in a compensating control until there is a patch.

 

 

dcontesti
Community Champion

@ericgeater 

 

I agree with @CraginS here, a good Risk Assessment goes a long way, but would add that you must always account for the unknown.

 

As an example, I once worked somewhere that had a print server which had software that could only be installed/maintained by the vendor............so we put the machine under a Patch Management process (patches were to be scheduled, patches could only be applied after the media was scanned, patches could only be applied with an IT person in attendance, educated the department on the process and got agreement in writing from the vendor)....Sounds good...........until one day, a new tech came in and the folks from the department were in a meeting.....the perfect storm.

 

The tech proceeded to use their installation kit (which had a virus on it) and installed the new OS.

 

Within minutes of the reboot, the Help Desk began getting calls that M$ machines were experiencing the Blue Screen (of Death). The virus was actually a worm and was trying to work through the network to find machines that were not patched and eventually found some.......

 

So even though we thought the threat had been mitigated, it turned out not to be, therefore educating management that Risk Assessment is not an exact science is a good thing.....Ensure that they accept the risk ratings that you come up with.

 

my nickel

 

d

 

ericgeater
Community Champion

I was cleaning out old drafts and found this thread.  While wondering how I dared to neglect all of these wonderful replies, I looked at the date and remembered, "Oh, yeah! That's when our 70047c83e6cfab6f85cf9fdf0cb4fdff attack happened.  No wonder I never responded!"  Plus, COVID lockdown was soon to follow.

 

So, yeah, thanks to everyone for your responses -- three years later!

-----------
A claim is as good as its veracity.
Beads
Advocate I

This may be an old thread, but HP patched this minor vulnerability in June of 2020. Mitigation would have been to create a custom filter for any of the affected machines and block any such attempts from both the client and/or the printer themselves.

 

As for the risk? Minimal. This could have been blocked through directory services, filtering and user education with minimal effort, to include risk analysis. Furthermore, after looking into this minor threat I see no determined use or exploit being used. Annoying at best. A real threat? More like clutching pearls and hand wringing.

 

- B/Eads

ericgeater
Community Champion

At the time, a feral IT child (such as myself) didn't understand best practices for gauging "high / low probability" with "high / low impact", and was trying to assuage the rampant paranoia associated with feeling like "OMG WE HAVE TO FIX EVERY SECURITY CONCERN RIGHT NOW".

I'm still a feral child, by the way.  Just grayer.

-----------
A claim is as good as its veracity.