| |
Current session uses cyber security experts collective judgments for attackers and system attributes quantification as part of a Risk Analysis Methodology doctoral project in University of Piraeus.
Invited experts are asked to provide rank each attribute grade in 0-100 scale. They are actually asked to provide three rankings:
-A most representative ranking with high certainty (100%).
-A pessimistic and an optimistic ranking with low certainty (~0%). For example Exploitability attribute is qualitatively ranked from VERY LOW to VERY HIGH. VERY HIGH. Quantified rankings of 98, 96 and 100 could be provided as representative, optimistic and pessimistic measures of VERY HIGH qualitative measure of exploitability, with low experts certainty.
Rankings should be provided comparatively for sequential qualitative measures of the same attribute. Rankings overlaps are possible.
If you have any questions you may contact Fragkiskos Korkodeilos by email at [email protected]. Thank you very much for your time and support. Please start with the survey now by clicking on the Continue button below. |
| |
|
|
|
Please comparatively rank in scale 1 to 100 Skills attribute measures VERY LOW to HIGH.
Qualitative number description
VERY LOW |
Attackers of this category are based on their own study and experience and may have attained some low cost specialized course. They use open source tools and open source information. |
LOW |
Attackers of this category are based on their own study and have attained specialized university courses and master courses and other specialized courses. They use open source tools and open source information and are familiar with attack/ penetration testing methodologies. They use open source and low cost commercial tools and attack methodologies efficiently. They can exploit common or known vulnerabilities. |
MODERATE |
Attackers of this category are experienced and skilled. They have undertaken specialized professional training and efficiently use commercial tools, gather information. They can efficiently and quickly exploit known and unknown vulnerabilities and are highly familiar with attack methodologies. |
HIGH |
Attackers of this category are highly experienced, specialized and professionally and extensively trained. They demonstrate sophisticated tactics and rely on extensive reconnaissance and operational planning. They can research and develop exploits for unknown vulnerabilities on specialized systems. |
|
|
|
|
|
|
Please comparatively rank in scale 1 to 100 Target Information attribute measures LOW to EXTREMELY HIGH.
Qualitative number description
LOW |
Attacker has only open source information and information gained by common penetration testing reconnaissance techniques. Attacker may be able to retrieve some information from internet faced interfaces and hosts such as open TCP ports and firewall detection and internet connected systems identification. Social engineering may expose users and employees. |
MODERATE |
Additionally, attacker has access to commercial and illegal information sources and commercial threat intelligence. He can be informed about some hardware and OS types. |
HIGH |
Additionally, attacker has possibility to exploit insiders, commercial threat intelligence and gain illegal information. |
VERH HIGH |
Additionally to previous category, attacker is capable of deep target investigation and investigation by his own means including insiders and specialized malware and cyber intrusion. He is able to produce threat intelligence by his own means. |
EXTREMELY HIGH |
Attacker is additionally capable to conduct cyber espionage operations with advanced penetration techniques, tools, malware, insiders and spies, investigating deep in targets structure. He is able to produce INTELLIGENCE using his own means. There is availability of highly specialized equipment for research. Attacker is capable to execute system internal reconnaissance. He is informed of targets internal architecture, systems, interconnections, functions and vulnerabilities. |
|
|
|
|
|
|
Please comparatively rank in scale 1 to 100 Intensity attribute measures LOW to VERY HIGH.
Qualitative number description
LOW |
Attacker is determined to pursue his goal, but he is not willing to accept negative consequences. Attackers of this category are usually acting opportunistic and motivated by theft, self-satisfaction and exploration. No reputation damage and exposure is accepted. |
MODERATE |
Attacker is moderately determined to pursue his goals and is willing to accept some negative consequences. Acceptable consequences may include light penalties of short time imprisonment, light damages, injuries and losses and financial penalties, but not the death of group members or innocent bystanders. Attackers possess objectives and execute targeted attacks, but their objectives may be detected and removed. No reputation damage and exposure is accepted. |
HIGH |
Attacker is highly determined to pursue his goals and willing to accept any and all consequences. Accepted consequences include even imprisonment for long time imprisonment, heavy injures, damages and losses and death of innocent bystanders. Fanatical and professionals with well-defined objectives and goals, difficult to be detected and removed, belong in this category. They target to specific technology and information for extremely high benefits. Some reputation damage and partial exposure is accepted. |
VERY HIGH |
Attacker is extremely determined to pursue his goals and willing to accept any and all consequences. Accepted consequences include even death of organization members and innocent bystanders. Fanatical and professionals with well-defined objectives and goals, difficult to be detected and removed, belong in this category. They target to specific technology and information for extremely high benefits. Some reputation damage and partial exposure is accepted. |
|
|
|
|
|
|
Please comparatively rank in scale 1 to 100 Countermeasures effectiveness attribute measures LOW to VERY HIGH.
Qualitative number description
LOW |
Applied countermeasures are inefficient to detect and prevent attack efforts and system exploitation. |
MODERATE |
Applied countermeasures fail to detect early attack efforts and some attack payloads my bypass defensive filters. |
HIGH |
Applied countermeasures fail to detect attack efforts, though they can mitigate successful attack effects restricting damage. |
VERY HIGH |
Applied countermeasures efficient detect and prevent or interrupt attack efforts prior system exploitation. |
|
|
|
|
|
|
Please comparatively rank in scale 1 to 100 Vulnerability attribute measures VERY LOW to VERY HIGH.
Qualitative number description
Qualitative values |
Semi quantitative values |
Description |
Very high |
96 – 100 |
A vulnerability whose exploitation could be achieved by unleashed worm which might have propagated without attacker action.
Permits system remote exploitation, unauthorized access and privilege escalation and lateral movement.
Successful exploitation does not normally require any interaction and common exploits exist.
Personnel unaware of cyber threats and there is a lack of strict policy. |
High |
80 – 95 |
A vulnerability whose exploitation could result in compromise of the confidentiality, integrity or availability of some resources
Permits system remote exploitation, unauthorized access and privilege escalation
Successful exploitation does not normally require any interaction and exploits are unknown or uncommon, but can be developed.
There is a security policy but personnel is unaware of cyber threats |
Moderate |
21 – 79 |
Exploitability is mitigated to a significant degree by factors such as default configuration, auditing or difficulty of exploitation
Typically used for remotely exploitable vulnerabilities leading to system compromise.
To exploit system requires user interaction
Personnel is aware of cyber threats but there is not effective security policy |
Low |
5 – 20 |
A vulnerability whose exploitation is extremely difficult or whose impact is minimal
Exploitability is mitigated to a significant degree by factors such as default configuration, auditing or difficulty of exploitation
Typically used for remotely exploitable vulnerabilities, leading to system compromise.
Local privilege escalation, sensitive data exposure
Personnel is aware of cyber threats and there is a strict security policy |
Very low |
0 – 4 |
Very limited privilege escalation, locally exploitable, non-sensitive data exposure
Personnel is aware and trained to detect and encounter cyber threats and there is a strict security policy |
|
|
|
|
|
|
Please comparatively rank in scale 1 to 100 Pay-off attribute measures VERY LOW to EXTREMELY HIGH.
Qualitative number description
VERY LOW |
Unsuccessful attack does not return expected gains and does not cover attack expenses of specific attacker. |
LOW |
Minimal pay-off. Attack does not return expected gains, but covers attack expenses of specific attacker. |
MODERATE |
Attack does not return expected gains and goals are not satisfied for specific attacker. Though, pay-off compensates attack expenses and returns some benefits to him. |
HIGH |
Attack goals and expected gains of specific attacker are achieved, satisfyingly compensates attack expenses. |
VERY HIGH |
Return of attack overcomes expected gains and attacker’s goals for expected attacker and highly compensates attack expenses. |
EXTREMELY HIGH |
Return of attack greatly overcome expected gains and attacker’s goals for specific attacker and are greatly compensative for attack expenses. |
|
|
|
|
|
|
Please comparatively rank in scale 1 to 100 Attack Cost attribute measures VERY LOW to VERY HIGH.
Qualitative number description
VERY LOW |
There is no cost for preparing and executing the attack. |
LOW |
There is minimal attack cost relevant available funding. |
MODERATE |
Significant funds and resources are consumed for attack preparation, execution. |
HIGH |
Very significant amount of funds and resources is consumed relative to available funds and resources to stand in case of attack failure. |
VERY HIGH |
Most of the available funding and resources are consumed for attack preparation and execution. |
|
|
|
|
|
|
|
Loading...
