BugTraq
Re: On classifying attacks Aug 02 2005 10:39PM
Shwaine (shwaine shwaine com)
On Thu, 28 Jul 2005, Daniel Weber wrote:

> I've seen a lot of classification schemes proposed on Bugtraq in the
> intervening years, some of them quite good. (Search the archives for
> "taxonomy" or "classification".) But unless they are -very- simple to
> use, they won't be taken up by the community. If you can come up with
> a single word that imputes the concept of "malicious data that I can
> easily get onto the victim's machine and in front of the victim's
> eyes but requires him to run it," that would be a great step forward.
>
> Simplicity is key. (Unlike this posting, which I did not have time
> to make shorter and simpler.)
>

(Apologies for the late reply, I've only just caught up on this thread)

Would that it were that simple. Then there would not be debates. You've
somewhat captured the intuitive idea with your long phrase, that being
that these exploits require user intervention of some fashion to succeed.
Were I to take a real world phrase and apply it to the cyber realm, the
closest that comes to mind is "booby trap", but this does not lend itself
well to conveying the consequences of triggering a trap. Nor do I like
applying classifications such as "remote to user" to exploits involving
user interaction, as this phrase does not distinguish between automated
attacks and those requiring user intervention, even though it does convey
some of the requirements and consequences of the attack.

Realistically, these types of attacks encompass multiple components such
as the delivery vector (e.g. webpage, email), level of user interaction
(e.g. regular use of program, clicking attachment) and consequences (e.g.
privileges obtained). A simple classification scheme along the lines of
"remote to root" is not well suited to conveying all these details. From a
modeling standpoint, breaking the attacks down into their components makes
sense, but that is not always as useful from a user standpoint. The user
might be more concerned about distinguishing exploits that can occur
during normal use from those which require more social engineering as the
former implies little to no user control over the risks (other than
patching when a patch is available of course). Academically, however, these
might just be two branches rather far down on a taxonomy tree. So, I
suppose it has to be asked if we just want catchy phrases to impress upon
the user the severity of an issue so they patch or if we want an academic
classification scheme. The two aims do not always align.

Melissa

Copyright 2010, SecurityFocus