Pitfalls of Vulnerability Rating & A New Approach Called ERRS (ERNW Rapid Rating System)

March 14, 2013 (at 11:30 a.m.) in Defense & Management

Like most IT operations, security management has to deal with a permanent lack of resources. To cope with this shortage and still carry out effective security management and operations, prioritization of tasks is crucial. This also holds true for handling the data that results from security assessments and vulnerability management. Even though several approaches to rating findings and vulnerabilities exist in the wild, they hide a number of pitfalls (such as a lack of support for “chains and composites” or blurry impact perspectives) which will be outlined during this presentation. We will also present a new approach to vulnerability metrics that allows a rapid rating both for auditors and internal governance departments and lets agile security practitioners deal with “decision entropy”.

Matthias Luft

Matthias Luft is a security researcher and heads the German security research company ERNW Research. He is interested in a broad range of topics (such as DLP, virtualization, and network security) while keeping up with the daily consulting and assessment work.

Michael Thumann

Michael Thumann is Chief Security Officer and head of the ERNW application security team. He has published security advisories on topics such as ‘Cracking IKE Preshared Keys’ and buffer overflows in web servers, VPN software and VoIP software. Michael enjoys sharing his self-written security tools (e.g. ‘tomas – a Cisco Password Cracker’, ‘ikeprobe – IKE PSK Vulnerability Scanner’ or ‘dnsdigger – a dns information gathering tool’) and his experience with the community. Besides numerous articles and papers he wrote the first (and only) German pen-test book, which has become recommended reading at German universities.

In addition to his daily pentesting tasks he is a regular conference speaker (e.g. Black Hat, HITB and RSA Conference) and has also contributed exploit code to the Metasploit Framework. With more than 10 years of experience in computer security, Michael’s main interest is to uncover vulnerabilities and security design flaws from the network to the application level and to reverse-engineer almost everything in order to understand its inner workings.