From e2d0f0a586a9c8bc9d06a1079cfcd937a52a5dce Mon Sep 17 00:00:00 2001 From: Brian Adeloye <38542881+brianadeloye@users.noreply.github.com> Date: Tue, 31 Aug 2021 09:37:44 -0400 Subject: [PATCH] fixed typos (#146) --- doc/md_src_files/040_stakeholders-scope.md | 2 +- doc/md_src_files/050_decision-points_1.md | 2 +- doc/ssvc_v2-0.html | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/md_src_files/040_stakeholders-scope.md b/doc/md_src_files/040_stakeholders-scope.md index 8a1a0a18..ba3f2615 100644 --- a/doc/md_src_files/040_stakeholders-scope.md +++ b/doc/md_src_files/040_stakeholders-scope.md 
@@ -141,7 +141,7 @@ Table: Proposed Meaning for Supplier Prio A mitigation that successfully changes the value of a decision point may shift the priority of further action to a reduced state. An effective firewall or IDS rule coupled with an adequate change control process for rules may be enough to reduce the priority where no further action is necessary. In the area of Financial impacts, a better insurance policy may be purchased, providing necessary fraud insurance. Physicial well-being impact may be reduced by testing the physicial barriers designed to restrict a robot's ability to interact with humans. Mission impact could be reduced by correcting the problems identified in a disaster recover test-run of the alternate business flow. If applying a mitigation reduces the priority to *defer*, the deployer may not need to apply a remediation if it later becomes available. [Table 3](#table-deployer-outcomes) displays the action priorities for the deployer, which are similar to the supplier case. -When remediation is available, usually the action is to apply it. When remediation is not yet available, the action space is more diverse, but it should involve mitigating the vulnerability (e.g., shutting down services or applying additional security controls) or accepting the risk of not mitigating the vulnerability. Applying mitigations may change the value of decision points. For example, effective firewall and IDS rules may change [*System Exposure*](#system-exposure) from open to controlled. Financial well-being, a [*Saftey Impact*](#safety-impact) category, might be reduced with adequate fraud detection and insurance. Physical well-being, also a [*Saftey Impact*](#safety-impact) category, might be reduced by physical barriers that restrict a robot's ability to interact with humans. [*Mission Impact*](#mission-impact) might be reduced by introducing back-up business flows that do not use the vulnerable component. 
In a later section we combine [Mission and Situated Safety Impact](#table-mission-safety-combined) to reduce the complexity of the tree. +When remediation is available, usually the action is to apply it. When remediation is not yet available, the action space is more diverse, but it should involve mitigating the vulnerability (e.g., shutting down services or applying additional security controls) or accepting the risk of not mitigating the vulnerability. Applying mitigations may change the value of decision points. For example, effective firewall and IDS rules may change [*System Exposure*](#system-exposure) from open to controlled. Financial well-being, a [*Safety Impact*](#safety-impact) category, might be reduced with adequate fraud detection and insurance. Physical well-being, also a [*Safety Impact*](#safety-impact) category, might be reduced by physical barriers that restrict a robot's ability to interact with humans. [*Mission Impact*](#mission-impact) might be reduced by introducing back-up business flows that do not use the vulnerable component. In a later section we combine [Mission and Situated Safety Impact](#table-mission-safety-combined) to reduce the complexity of the tree. However, these mitigation techniques will not always work. For example, the implementation of a firewall or IDS rule to mitigate [*System Exposure*](#system-exposure) from open to controlled is only valid until someone changes the rule. In the area of Financial impacts, the caps on the insurance may be too low to act as a mitigation. The Physical impact may be increased by incorrect installation of the physical barriers designed to restrict a robot’s ability to interact with humans. diff --git a/doc/md_src_files/050_decision-points_1.md b/doc/md_src_files/050_decision-points_1.md index 186c8922..b0587530 100644 --- a/doc/md_src_files/050_decision-points_1.md +++ b/doc/md_src_files/050_decision-points_1.md 
@@ -69,7 +69,7 @@ Table: Technical Impact Decision Values ### Gathering Information About Technical Impact Assessing [*Technical Impact*](#technical-impact) amounts to assessing the degree of control over the vulnerable component the attacker stands to gain by exploiting the vulnerability. -One way to approach this analyiss is to ask whether the control gained is *total* or not. +One way to approach this analysis is to ask whether the control gained is *total* or not. If it is not total, it is *partial*. If an answer to one of the following questions is _yes_, then control is *total*. After exploiting the vulnerablily, diff --git a/doc/ssvc_v2-0.html b/doc/ssvc_v2-0.html index 407e6a04..05498059 100644 --- a/doc/ssvc_v2-0.html +++ b/doc/ssvc_v2-0.html @@ -541,7 +541,7 @@

Technical Impact

Gathering Information About Technical Impact

-

Assessing Technical Impact amounts to assessing the degree of control over the vulnerable component the attacker stands to gain by exploiting the vulnerability. One way to approach this analyiss is to ask whether the control gained is total or not. If it is not total, it is partial. If an answer to one of the following questions is yes, then control is total. After exploiting the vulnerablily,

+

Assessing Technical Impact amounts to assessing the degree of control over the vulnerable component the attacker stands to gain by exploiting the vulnerability. One way to approach this analysis is to ask whether the control gained is total or not. If it is not total, it is partial. If an answer to one of the following questions is yes, then control is total. After exploiting the vulnerablily,
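Review bot: in doc/md_src_files/040_stakeholders-scope.md, the context paragraph directly above the changed line still reads "Physicial well-being" and "physicial barriers", and "disaster recover test-run" looks like it should be "disaster recovery". Since this commit is a typo fix touching the same hunk, correct those alongside "Saftey" so the section does not need a second pass.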
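Review bot: in doc/md_src_files/050_decision-points_1.md, the last context line of the hunk still reads "After exploiting the vulnerablily," just below the corrected "analysis". Change it to "vulnerability" in this commit as well.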
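Review bot: in doc/ssvc_v2-0.html, the added paragraph still ends with "After exploiting the vulnerablily," so the + line re-commits a typo. The diffstat also shows only one changed line in this file, so the "Saftey Impact" to "Safety Impact" correction made in 040_stakeholders-scope.md is not carried into the HTML by this patch. If the HTML contains that paragraph, apply the same fix here, preferably by regenerating the file from the md sources instead of hand-editing a single paragraph.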