diff --git a/data/schema/SSVC_Computed_v2.02.schema.json b/data/schema/SSVC_Computed_v2.03.schema.json similarity index 95% rename from data/schema/SSVC_Computed_v2.02.schema.json rename to data/schema/SSVC_Computed_v2.03.schema.json index 87329162..26205c6d 100644 --- a/data/schema/SSVC_Computed_v2.02.schema.json +++ b/data/schema/SSVC_Computed_v2.03.schema.json @@ -1,6 +1,6 @@ { - "$schema": "http://json-schema.org/draft-04/schema#", - "$id": "https://democert.org/ssvc/SVC_Computed_v2.02.schema.json", + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "https://democert.org/ssvc/SVC_Computed_v2.03.schema.json", "title": "Computed SSVC score representing the path in the decision tree", "description": "This schema represents the full path in the decision tree taken by an analyst with a specific role. The representation of the full decision tree is optional", "type": "object", diff --git a/data/schema/SSVC_Provision_v2.02.schema.json b/data/schema/SSVC_Provision_v2.03.schema.json similarity index 98% rename from data/schema/SSVC_Provision_v2.02.schema.json rename to data/schema/SSVC_Provision_v2.03.schema.json index a8d13afc..e3d2e475 100644 --- a/data/schema/SSVC_Provision_v2.02.schema.json +++ b/data/schema/SSVC_Provision_v2.03.schema.json @@ -1,5 +1,5 @@ { - "$schema": "http://json-schema.org/draft-04/schema#", + "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://democert.org/ssvc/SSVC_Provision_v2.02.schema.json", "title": "Decision tree schema definition for SSVC", "description": "This provides a schema for a decision tree used to compute SSVC score for a vulnerability", diff --git a/index.html b/index.html new file mode 100644 index 00000000..3087d9c4 --- /dev/null +++ b/index.html @@ -0,0 +1,469 @@ + + + + + + CERT/CC Demo Server - Dryad SSVC Calc App + + + + + + + + + + + + + + CERT Logo +
+ + + + i + + + + + + +
+
+ + +
+

+ Dryad - SSVC Calc App +
+ (CISA Coordinator v2) +
+

+ +

+ + + + + + + + +
+

+
+
+
+ + +
+ +
+
+
+
Exploitation choices
+ None:   There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability. +
+ PoC:   + (Proof of Concept)One of the following cases is true: (1) private evidence of exploitation is attested but not shared; (2) widespread hearsay attests to exploitation; (3) typical public PoC in places such as Metasploit or ExploitDB; or (4) the vulnerability has a well-known method of exploitation. Some examples of condition (4) are open-source web proxies serve as the PoC code for how to exploit any vulnerability in the vein of improper validation of TLS certificates. As another example, Wireshark serves as a PoC for packet replay attacks on ethernet or WiFi networks. +
+ Active:   Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting. +
+
+
Virulence choices
+ Slow:   Steps 1-4 of the kill chain cannot be reliably automated for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation. Example reasons for why a step may not be reliably automatable include (1) the vulnerable component is not searchable or enumerable on the network, (2) weaponization may require human direction for each target, (3) delivery may require channels that widely deployed network security configurations block, and (4) exploitation may be frustrated by adequate exploit-prevention techniques enabled by default; ASLR is an example of an exploit-prevention tool. +
+ Rapid:   Steps 1-4 of the of the kill chain can be reliably automated. If the vulnerability allows unauthenticated remote code execution (RCE) or command injection, the response is likely rapid. +
+
+
Technical Impact
+ Partial:   The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control. In this context, “low” means that the attacker cannot reasonably make enough attempts to overcome the low chance of each attempt not working. Denial of service is a form of limited control over the behavior of the vulnerable component. +
+ Total:   The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability. +
+
+ +
Mission Prevelance choices
+ Minimal:   Neither support nor essential apply. The vulnerable component may be used within the entities, but it is not used as a mission-essential component nor does it support (enough) mission essential functions. +
+ Support:   The operation of the vulnerable component merely supports mission essential functions for two or more entities. + EssentialThe vulnerable component directly provides capabilities that constitute at least one MEF for at least one entity, and failure may (but need not) lead to overall mission failure. +
+
+
Vulnerability Scoring Decisions
+ Track   The vulnerability does not require attention outside of Vulnerability Management (VM) at this time. Continue to track the situation and reassess the severity of vulnerability if necessary. +
+ Track *   Track these closely, especially if mitigation is unavailable or difficult. Recommended that analyst discuss with other ana-lysts and get a second opinion. +
+ Attend   The vulnerability requires to be attended to by stakeholders outside VM. The action is a request to others for assistance / information / details, as well as a potential publication about the issue. +
+ Act   The vulnerability requires immediate action by the relevant leadership. The action is a high-priority meeting among the relevant supervisors to decide how to respond. +
+ +
+ + + + + + + + +
+ Determining Mission & Well-being impact value +

 

Public Well-Being Impact


Minimal

Material

Irreversible

Mission Prevalence

Minimal

Low

Medium

High

Support

Medium

Medium

High

Essential

High

High

High

+
+ + + +
+ +
Public Well-being Impact Decision Values
+ + +
+

Impact

Type of Harm

Description

Minimal

All

The effect is below the threshold for all aspects described in material.

Material
(Any one or more of these conditions hold.)

Physical harm

Physical distress and injuries for users (not operators) of the system.

Operator
resiliency

If the operator is expected to be able to keep the cyber-physical system safely operating (that is, prevents one of the other types of harm), then select this option if one of these three apply: system operator must react to exploitation of the vulnerability to maintain safe system state but operator actions would be within their capabilities; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard.

System
resiliency

Cyber-physical system’s safety margin effectively eliminated but no actual harm; OR failure of cyber-physical system functional capabilities that support safe operation.

Environment

Major externalities (property damage, environmental damage, etc.) imposed on other parties.

Financial

Financial losses that likely lead to bankruptcy of multiple persons.

Psychological

Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people.

Irreversible (Any one or more of these conditions hold.)

Physical harm

Multiple fatalities likely.

Operator
resiliency

Operator is incapacitated, where operator usually maintains safe cyber-physical system operations, and so other harms at this level are likely.

System
resiliency

Total loss of whole cyber-physical system of which the software is a part.

Environment

Extreme or serious externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties.

Financial

Social systems (elections, financial grid, etc.) supported by the software are destabilized and potentially collapse.

Psychological

N/A

+
+
+ +
+ Stakeholder-Specific Vulnerability Categorization (SSVC) +
+ version 2 (October 2020) +
+
+

Introduction:

+

+ Our proposed SSVC approach for vulnerability prioritization takes the form of decision trees. This decision tree can be adapted for different vulnerability management stakeholders such as patch developers and patch appliers. In this instance of Drayd - SSVC calculator app, SSVC is being prototyped for CISA in their unique role as advisors to be able to provide decision support to various stakeholders and influence their prioritization of vulnerabilities. +

+
+
+

Decision Tree Usage:

+

+ Click on the button to see + the complete decision tree at a glance. Each circle + + + + + + + represents a decision point or + stage/fork in the decision tree. You can move your mouse over each circle + to get a glimpse at the definition of the choices you can make after that stage/fork. + The path (branch) leading to the next stage fork is labeled + + + + + partial + + + also as it leads you to the next stage/fork represented by a circle. +

+
+

+ When using for a new SSVC calculation with + +
+ You can move your mouse over circle + + + + + + + or on the text + + Exploitation + that represents a stage/fork in the decision tree + to get information + on choices you can make for + your next stage/fork of the tree. + You will see each branch will also be be labeled + + + + + partial + + + that leads you to the next stage/fork. + You can make the appropriate choice by clicking on the text "partial" or on the + circle where your chosen path ends or terminates. Follow these steps on the decision tree. + When prompted for more complex decision making like + + Mission & Well-Being Impact, you will be presented with more choices, + you can click on + ? to get more help in + understanding and making the right choices. +

+

+ Mission & Well-being + is a + cumulative decision that is comprised of + + Mission Prevelance and + + Public Well-Being Impact + . +

+
+
+
+
+
+
+
+ + + + + + + + + + + + +
+ +
+ +
+
+ + + + + + + + +
+ + +
+ + + + Include decision tree in export + +
+ Contact: + +
+
+
+ + +
+
+
+
+
+ + + + + diff --git a/ssvc-calc/CISA-Coordinator-v2.0.3.json b/ssvc-calc/CISA-Coordinator-v2.0.3.json new file mode 100644 index 00000000..9b7683f8 --- /dev/null +++ b/ssvc-calc/CISA-Coordinator-v2.0.3.json 
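Review bot: in the `data/schema/SSVC_Computed_v2.03.schema.json` hunk the `$id` still spells the file as `SVC_Computed` (`"$id": "https://democert.org/ssvc/SVC_Computed_v2.03.schema.json"`) while the file itself is `SSVC_Computed_v2.03.schema.json`, so a validator that resolves the schema by its `$id` will not find it; suggest `https://democert.org/ssvc/SSVC_Computed_v2.03.schema.json`. The `$schema` bump from draft-04 to 2020-12 is the right direction (draft-04 never defined `$id`, it used `id`), but it also changes keyword semantics (`definitions` becomes `$defs`, `exclusiveMinimum`/`exclusiveMaximum` become numbers rather than booleans), and only the header of this 95%-similar file is visible here, so please check the renamed file against the 2020-12 meta-schema and re-validate a known-good computed-score document before merging.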
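Review bot: in the `data/schema/SSVC_Provision_v2.03.schema.json` hunk only `$schema` was updated; `"$id": "https://democert.org/ssvc/SSVC_Provision_v2.02.schema.json"` still carries the old version even though the file was renamed to v2.03 and the sibling Computed schema's `$id` was bumped in the same commit. Bump it to `SSVC_Provision_v2.03.schema.json` so the `$id` matches the file name and the new `ssvc-calc/SSVC_Provision_v2.03.schema.json` symlink; otherwise the 2.02 and 2.03 provision schemas share one identifier and a resolver cannot tell them apart.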
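Review bot: the help text in the new `index.html` disagrees with the data file it drives: the second decision point is described under `Virulence choices` as `Slow` / `Rapid`, while `CISA-Coordinator-v2.0.3.json` defines that point as `Automatable` with `no` / `yes`, so the mouse-over definitions will not match the labels an analyst sees on the tree. In the same file `Mission Prevelance` appears twice (the JSON spells it `Mission Prevalence`), the intro says `Drayd` for Dryad, the `Essential` entry in the Mission Prevalence block runs straight into its description (`EssentialThe vulnerable component ...`) where the other entries have a separator, and several definitions keep pasted line-break hyphens such as `ana-lysts` and the doubled `be be labeled`. Suggest rendering these help blocks from the JSON `description` fields rather than duplicating the text by hand, so the two cannot drift.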
@@ -0,0 +1,489 @@ +{ + "decision_points": [ + { + "label": "Exploitation", + "decision_type": "simple", + "key": "E", + "options": [ + { + "label": "none", + "key": "N", + "description": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability." + }, + { + "label": "poc", + "key": "P", + "description": "One of the following cases is true: (1) private evidence of exploitation is attested but not shared; (2) widespread hearsay attests to exploitation; (3) typical public PoC in places such as Metasploit or ExploitDB; or (4) the vulnerability has a well-known method of exploitation. Some examples of condition (4) are open-source web proxies serve as the PoC code for how to exploit any vulnerability in the vein of improper validation of TLS certificates. As another example, Wireshark serves as a PoC for packet replay attacks on ethernet or WiFi networks." + }, + { + "label": "active", + "key": "A", + "description": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting." + } + ] + }, + { + "label": "Automatable", + "key": "A", + "decision_type": "simple", + "options": [ + { + "label": "no", + "key": "N", + "description": "Steps 1-4 of the kill chain cannot be reliably automated for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation. Example reasons for why a step may not be reliably automatable include (1) the vulnerable component is not searchable or enumerable on the network, (2) weaponization may require human direction for each target, (3) delivery may require channels that widely deployed network security configurations block, and (4) exploitation may be frustrated by adequate exploit-prevention techniques enabled by default; ASLR is an example of an exploit-prevention tool." 
+ }, + { + "label": "yes", + "key": "Y", + "description": "Steps 1-4 of the of the kill chain can be reliably automated. If the vulnerability allows unauthenticated remote code execution (RCE) or command injection, the response is likely yes." + } + ] + }, + { + "label": "Technical Impact", + "key": "T", + "decision_type": "simple", + "options": [ + { + "label": "partial", + "key": "P", + "description": "The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control. In this context, \"low\" means that the attacker cannot reasona-bly make enough attempts to overcome the low chance of each attempt not working. Denial of service is a form of limited control over the behavior of the vulnerable component." + }, + { + "label": "total", + "key": "T", + "description": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability." + } + ] + }, + { + "label": "Public Well-being Impact", + "key": "B", + "decision_type": "simple", + "options":[ + { + "label": "Minimal", + "key": "M", + "description": "Type of harm is \"All\" (Physical, Environmental,Financial,Psychological). The effect is below the threshold for all aspects described in material." + }, + { + "label": "Material", + "key": "A", + "description": "Any one or more of the conditions (Physical, Environmental,Financial,Psychological) hold. \"Physical harm\" means \"Physical distress or injuries for users of the system OR introduces occupational safety hazards OR reduction and/or failure of cyber-physical system’s safety margins.\" \"Environment\" means \"Major externalities (property damage, environmental damage, etc.) 
imposed on other parties.\" \"Financial\" means \"Financial losses that likely lead to bankruptcy of multiple persons.\" \"Psychological\" means \"Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people.\"" + }, + { + "label": "Irreversible", + "key": "I", + "description": "Any one or more of the following conditions hold. \"Physical harm\" means \"Multiple fatalities likely OR loss or destruction of cyber-physical system of which the vulnerable component is a part.\" \"Environment\" means \"Extreme or serious externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties.\" \"Financial\" means \"Social systems (elections, financial grid, etc.) supported by the software are destabilized and potentially collapse.\"" + } + ] + }, + { + "label": "Mission Prevalence", + "key": "P", + "decision_type": "simple", + "options":[ + { + "label": "Minimal", + "key": "M", + "description": "Neither support nor essential apply. The vulnerable component may be used within the entities, but it is not used as a mission-essential component nor does it support (enough) mission essential functions." }, + { + "label": "Support", + "key": "S", + "description": "The operation of the vulnerable component merely supports mission essential functions for two or more entities." + }, + { + "label": "Essential", + "key": "E", + "description": "The vulnerable component directly provides capabilities that constitute at least one MEF for at least one entity, and failure may (but need not) lead to overall mission failure." 
+ } + ] + }, + { + "label": "Mission & Well-being", + "key": "M", + "decision_type": "complex", + "children": [ + { + "label": "Mission Prevalence" + }, + { + "label": "Public Well-being Impact" + } + ], + "options": [ + { + "label": "low", + "key": "L", + "description": "Mission Prevalence is Low and Public well-being impact is Minimal", + "child_combinations": [ + [ + { + "child_label":"Mission Prevalence", + "child_key": "M", + "child_option_labels": ["Minimal"], + "child_option_keys": ["M"] + }, + { + "child_label": "Public Well-being Impact", + "child_option_labels": ["Minimal"] + } + ] + ] + }, + { + "label": "medium", + "key": "M", + "description": "Mission Prevalence is Medium and Public well-being impact is in Material", + "child_combinations":[ + [ + { + "child_label":"Mission Prevalence", + "child_key": "M", + "child_option_labels": ["Support"], + "child_option_keys": ["S"] + }, + { + "child_label": "Public Well-being Impact", + "child_option_labels": ["Minimal","Material"] + } + ], + [ + { + "child_label":"Mission Prevalence", + "child_key": "M", + "child_option_labels": ["Minimal"], + "child_option_keys": ["M"] + }, + { + "child_label": "Public Well-being Impact", + "child_option_labels": ["Material"] + } + ] + ] + + }, + { + "label": "high", + "key": "H", + "description": "Mission Prevalence is Essential and Public well-being impact is Irreversible", + "child_combinations":[ + [ + { + "child_label":"Mission Prevalence", + "child_key": "M", + "child_option_labels": ["Essential"], + "child_option_keys": ["E"] + }, + { + "child_label": "Public Well-being Impact", + "child_option_labels": ["Minimal","Material","Irreversible"] + } + ], + [ + { + "child_label":"Mission Prevalence", + "child_key": "M", + "child_option_labels": ["Minimal","Support"], + "child_option_keys": ["M","S"] + }, + { + "child_label": "Public Well-being Impact", + "child_option_labels": ["Irreversible"] + } + ] + ] + + } + ] + }, + { + "label": "Decision", + "key": "D", + 
"decision_type": "simple", + "options": [ + { + "label": "Track", + "key": "T", + "description": "The vulnerability does not require attention outside of Vulnerability Management (VM) at this time. Continue to track the situation and reassess the severity of vulnerability if necessary.", + "color": "#28a745" + }, + { + "label": "Track*", + "key": "R", + "description": "Track these closely, especially if mitigation is unavailable or difficult. Recommended that analyst discuss with other ana-lysts and get a second opinion.", + "color": "#ffc107" + }, + { + "label": "Attend", + "key": "A", + "description": "The vulnerability requires to be attended to by stakeholders outside VM. The action is a request to others for assistance / information / details, as well as a potential publication about the issue.", + "color": "#EE8733" + }, + { + "label": "Act", + "key": "C", + "description": "The vulnerability requires immediate action by the relevant leadership. The action is a high-priority meeting among the relevant supervisors to decide how to respond.", + "color": "#dc3545" + } + ] + } + ], + "decisions_table": [ + { + "Exploitation": "none", + "Automatable": "no", + "Technical Impact": "partial", + "Mission & Well-being": "low", + "Decision": "Track" + }, + { + "Decision": "Track", + "Exploitation": "none", + "Automatable": "no", + "Technical Impact": "partial", + "Mission & Well-being": "medium" + }, + { + "Decision": "Track", + "Exploitation": "none", + "Automatable": "no", + "Technical Impact": "partial", + "Mission & Well-being": "high" + }, + { + "Decision": "Track", + "Exploitation": "none", + "Automatable": "no", + "Technical Impact": "total", + "Mission & Well-being": "low" + }, + { + "Decision": "Track", + "Exploitation": "none", + "Automatable": "no", + "Technical Impact": "total", + "Mission & Well-being": "medium" + }, + { + "Decision": "Track*", + "Exploitation": "none", + "Automatable": "no", + "Technical Impact": "total", + "Mission & Well-being": "high" + 
}, + { + "Decision": "Track", + "Exploitation": "none", + "Automatable": "yes", + "Technical Impact": "partial", + "Mission & Well-being": "low" + }, + { + "Decision": "Track", + "Exploitation": "none", + "Automatable": "yes", + "Technical Impact": "partial", + "Mission & Well-being": "medium" + }, + { + "Decision": "Attend", + "Exploitation": "none", + "Automatable": "yes", + "Technical Impact": "partial", + "Mission & Well-being": "high" + }, + { + "Decision": "Track", + "Exploitation": "none", + "Automatable": "yes", + "Technical Impact": "total", + "Mission & Well-being": "low" + }, + { + "Decision": "Track", + "Exploitation": "none", + "Automatable": "yes", + "Technical Impact": "total", + "Mission & Well-being": "medium" + }, + { + "Decision": "Attend", + "Exploitation": "none", + "Automatable": "yes", + "Technical Impact": "total", + "Mission & Well-being": "high" + }, + { + "Decision": "Track", + "Exploitation": "poc", + "Automatable": "no", + "Technical Impact": "partial", + "Mission & Well-being": "low" + }, + { + "Decision": "Track", + "Exploitation": "poc", + "Automatable": "no", + "Technical Impact": "partial", + "Mission & Well-being": "medium" + }, + { + "Decision": "Track*", + "Exploitation": "poc", + "Automatable": "no", + "Technical Impact": "partial", + "Mission & Well-being": "high" + }, + { + "Decision": "Track", + "Exploitation": "poc", + "Automatable": "no", + "Technical Impact": "total", + "Mission & Well-being": "low" + }, + { + "Decision": "Track*", + "Exploitation": "poc", + "Automatable": "no", + "Technical Impact": "total", + "Mission & Well-being": "medium" + }, + { + "Decision": "Attend", + "Exploitation": "poc", + "Automatable": "no", + "Technical Impact": "total", + "Mission & Well-being": "high" + }, + { + "Decision": "Track", + "Exploitation": "poc", + "Automatable": "yes", + "Technical Impact": "partial", + "Mission & Well-being": "low" + }, + { + "Decision": "Track", + "Exploitation": "poc", + "Automatable": "yes", + "Technical 
Impact": "partial", + "Mission & Well-being": "medium" + }, + { + "Decision": "Attend", + "Exploitation": "poc", + "Automatable": "yes", + "Technical Impact": "partial", + "Mission & Well-being": "high" + }, + { + "Decision": "Track", + "Exploitation": "poc", + "Automatable": "yes", + "Technical Impact": "total", + "Mission & Well-being": "low" + }, + { + "Decision": "Track*", + "Exploitation": "poc", + "Automatable": "yes", + "Technical Impact": "total", + "Mission & Well-being": "medium" + }, + { + "Decision": "Attend", + "Exploitation": "poc", + "Automatable": "yes", + "Technical Impact": "total", + "Mission & Well-being": "high" + }, + { + "Decision": "Track", + "Exploitation": "active", + "Automatable": "no", + "Technical Impact": "partial", + "Mission & Well-being": "low" + }, + { + "Decision": "Track", + "Exploitation": "active", + "Automatable": "no", + "Technical Impact": "partial", + "Mission & Well-being": "medium" + }, + { + "Decision": "Attend", + "Exploitation": "active", + "Automatable": "no", + "Technical Impact": "partial", + "Mission & Well-being": "high" + }, + { + "Decision": "Track", + "Exploitation": "active", + "Automatable": "no", + "Technical Impact": "total", + "Mission & Well-being": "low" + }, + { + "Decision": "Attend", + "Exploitation": "active", + "Automatable": "no", + "Technical Impact": "total", + "Mission & Well-being": "medium" + }, + { + "Decision": "Act", + "Exploitation": "active", + "Automatable": "no", + "Technical Impact": "total", + "Mission & Well-being": "high" + }, + { + "Decision": "Attend", + "Exploitation": "active", + "Automatable": "yes", + "Technical Impact": "partial", + "Mission & Well-being": "low" + }, + { + "Decision": "Attend", + "Exploitation": "active", + "Automatable": "yes", + "Technical Impact": "partial", + "Mission & Well-being": "medium" + }, + { + "Decision": "Act", + "Exploitation": "active", + "Automatable": "yes", + "Technical Impact": "partial", + "Mission & Well-being": "high" + }, + { + 
"Decision": "Attend", + "Exploitation": "active", + "Automatable": "yes", + "Technical Impact": "total", + "Mission & Well-being": "low" + }, + { + "Decision": "Act", + "Exploitation": "active", + "Automatable": "yes", + "Technical Impact": "total", + "Mission & Well-being": "medium" + }, + { + "Decision": "Act", + "Exploitation": "active", + "Automatable": "yes", + "Technical Impact": "total", + "Mission & Well-being": "high" + } + ], + "lang": "en", + "version": "2.0", + "title": "CISA Coordinator v2.0.3" +} diff --git a/ssvc-calc/SSVC_Computed_v2.03.schema.json b/ssvc-calc/SSVC_Computed_v2.03.schema.json new file mode 120000 index 00000000..d5035868 --- /dev/null +++ b/ssvc-calc/SSVC_Computed_v2.03.schema.json @@ -0,0 +1 @@ +../data/schema/SSVC_Computed_v2.03.schema.json \ No newline at end of file diff --git a/ssvc-calc/SSVC_Provision_v2.03.schema.json b/ssvc-calc/SSVC_Provision_v2.03.schema.json new file mode 120000 index 00000000..91b7f6e4 --- /dev/null +++ b/ssvc-calc/SSVC_Provision_v2.03.schema.json @@ -0,0 +1 @@ +../data/schema/SSVC_Provision_v2.03.schema.json \ No newline at end of file diff --git a/ssvc-calc/Supplier-v2.0.0.json b/ssvc-calc/Supplier-v2.0.0.json new file mode 100644 index 00000000..94908f15 --- /dev/null +++ b/ssvc-calc/Supplier-v2.0.0.json 
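Review bot: in `ssvc-calc/CISA-Coordinator-v2.0.3.json` the `Mission & Well-being` child_combinations reference `"child_key": "M"` for `Mission Prevalence`, but that decision point is declared with `"key": "P"` (`"M"` is the key of `Mission & Well-being` itself), so any key-based lookup of the child resolves to the wrong node; the `Public Well-being Impact` children also omit `child_key` and `child_option_keys` entirely, which will fail validation if the provision schema requires them. The option descriptions for that point do not match the encoded combinations either: `low` says "Mission Prevalence is Low" and `medium` says "Mission Prevalence is Medium", neither of which is an option (the options are Minimal, Support and Essential), and `high` says "Essential and ... Irreversible" while the combinations encode Essential with any well-being impact OR Irreversible with any prevalence. Smaller points: the outcome node `Decision` is `"decision_type": "simple"` where `Supplier-v2.0.0.json` in the same commit uses `"final"` for its outcome node; `"version": "2.0"` disagrees with the title `CISA Coordinator v2.0.3` and the file name; and the descriptions carry pasted line-break artifacts (`reasona-bly`, `ana-lysts`, `Steps 1-4 of the of the kill chain`).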
@@ -0,0 +1,500 @@ +{ + "decision_points": [ + { + "label": "Exploitation", + "decision_type": "simple", + "key": "E", + "options": [ + { + "label": "none", + "key": "N", + "description": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability." + }, + { + "label": "poc", + "key": "P", + "description": "One of the following cases is true: (1) private evidence of exploitation is attested but not shared; (2) widespread hearsay attests to exploitation; (3) typical public PoC in places such as Metasploit or ExploitDB; or (4) the vulnerability has a well-known method of exploitation. Some examples of condition (4) are open-source web proxies serve as the PoC code for how to exploit any vulnerability in the vein of improper validation of TLS certificates. As another example, Wireshark serves as a PoC for packet replay attacks on ethernet or WiFi networks." + }, + { + "label": "active", + "key": "A", + "description": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting." + } + ] + }, + { + "label": "Automatable", + "key": "A", + "decision_type": "simple", + "options": [ + { + "label": "no", + "key": "N", + "description": "Steps 1-4 of the kill chain cannot be reliably automated for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation. Example reasons for why a step may not be reliably automatable include (1) the vulnerable component is not searchable or enumerable on the network, (2) weaponization may require human direction for each target, (3) delivery may require channels that widely deployed network security configurations block, and (4) exploitation may be frustrated by adequate exploit-prevention techniques enabled by default; ASLR is an example of an exploit-prevention tool." 
+ }, + { + "label": "yes", + "key": "Y", + "description": "Steps 1-4 of the of the kill chain can be reliably automated. If the vulnerability allows unauthenticated remote code execution (RCE) or command injection, the response is likely yes." + } + ] + }, + { + "label": "Value Density", + "key": "V", + "decision_type": "simple", + "options": [ + { + "label": "diffuse", + "key": "D", + "description": "The system that contains the vulnerable component has limited resources. That is, the resources that the adversary will gain control over with a single exploitation event are relatively small. Examples of systems with diffuse value are email accounts, most consumer online banking accounts, common cell phones, and most personal computing resources owned and maintained by users. (A “user” is anyone whose professional task is something other than the maintenance of the system or component. As with Safety Impact, a “system operator” is anyone who is professionally responsible for the proper operation or maintenance of a system.)" + }, + { + "label": "concentrated", + "key": "C", + "description": "The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of “system operators” rather than users. Examples of concentrated value are database systems, Kerberos servers, web servers hosting login pages, and cloud service providers. However, usefulness and uniqueness of the resources on the vulnerable system also inform value density. For example, encrypted mobile messaging platforms may have concentrated value, not because each phone’s messaging history has a particularly large amount of data, but because it is uniquely valuable to law enforcement." 
+ } + ] + }, + { + "decision_type": "complex", + "label": "Utility", + "key": "U", + "children": [ + { + "label": "Automatable" + }, + { + "label": "Value Density" + } + ], + "options": [ + { + "label": "laborious", + "description": "No to automatable and diffuse value", + "child_combinations": [ + [ + { + "child_label": "Automatable", + "child_key": "A", + "child_option_labels": [ + "no" + ], + "child_option_keys": [ + "N" + ] + }, + { + "child_label": "Value Density", + "child_key": "V", + "child_option_labels": [ + "diffuse" + ], + "child_option_keys": [ + "D" + ] + } + ] + ] + }, + { + "label": "efficient", + "description": "{Yes to automatable and diffuse value} OR {No to automatable and concentrated value}", + "child_combinations": [ + [ + { + "child_label": "Automatable", + "child_key": "A", + "child_option_labels": [ + "no" + ], + "child_option_keys": [ + "N" + ] + }, + { + "child_label": "Value Density", + "child_key": "V", + "child_option_labels": [ + "concentrated" + ], + "child_option_keys": [ + "C" + ] + } + ], + [ + { + "child_label": "Automatable", + "child_key": "A", + "child_option_labels": [ + "yes" + ], + "child_option_keys": [ + "Y" + ] + }, + { + "child_label": "Value Density", + "child_key": "V", + "child_option_labels": [ + "diffuse" + ], + "child_option_keys": [ + "D" + ] + } + ] + + ] + }, + { + "label": "super effective", + "description": "Yes to automatable and concentrated value", + "child_combinations": [ + [ + { + "child_label": "Automatable", + "child_key": "A", + "child_option_labels": [ + "yes" + ], + "child_option_keys": [ + "Y" + ] + }, + { + "child_label": "Value Density", + "child_key": "V", + "child_option_labels": [ + "concentrated" + ], + "child_option_keys": [ + "C" + ] + } + ] + ] + } + ] + + }, + { + "label": "Technical Impact", + "key": "T", + "decision_type": "simple", + "options": [ + { + "label": "partial", + "key": "P", + "description": "The exploit gives the adversary limited control over, or information exposure 
about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control. In this context, \"low\" means that the attacker cannot reasona-bly make enough attempts to overcome the low chance of each attempt not working. Denial of service is a form of limited control over the behavior of the vulnerable component." + }, + { + "label": "total", + "key": "T", + "description": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability." + } + ] + }, + { + "label": "Public-Safety Impact", + "key": "P", + "decision_type": "simple", + "options": [ + { + "label": "minimal", + "description": "Safety Impact of None or Minor" + }, + { + "label": "significant", + "description": "Safety Impact of Major, Hazardous, or Catastrophic" + } + ] + }, + { + "decision_type": "final", + "label": "Priority", + "key": "R", + "options": [ + { + "label": "defer", + "description": "Do not work on the patch at present.", + "color": "#28a745" + }, + { + "label": "scheduled", + "description": "Develop a fix within regularly scheduled maintenance using supplier resources as normal.", + "color": "#ffc107" + }, + { + "label": "out-of-cycle", + "description": "Develop mitigation or remediation out-of-cycle, taking resources away from other projects and releasing the fix as a security patch when it is ready.", + "color": "#EE8733" + }, + { + "label": "immediate", + "description": "Develop and release a fix as quickly as possible, drawing on all available resources, potentially including drawing on or coordinating resources from other parts of the organization.", + "color": "#dc3545" + } + ] + + } + ], + "decisions_table": [ + { + "Exploitation": "none", + "Utility": "laborious", + "Technical Impact": "partial", + "Public-Safety Impact": "minimal", + "Priority": "defer" + }, + { + "Exploitation": 
"none", + "Utility": "laborious", + "Technical Impact": "partial", + "Public-Safety Impact": "significant", + "Priority": "scheduled" + }, + { + "Exploitation": "none", + "Utility": "laborious", + "Technical Impact": "total", + "Public-Safety Impact": "minimal", + "Priority": "defer" + }, + { + "Exploitation": "none", + "Utility": "laborious", + "Technical Impact": "total", + "Public-Safety Impact": "significant", + "Priority": "out-of-cycle" + }, + { + "Exploitation": "none", + "Utility": "efficient", + "Technical Impact": "partial", + "Public-Safety Impact": "minimal", + "Priority": "scheduled" + }, + { + "Exploitation": "none", + "Utility": "efficient", + "Technical Impact": "partial", + "Public-Safety Impact": "significant", + "Priority": "out-of-cycle" + }, + { + "Exploitation": "none", + "Utility": "efficient", + "Technical Impact": "total", + "Public-Safety Impact": "minimal", + "Priority": "scheduled" + }, + { + "Exploitation": "none", + "Utility": "efficient", + "Technical Impact": "total", + "Public-Safety Impact": "significant", + "Priority": "out-of-cycle" + }, + { + "Exploitation": "none", + "Utility": "super effective", + "Technical Impact": "partial", + "Public-Safety Impact": "minimal", + "Priority": "scheduled" + }, + { + "Exploitation": "none", + "Utility": "super effective", + "Technical Impact": "partial", + "Public-Safety Impact": "significant", + "Priority": "out-of-cycle" + }, + { + "Exploitation": "none", + "Utility": "super effective", + "Technical Impact": "total", + "Public-Safety Impact": "minimal", + "Priority": "scheduled" + }, + { + "Exploitation": "none", + "Utility": "super effective", + "Technical Impact": "total", + "Public-Safety Impact": "significant", + "Priority": "out-of-cycle" + }, + { + "Exploitation": "PoC", + "Utility": "laborious", + "Technical Impact": "partial", + "Public-Safety Impact": "minimal", + "Priority": "scheduled" + }, + { + "Exploitation": "PoC", + "Utility": "laborious", + "Technical Impact": "partial", + 
"Public-Safety Impact": "significant", + "Priority": "out-of-cycle" + }, + { + "Exploitation": "PoC", + "Utility": "laborious", + "Technical Impact": "total", + "Public-Safety Impact": "minimal", + "Priority": "scheduled" + }, + { + "Exploitation": "PoC", + "Utility": "laborious", + "Technical Impact": "total", + "Public-Safety Impact": "significant", + "Priority": "immediate" + }, + { + "Exploitation": "PoC", + "Utility": "efficient", + "Technical Impact": "partial", + "Public-Safety Impact": "minimal", + "Priority": "scheduled" + }, + { + "Exploitation": "PoC", + "Utility": "efficient", + "Technical Impact": "partial", + "Public-Safety Impact": "significant", + "Priority": "immediate" + }, + { + "Exploitation": "PoC", + "Utility": "efficient", + "Technical Impact": "total", + "Public-Safety Impact": "minimal", + "Priority": "out-of-cycle" + }, + { + "Exploitation": "PoC", + "Utility": "efficient", + "Technical Impact": "total", + "Public-Safety Impact": "significant", + "Priority": "immediate" + }, + { + "Exploitation": "PoC", + "Utility": "super effective", + "Technical Impact": "partial", + "Public-Safety Impact": "minimal", + "Priority": "out-of-cycle" + }, + { + "Exploitation": "PoC", + "Utility": "super effective", + "Technical Impact": "partial", + "Public-Safety Impact": "significant", + "Priority": "immediate" + }, + { + "Exploitation": "PoC", + "Utility": "super effective", + "Technical Impact": "total", + "Public-Safety Impact": "minimal", + "Priority": "out-of-cycle" + }, + { + "Exploitation": "PoC", + "Utility": "super effective", + "Technical Impact": "total", + "Public-Safety Impact": "significant", + "Priority": "immediate" + }, + { + "Exploitation": "active", + "Utility": "laborious", + "Technical Impact": "partial", + "Public-Safety Impact": "minimal", + "Priority": "out-of-cycle" + }, + { + "Exploitation": "active", + "Utility": "laborious", + "Technical Impact": "partial", + "Public-Safety Impact": "significant", + "Priority": "immediate" + }, 
+ { + "Exploitation": "active", + "Utility": "laborious", + "Technical Impact": "total", + "Public-Safety Impact": "minimal", + "Priority": "out-of-cycle" + }, + { + "Exploitation": "active", + "Utility": "laborious", + "Technical Impact": "total", + "Public-Safety Impact": "significant", + "Priority": "immediate" + }, + { + "Exploitation": "active", + "Utility": "efficient", + "Technical Impact": "partial", + "Public-Safety Impact": "minimal", + "Priority": "out-of-cycle" + }, + { + "Exploitation": "active", + "Utility": "efficient", + "Technical Impact": "partial", + "Public-Safety Impact": "significant", + "Priority": "immediate" + }, + { + "Exploitation": "active", + "Utility": "efficient", + "Technical Impact": "total", + "Public-Safety Impact": "minimal", + "Priority": "out-of-cycle" + }, + { + "Exploitation": "active", + "Utility": "efficient", + "Technical Impact": "total", + "Public-Safety Impact": "significant", + "Priority": "immediate" + }, + { + "Exploitation": "active", + "Utility": "super effective", + "Technical Impact": "partial", + "Public-Safety Impact": "minimal", + "Priority": "immediate" + }, + { + "Exploitation": "active", + "Utility": "super effective", + "Technical Impact": "partial", + "Public-Safety Impact": "significant", + "Priority": "immediate" + }, + { + "Exploitation": "active", + "Utility": "super effective", + "Technical Impact": "total", + "Public-Safety Impact": "minimal", + "Priority": "immediate" + }, + { + "Exploitation": "active", + "Utility": "super effective", + "Technical Impact": "total", + "Public-Safety Impact": "significant", + "Priority": "immediate" + } + ], + "lang": "en", + "version": "2.0", + "title": "Supplier v2.0.0" +} diff --git a/ssvc-calc/css.css b/ssvc-calc/css.css index 1518016e..ea6386ee 100644 --- a/ssvc-calc/css.css +++ b/ssvc-calc/css.css 
@@ -1,4 +1,16 @@ -/* css version 2.2 */ +/* css version 2.2.3 */ +.not-highlighted { + opacity: 0.5; + border: 0; +} +.highlighted { + opacity: 1; + border: 1px solid red; +} + +#contacts { + display: inline-block; +} .icon8 { width:14px; filter:invert(1); diff --git a/ssvc-calc/index.html b/ssvc-calc/index.html index 3e854344..c06571a3 100644 --- a/ssvc-calc/index.html +++ b/ssvc-calc/index.html @@ -23,17 +23,17 @@ async defer integrity="sha384-N8EP0Yml0jN7e0DcXlZ6rt+iqKU9Ck6f1ZQ+j2puxatnBq4k9E8Q6vqBcY34LNbn" crossorigin="anonymous"> - - + - CERT Logo
-
+
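Review bot: in the decision-tree hunk, the `Public-Safety Impact` options (`minimal`, `significant`) carry no `key`, while the sibling `Technical Impact` options do (`"key": "P"`, `"key": "T"`), and the `Utility` `children` entries declare only a `label` even though every `child_combinations` entry refers to them by `child_key` (`A`, `V`); if the computed-score schema expects a key per option and per child, add a `key` to each so every path through the tree can be expressed by keys alone rather than by labels. Two smaller points: the `partial` description carries a hyphenation artifact (`reasona-bly`) that should read `reasonably`, and the data declares `"version": "2.0"` with title `Supplier v2.0.0` while the schema files in the same change are renamed to `v2.03`, so state which schema version this tree is meant to validate against. The `decisions_table` itself is complete: 3 Exploitation x 3 Utility x 2 Technical Impact x 2 Public-Safety Impact gives 36 rows, and 36 are present.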
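Review bot: in the `css.css` hunk, toggling an element between `.not-highlighted` (`border: 0`) and `.highlighted` (`border: 1px solid red`) changes its box size by 1px on each side, so neighbouring elements will shift whenever the highlight moves; use `border: 1px solid transparent` in `.not-highlighted` (or an `outline` in `.highlighted`, which does not affect layout) to keep the layout stable. The bare `red` also sits outside the hex palette the tree data uses for priorities (`#28a745`, `#ffc107`, `#EE8733`, `#dc3545`); a theme colour or CSS variable would keep the highlight consistent with the rest of the app.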
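Review bot: in the `ssvc-calc/index.html` hunk the retained external script keeps its `integrity="sha384-..."` and `crossorigin="anonymous"` attributes, but the replaced tag lines (`-`, `+`) and the moved `CERT Logo` image are not legible in this rendering; confirm in the raw diff that the newly added script or link tag also carries an SRI `integrity` hash and `crossorigin`, and that the logo image keeps its `alt` text, since dropping SRI on a CDN-loaded script would silently remove the page's protection against a tampered third-party asset.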