The path to information security sometimes seems like the road to hell. Security does not have a completely flat path. There are layers, not like the desirable parfait, but like an onion. Like the hell that Dante described, at each layer lives an even worse threat, a worse sin committed.
Threats and vulnerabilities do not seem to be categorized in any consistent way. LOW, MEDIUM, HIGH… RED, YELLOW, GREEN… Those labels don’t mean anything on their own. Threats should be categorized and ranked based on the ease of exploit, the level of automation available, and the ease of remediation.
And that’s where HELL comes in…

Nine levels, with the center being the dreaded 0-day, and limbo, level 1, populated by 100% automated attacks: the things “script kiddies” use, which should always be plugged because doing so is super easy. Each level gets harder. Each level of attack requires an increasing level of skill to accomplish, but can also require a higher degree of remediation effort. I propose such a scale because of the complaints I’ve seen and heard about some testers ignoring “script kiddie” stuff, or claiming “you don’t test for that, because anyone can do it”… But that’s the point. If anyone can do it, you need to fix it first, you need to fix it faster, and then you get to move on to the “l33t” hacks. 30 minutes to hack with a super “l33t” 0-day, or 5 minutes with a script…
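To make the scale concrete, here is an added example (not from the original post) of how a tester might turn the three ranking inputs into a fix order. The `Finding` fields, the mapping of “automated” to circle 1 and skill level to circles 2 through 9, and the sample findings are all assumptions made for illustration, one possible reading of the scale rather than a definition it supplies:

```python
"""Added example: a toy triage function for the 'nine circles' scale.

Assumptions (not from the post): each finding carries the three inputs the
post names for ranking: whether a public automated exploit exists, the skill
needed to exploit it (1 = anyone with a script, 9 = 0-day class), and the
remediation effort in hours. The vendor's LOW/MEDIUM/HIGH label is carried
along only to show that it is ignored when ordering the work.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str
    automated: bool        # a point-and-click tool or script already exists
    skill: int             # 1 (anyone) .. 9 (0-day research required)
    remediation_hours: float
    vendor_severity: str   # LOW / MEDIUM / HIGH, deliberately not used for ordering


def circle(f: Finding) -> int:
    """Map a finding to a circle 1..9.

    Fully automated attacks sit in limbo (circle 1) regardless of the skill
    it took to build the tool; everything else is placed by the skill needed
    to exploit it, capped at the center (circle 9) for 0-day-class work.
    """
    if f.automated:
        return 1
    return max(2, min(9, f.skill))


def fix_order(findings):
    """Order findings by circle ascending (easiest to exploit first), then by
    remediation effort ascending, then by name for a stable result.

    The effect is the post's rule: if anyone can do it, it is fixed first and
    fastest, and the 'l33t' issues come afterwards.
    """
    return sorted(findings, key=lambda f: (circle(f), f.remediation_hours, f.name))


# Constructed sample findings for illustration only.
SAMPLE_FINDINGS = [
    Finding("unauthenticated RCE in custom protocol parser", False, 8, 40.0, "HIGH"),
    Finding("race condition in session renewal", False, 6, 16.0, "LOW"),
    Finding("default admin credentials on web console", True, 1, 0.5, "MEDIUM"),
    Finding("SQL injection in search parameter", True, 2, 4.0, "HIGH"),
]


def fix_order_names(findings=SAMPLE_FINDINGS):
    """Convenience wrapper returning just the names in fix order."""
    return [f.name for f in fix_order(findings)]


if __name__ == "__main__":
    for f in fix_order(SAMPLE_FINDINGS):
        print(f"circle {circle(f)}  {f.remediation_hours:>5}h  {f.vendor_severity:<6} {f.name}")
```

Note that the MEDIUM-rated default credentials come out ahead of the HIGH-rated RCE: the script-driven issue is in circle 1 and takes half an hour to fix, so it is done first, and the 0-day-class work follows.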
It’s up to us, the InfoSec community, to make these issues meaningful to the suits and systems admins we work with. It’s our JOB to do the basics, because there are plenty of people who will try the basics on us.