Re: Universal vs. Environmental Policy, and the "vulnerability" term
> If we can agree that it makes sense to distinguish between Universal
> Policy Violations (UPV) and Environmental Policy Violations (EPV),
> then is an EPV a "vulnerability"?

No, but see below. A policy violation may result from misplaced trust
(sabotage, incompetence, negligence, etc.) as well as from an attack on a
vulnerability. Therefore EPVs are a superset of what can be done with
vulnerabilities, and other things too. To be a vulnerability, a fault must
be exploitable to result in a policy violation, but a policy violation does
not necessarily map back to a single specific low-level vulnerability.

There is some confusion in this debate between detecting policy violations
(e.g., service x is running), suggesting low-level policies (e.g., service
x should not be running because its design is insecure), low-level
vulnerabilities, and macro-system-level vulnerabilities -- let's call those
"macrovulnerabilities". Let me define macrovulnerabilities as
vulnerabilities that arise from the assembly of services, hardware and
software in a specific environment, while each of those individually does
what it is supposed to do and nothing else.

Let me go back to the fundamental rule of security: security through
obscurity is not security. Therefore, services that enable the gathering
of information are not real vulnerabilities or macrovulnerabilities. If
having them running makes such a difference to your perceived security,
then maybe your systems are not secure. I am against including those in
the CVE. If we make the CVE a list of Bad Ideas, it will grow to infinity.

Are services insecure because they contain vulnerabilities, or because they
are ill-designed services for which no implementation can ever be secure?
In the first case, there should be a CVE entry for those vulnerabilities
but not for the service. If having the latter kind running allows someone to
circumvent other common policies, then the service is a macrovulnerability.
I think that services falling in this category deserve a CVE entry. In
such a case I believe that there can be a one-to-one mapping between a
macrovulnerability and a low-level policy.

Does this make sense?
Microsoft Windows is also a way of thinking - or not thinking, to be more
-- RA Downes Radsoft Laboratories