Risk assessment means that, for the system environment of each enterprise, you comprehensively determine your degree of urgency based on the information gathered in " ". In an environment where you have properly implemented hardening as described in Chapter 2 "Hardening", you will often find that an "urgent application" is unnecessary, because the degree of urgency is lower than in an environment where hardening has not been implemented.
Microsoft assigns a severity rating to each Microsoft security vulnerability report to help you determine the urgency of applying the security update program. The following table lists the ratings and their definitions. Note, however, that this rating assumes that you have not implemented hardening for your system. You should determine the degree of urgency for your enterprise by comprehensively assessing such aspects as the importance of your system and the state of your hardening implementation. In an environment where you have properly implemented hardening as described in Chapter 2 "Hardening", the degree of urgency is less critical than in an environment where hardening has not been implemented.
Table 15: Sites Providing Information on Security Vulnerability
Site Name | Address
Microsoft Security Bulletin Summaries | http://www.microsoft.com/technet/security/bulletin/summary.mspx
Microsoft TechNet Security Center | http://www.microsoft.com/technet/security/default.mspx
Microsoft Security Notification Service | http://www.microsoft.com/technet/security/bulletin/notify.mspx
For more information, see the Microsoft Security Response Center Security Bulletin Severity Rating
System (http://www.microsoft.com/technet/security/bulletin/rating.mspx).
This whitepaper uses four categories to describe the urgency of applying the security update program:
"Urgent application", "Applying during regular operation", "Applying with the service pack", and "No
application". Determine the appropriate emergency assessment category to suit your operation
depending on your system environment and security policies.
Table 16: Definitions of the Severity Ratings
Rating | Definition
Critical | Describes a vulnerability that, if exploited, could allow propagation of an Internet worm without user action.
Important | Describes a vulnerability that, if exploited, could compromise user data confidentiality, integrity, or availability, as well as compromise the integrity or availability of processing resources.
Moderate | Describes a vulnerability for which the possibility of exploitation is significantly lessened by the existing configuration, or by the difficulty of infiltration or exploitation.
Low | Describes a vulnerability that is extremely difficult to exploit or the exploitation of which has minimal impact.
Example of the Emergency Assessment Categories
Urgent application | Apply within 1 month.
Applying during the regular course of operation | At least once every 3 to 6 months.
Applying with the service pack | When installing the next service pack.
No application |
Additional information: You can also obtain general emergency assessment from http://www.microsoft.com/technet/itsolutions/techguide/msm/default.mspx.
Note that this example of the emergency assessment categories is based on actual SAP-related consulting cases handled by Microsoft Consulting Services, with some changes. When deciding your emergency assessment category, you should consider the trade-offs among various assessment factors, such as your hardening circumstances, risks, costs, the time necessary to assess the security update program, and other practicalities.
Assessing the Consequences and Urgency of the Vulnerability
As described above, Microsoft releases information about security vulnerabilities once a month. But taking measures against every security vulnerability would increase the cost and downtime of your system, resulting in decreased availability. Since the consequences of a vulnerability vary depending on the environment, it is important to determine the degree of urgency for your particular situation. Even if the maximum severity rating of the security vulnerability is "Critical", if you do not use the particular vulnerable service, in many cases you can respond to the vulnerability by applying the update during the regular course of operation (once every 3 to 6 months) or with the next service pack. To reduce the operational cost of applying the security update program and to maintain high availability, you can create a matrix as one method for determining the consequences of the vulnerability and the degree of urgency. This whitepaper refers to it as the vulnerability assessment matrix.
What is a Vulnerability Assessment Matrix?
The vulnerability assessment matrix is a matrix that can help you to determine the consequences of the
vulnerability on your system and the countermeasures to take against it, even if your system
environment is complex. You can create the matrix based on the information provided by Microsoft
about the security vulnerability.
Example of a Method for Determining the Degree of Urgency
Creating the Vulnerability Assessment Matrix
The vulnerability assessment matrix consists of three major parts: "Organizing the information about the security vulnerability", "Assessing the pros and cons of the risk", and "Determining the degree of urgency for applying the security update program for each enterprise". Once you have organized the information about the security vulnerability, you can create the steps "Organizing the information about the security vulnerability" and "Assessing the pros and cons of the risk". The portion "Organizing the information about the security vulnerability" is taken from the monthly Security Bulletin described in section " " (summarized from http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx, for example), available from the Microsoft Security Bulletin Summaries at http://www.microsoft.com/technet/security/bulletin/summary.mspx. For the contents of the excerpt, see the following section, "Organizing the Information about the Security Vulnerability". The part "Assessing the pros and cons of the risk" is created from the information organized in "Organizing the Information about the Security Vulnerability" together with your system configuration, and provides the criteria for determining the degree of urgency. From this determination, you can decide when to apply the security update program.
To create the vulnerability assessment matrix, you must perform the following steps.
Figure 31 – Process for Creating the Vulnerability Assessment Matrix (Step 1: Organizing Information about Security Vulnerability; Step 2: Assessing Pros and Cons of Risks)
Organizing the Information about Security Vulnerability
In this step, you organize the following information about the security vulnerability.
- Consequences of the vulnerability
- Maximum severity rating
- Affected software
- Technical details
  - Technical description
  - Mitigating factors
- Workarounds
- Information about the security update program
  - Restart requirement
  - Information about uninstalling the program
Assessing the Pros and Cons of the Risk
Assess each criterion based on the information from the step "Organizing the Information about Security Vulnerability".
- Are there consequences of the vulnerability?
  - Is there an affected OS?
  - Are there affected products or functionality?
- Is it possible for someone to attack anonymously? (simply an open port makes such an attack possible)
- Is it possible for someone to obtain or upgrade privileges?
- There is no effective workaround.
- Is it possible that the hardening implemented by each enterprise is not effective?
Determining the Degree of Urgency
The degree of urgency for each enterprise is determined by the result of the step "Assessing the Pros and Cons of the Risk". See below for examples. In the first example, the determination is "Urgent application" because all the criteria in "Assessing the Pros and Cons of the Risk" apply to the system. In the second example, the determination is "Applying during regular operation" because the criterion "Your system is affected by the vulnerability" applies to the system and the maximum severity rating is "Important". The determination will vary depending on system configurations and environments.
Table 17: Determining Whether to Apply the Security Update Program
Determination | Criteria
Urgent application | All the criteria in the "Assessing the Pros and Cons of the Risk" apply to your system.
Applying during regular operation | The criterion "Are there consequences of the vulnerability?" applies to your system and the maximum severity rating is "Critical" or "Important".
Applying with the service pack | The criterion "Are there consequences of the vulnerability?" applies to your system and the maximum severity rating is other than "Critical" or "Important".
No application | Your system is not affected.
To help in the determination of whether to apply the security update program, you may want to create a flowchart. Note that the flowchart will vary according to system configurations and environments.
Figure 32 – Sample Flowchart for Determining Whether to Apply the Security Update Program
(Flowchart nodes: Start → Affected by the Pros/Cons of the Risk? NO → No application; YES → Pros and Cons of the Risk: All criteria apply to the system? YES → Urgent application; NO → Maximum severity is "Critical" or "Important"? YES → Apply during the regular course of operation; NO → Apply with the service pack.)
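The checklist from "Assessing the Pros and Cons of the Risk" and the Table 17 / Figure 32 decision rules, encoded as an added example that is not the whitepaper's own code. The `Assessment` class, its field names and the per-host treatment of Sample 3 are assumptions made here; the answers themselves come from Tables 18 to 20.

```python
from dataclasses import dataclass

# Constructed encoding of the "Assessing the Pros and Cons of the Risk"
# checklist and the Table 17 / Figure 32 rules; an added example, not code
# from the whitepaper. The two sub-questions (affected OS, affected products
# or functionality) are folded into the single `affected` answer.
URGENT = "Urgent application"
REGULAR = "Applying during regular operation"
SERVICE_PACK = "Applying with the service pack"
NO_APPLICATION = "No application"

@dataclass(frozen=True)
class Assessment:
    bulletin: str
    max_severity: str            # "Critical", "Important", "Moderate" or "Low"
    affected: bool               # Are there consequences of the vulnerability?
    anonymous_attack: bool       # Is it possible for someone to attack anonymously?
    privilege_gain: bool         # Is it possible for someone to obtain privileges?
    no_workaround: bool          # There is no effective workaround.
    hardening_ineffective: bool  # Hardening implemented may not be effective.

    def all_criteria_apply(self) -> bool:
        return all((self.affected, self.anonymous_attack, self.privilege_gain,
                    self.no_workaround, self.hardening_ineffective))

def determine_urgency(a: Assessment) -> str:
    """Apply the Table 17 rules in the order the Figure 32 flowchart asks them."""
    if not a.affected:
        return NO_APPLICATION
    if a.all_criteria_apply():
        return URGENT
    if a.max_severity in ("Critical", "Important"):
        return REGULAR
    return SERVICE_PACK

# Sample 1 (MS03-026, Table 18): every criterion applies.
SAMPLE_1 = Assessment("MS03-026", "Critical", True, True, True, True, True)
# Sample 2 (MS04-003, Table 19): no anonymous attack, a workaround exists.
SAMPLE_2 = Assessment("MS04-003", "Important", True, False, True, False, True)
# Sample 3 (MS04-006, Table 20), assessed per host (assumption): WINS is not
# installed by default, so only a host running WINS is affected.
SAMPLE_3_NO_WINS = Assessment("MS04-006", "Important", False, False, False, False, True)
SAMPLE_3_WINS = Assessment("MS04-006", "Important", True, False, False, False, True)

if __name__ == "__main__":
    for a in (SAMPLE_1, SAMPLE_2, SAMPLE_3_NO_WINS, SAMPLE_3_WINS):
        print(f"{a.bulletin}: {determine_urgency(a)}")
```

Splitting Sample 3 into a WINS host and a non-WINS host reproduces the page's determination for that bulletin: no application on hosts without WINS, application during regular operation on the WINS server.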
Table 18: Vulnerability Assessment Matrix
Determination Sample 1 - Hardening has not been Implemented
Step 1: Organizing the Information about Security Vulnerability
Security Bulletin No. | MS03-026
URL for information about the vulnerability | http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
Original release date of the vulnerability information report | July 17, 2003
Time elapsed between information release and occurrence of computer virus | -
Affected software | Microsoft Windows NT Server 4.0; Microsoft Windows NT Server 4.0 Terminal Server Edition; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Maximum Severity Rating | Critical
Nature of the vulnerability | Buffer overruns in RPC interface could allow code execution (823980) (MS03-026)
Characteristics | There is a vulnerability in a part of RPC that handles message exchange over TCP/IP. The issue stems from incorrect handling of illegal messages.
Mitigating factors | In order to exploit this vulnerability, the attacker would need to have specially altered or sent a request to port 135, 139, 445 on the remote machine, or to another port configured for RPC.
Restart required | Yes
This security update program can be uninstalled | Yes
Step 2: Assessing the Pros and Cons of the Risk
Are there consequences of the vulnerability? | Yes
  Is there an affected OS? | Yes
  Are there affected products or functionality? |
Is it possible for someone to attack anonymously? | Yes
Is it possible for someone to obtain privileges? | Yes
There is no effective workaround. | Yes
Is it possible that the hardening implemented by each enterprise is not effective? | Yes
Step 3: Determining Degree of Urgency for Applying Security Update Program for each Enterprise
Determination | Urgent application. (After hardening is implemented, the degree of urgency will be lessened.)
Table 19: Vulnerability Assessment Matrix
Determination Sample 2 - Hardening has not been Implemented
Step 1: Organizing the Information about Security Vulnerability
Security Bulletin No. | MS04-003
URL for information about the vulnerability | http://www.microsoft.com/technet/security/bulletin/MS04-003.mspx
Original release date of the vulnerability information report | January 14, 2004
Time elapsed between information release and occurrence of computer virus | -
Affected software | Microsoft Windows
Maximum Severity Rating | Important
Nature of the vulnerability | Buffer overrun in MDAC function could allow code execution (832483)
Characteristics | Microsoft Data Access Components (MDAC) is a collection of components that provides the underlying functionality for a number of database operations, such as connecting to remote databases and returning data to a client.
Mitigating factors | For an attack to be successful, an attacker would have to simulate an SQL server that is on the same IP subnet as the target system.
Restart required | Yes
This security update program can be uninstalled | No
Step 2: Assessing the Pros and Cons of the Risk
Are there consequences of the vulnerability? | Yes
  Is there an affected OS? | Yes
  Are there affected products or functionality? | -
Is it possible for someone to attack anonymously? | No
Is it possible for someone to obtain privileges? | Yes
There is no effective workaround. | No
Is it possible that the hardening implemented by each enterprise is not effective? | Yes
Step 3: Determining Degree of Urgency for Applying Security Update Program for each Enterprise
Determination | Apply during the regular course of operation. (After implementing hardening, the degree of urgency will be lessened.)
Table 20: Vulnerability Assessment Matrix
Determination Sample 3 - Hardening has not been Implemented
Step 1: Organizing the Information about Security Vulnerability
Security Bulletin No. | MS04-006
URL for information about the vulnerability | http://www.microsoft.com/technet/security/bulletin/MS04-006.mspx
Original release date of the vulnerability information report | February 11, 2004
Time elapsed between information release and occurrence of computer virus | -
Affected software | Microsoft Windows NT Server; Microsoft Windows 2000 Server; Microsoft Windows Server 2003
Maximum Severity Rating | Important
Nature of the vulnerability | Vulnerability in the Windows Internet Naming Service (WINS) could allow code execution (830352)
Characteristics | A security vulnerability exists in the Windows Internet Naming Service (WINS). This vulnerability exists because of the method that WINS uses to validate the length of specially-crafted packets.
Mitigating factors | The WINS service is not installed by default.
Restart required |
This security update program can be uninstalled |
Step 2: Assessing the Pros and Cons of the Risk
Are there consequences of the vulnerability? | No
  Is there an affected OS? | No
  Are there affected products or functionality? | No
Is it possible for someone to attack anonymously? | No
Is it possible for someone to obtain privileges? | No
There is no effective workaround. | No
Is it possible that the hardening implemented by each enterprise is not effective? | Yes
Step 3: Determining Degree of Urgency for Applying Security Update Program for each Enterprise
Determination | Only needs to be applied to the WINS server. Application to the WINS server during regular operation. (After hardening is implemented, the degree of urgency will be lessened.)