Gauging the Severity of Software Feature Misuse
NIST Scoring System Assesses Risk of Software Features
It's a common IT security axiom: no system is ever fully secure. Every system has vulnerabilities.
To help organizations minimize those vulnerabilities, the National Institute of Standards and Technology has issued a new guide that describes a scoring system information security managers can use to assess the severity of security risks arising from software features.
NIST Interagency Report 7864 - The Common Misuse Scoring System (CMSS): Metrics for Software Feature Misuse Vulnerabilities - provides a systematic way for organizations to measure the severity of software feature misuse - dangerous or illicit e-mail practices, for example - so that enterprises can decide how to handle the problem.
While attention often focuses on software flaws, such as bugs that crash a system, software features also introduce vulnerabilities. Intentional or accidental misuse of software features has the potential to leak sensitive information, corrupt data or reduce system availability, NIST says.
NIST categorizes software vulnerabilities in three general categories:
- Software flaws, such as coding errors that allow security breaches.
- Configuration vulnerabilities, which arise from setting software up improperly, for example in a way that gives a program access to data it shouldn't see.
- Software feature misuse. A more subtle problem, software feature misuse lets savvy attackers violate the trust assumptions built into a feature - that a user will only open attachments from people they know, for instance - and so subvert a system's security without exploiting any flaw.
Guidance co-author Karen Scarfone cites, as an example, malicious users who undermine the security of e-mail software. "Two common problems are social engineering and insider threats," she says.
When users open a malicious e-mail attachment or link, the attackers who sent the message can gain access to the organization's network to steal valuable information or bring systems down. Malicious insiders can use e-mail attachments to send valuable company data or documents to outsiders. Both problems can be very expensive, costing organizations money, exposing valuable data and damaging the company's reputation.
NIST says the Common Misuse Scoring System specification lets risk assessment managers determine a misuse vulnerability's potential effect on the network so they can take remediation steps to secure the system. The Common Misuse Scoring System is designed to work alongside two existing scoring systems - the Common Vulnerability Scoring System (CVSS) and the Common Configuration Scoring System (CCSS), the latter also developed by NIST - which rate software flaw vulnerabilities and security configuration issues respectively.
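To show what "scoring" a feature misuse actually involves, here is an added worked example; it is not code from the article or from NIST. It assumes, as NIST IR 7864 states, that the CMSS base metrics (Access Vector, Access Complexity, Authentication, and Confidentiality, Integrity and Availability impact) and the CMSS base equation are the same as those of CVSS version 2, and it reuses the published CVSS v2 metric values. The two scenario vectors are the editor's own illustrative choices for the e-mail cases described above, not ratings taken from the report; the resulting scores are what the base equation produces for those inputs.

```python
"""Added example: CMSS-style base scores for two constructed e-mail misuse scenarios."""
from decimal import Decimal, ROUND_HALF_UP

# Published CVSS v2 metric values, which the CMSS base metrics reuse (assumption
# stated in the lead-in: CMSS base metrics and equation mirror CVSS v2).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}     # Local / Adjacent network / Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}  # High / Medium / Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}    # Multiple / Single / None
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}            # None / Partial / Complete

METRIC_TABLES = {
    "AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
    "C": IMPACT, "I": IMPACT, "A": IMPACT,
}


def parse_vector(vector: str) -> dict:
    """Parse 'AV:N/AC:M/Au:N/C:P/I:P/A:P' into {metric: letter}, rejecting unknown or missing metrics."""
    metrics = {}
    for part in vector.split("/"):
        name, _, value = part.partition(":")
        if name not in METRIC_TABLES or value not in METRIC_TABLES[name]:
            raise ValueError(f"bad metric {part!r}")
        metrics[name] = value
    missing = set(METRIC_TABLES) - set(metrics)
    if missing:
        raise ValueError(f"missing metrics: {sorted(missing)}")
    return metrics


def base_score(vector: str) -> float:
    """CVSS v2 base equation (shared by CMSS), rounded half-up to one decimal place."""
    m = parse_vector(vector)
    # Impact sub-score: 10.41 * (1 - (1-C)(1-I)(1-A)); 0 when nothing is affected.
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    # Exploitability sub-score: 20 * AV * AC * Au.
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    if impact == 0:
        return 0.0  # f(Impact) is 0 when there is no impact, so the base score is 0
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * 1.176
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


# Constructed scenarios (editor's illustrative metric choices, not values from NIST IR 7864):
# - a remote sender relies on social engineering (AC:M) to get a user to open a
#   malicious attachment, no credentials needed, partial loss across C/I/A;
# - an authenticated insider (AV:L, Au:S) mails sensitive documents out, a
#   complete confidentiality loss with no integrity or availability effect.
SCENARIOS = {
    "user opens malicious e-mail attachment": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
    "insider e-mails sensitive documents outside": "AV:L/AC:L/Au:S/C:C/I:N/A:N",
}


def rank_scenarios(scenarios: dict) -> list:
    """Return (score, name) pairs, highest score first, the order a manager would triage them in."""
    return sorted(((base_score(v), name) for name, v in scenarios.items()), reverse=True)


if __name__ == "__main__":
    for score, name in rank_scenarios(SCENARIOS):
        print(f"{score:4.1f}  {name}")
```

The point of the exercise is not the two numbers themselves but that both misuse cases, which involve no software flaw at all, end up on the same 0 to 10 scale as a CVSS-rated buffer overflow or a CCSS-rated weak configuration, so they can be triaged against each other. In practice the metric letters are where the judgement lies: the same scoring arithmetic rates an attachment-borne compromise higher than the insider leak here only because of how the editor chose to characterise each case.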