
Given a situation where a system has SSL 3.0 and TLS 1.0 enabled, would the following mapping be accurate:

Weakness/vulnerability: The remote service accepts connections encrypted using TLS 1.0 and SSL 3.0.

Threat: An attacker can exploit these flaws to conduct man-in-the-middle attacks or to decrypt communications between the affected service and clients.

Risk = Threat × Vulnerability: So in the above case, we would calculate risk by looking at the probability that an attacker can exploit flaws in the TLS 1.0 and SSL 3.0 protocols?

Are my assumptions correct?

  • A risk can be calculated strictly by taking into consideration the probability of a vulnerability being exploited multiplied by the severity (the damage done) in case it is. The probability of a vulnerability being exploited is given by its existence and how well it is known, and how much it was exploited in the past. An older, well-documented vulnerability will have a higher chance of being exploited compared to a newer, undocumented one. – Overmind Feb 10 '20 at 08:03
  • OK, but am I right about what the **threat** in the above example is? – user211245 Feb 10 '20 at 08:21
  • It's a matter of interpretation. You can state that the threat is only the possible attacker, or you can state that the threat can be considered the attacker + the vulnerability, because if you are immune to the vulnerability there is no threat even if there is an attacker. – Overmind Feb 10 '20 at 08:38
  • @Overmind risk can also be calculated without "impact" by using the Threat × Vulnerability approach (it basically just assesses general likelihood). It's more of a measure of "exposure". – schroeder Feb 13 '20 at 21:45
  • @user211245 why do you want to calculate risk and what will you do with the assessment? The answer will help refine answers. – schroeder Feb 13 '20 at 21:47
