Enumeration of Technical Impacts
Each weakness, if successfully exploited, can lead to one or more potential Technical Impacts:
- Modify data
- Read data
- DoS: unreliable execution
- DoS: resource consumption
- Execute unauthorized code or commands
- Gain privileges / assume identity
- Bypass protection mechanism
- Hide activities
Note that some of these items are abstractions of the technical impact enumeration used in CWE 2.0, which includes more specific values such as "Modify memory", "Read application data", and "Memory consumption". Those values are overly specific and offer limited flexibility; CWSS addresses this by separating the kind of impact from the layer at which it occurs.
Within CWRAF and CWSS, the successful exploitation of a weakness could have varying impacts at four different "layers":
- System - The entity has access to, or control of, a system or physical host.
- Application - The entity has access to an affected application.
- Network - The entity has access to/from the network.
- Enterprise - The entity has access to a critical piece of enterprise infrastructure, such as a router, DNS, etc.
The user then evaluates all possible combinations of Technical Impact and Impact Layer (32 possibilities as of CWSS 0.8) and captures the
analysis within the Technical Impact Scorecard, which contains the
following information:
| Field | Description |
|---|---|
| Impact | The kind of Technical Impact under consideration. |
| Layer | The layer at which the Technical Impact could reside. Four impact layers are defined: System, Application, Network, and Enterprise. These layers are used by the Required Privilege Layer and the Acquired Privilege Layer factors in CWSS. |
| Importance | A value between 0 and 10 that quantifies the impact of any weakness that can be exploited to have the given Impact at the specified Layer. Also referred to as a "Subscore." |
| Notes | Explanations and rationales for the score, describing the associated business impact if the given weakness could be successfully exploited. |
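The following is an added example, not code from MITRE's CWRAF or CWSS materials, showing how the scorecard described above can be held as a data structure: the eight Technical Impacts and four Impact Layers enumerate the 32 combinations, each cell carries an Importance (Subscore) validated to the 0..10 range plus free-text Notes, and unassessed cells stay visible rather than silently defaulting. The sample values for a "web shop" vignette are constructed for illustration, and the `worst_case` helper (taking the maximum Subscore over the impacts a weakness could cause) is an assumption for the example, not the CWSS aggregation formula.

```python
"""Technical Impact Scorecard helper (added example; not MITRE's own code)."""
from dataclasses import dataclass
from itertools import product
from typing import Dict, Iterable, List, Tuple

# The eight Technical Impacts and four Impact Layers named on the page.
TECHNICAL_IMPACTS = (
    "Modify data",
    "Read data",
    "DoS: unreliable execution",
    "DoS: resource consumption",
    "Execute unauthorized code or commands",
    "Gain privileges / assume identity",
    "Bypass protection mechanism",
    "Hide activities",
)
IMPACT_LAYERS = ("System", "Application", "Network", "Enterprise")

Key = Tuple[str, str]  # (impact, layer)


def all_combinations() -> List[Key]:
    """Every (impact, layer) pair the scorecard must cover: 8 x 4 = 32."""
    return list(product(TECHNICAL_IMPACTS, IMPACT_LAYERS))


@dataclass
class ScorecardEntry:
    impact: str
    layer: str
    importance: float  # the "Subscore", must lie in 0..10
    notes: str
    assessed: bool = True

    def __post_init__(self) -> None:
        # Reject values outside the page's enumerations and the 0..10 range.
        if self.impact not in TECHNICAL_IMPACTS:
            raise ValueError(f"unknown Technical Impact: {self.impact!r}")
        if self.layer not in IMPACT_LAYERS:
            raise ValueError(f"unknown Impact Layer: {self.layer!r}")
        if not 0 <= self.importance <= 10:
            raise ValueError(f"Importance must be 0..10, got {self.importance}")


class TechnicalImpactScorecard:
    def __init__(self) -> None:
        # Pre-populate all 32 cells so a missing assessment is visible, not silent.
        self._cells: Dict[Key, ScorecardEntry] = {
            (imp, lay): ScorecardEntry(imp, lay, 0.0, "not yet assessed", assessed=False)
            for imp, lay in all_combinations()
        }

    def score(self, impact: str, layer: str, importance: float, notes: str) -> None:
        """Record the Importance and Notes for one (impact, layer) cell."""
        entry = ScorecardEntry(impact, layer, float(importance), notes)
        self._cells[(impact, layer)] = entry

    def subscore(self, impact: str, layer: str) -> float:
        return self._cells[(impact, layer)].importance

    def unassessed(self) -> List[Key]:
        """Cells the analyst has not yet scored."""
        return [k for k, cell in self._cells.items() if not cell.assessed]

    def worst_case(self, possible: Iterable[Key]) -> float:
        """Assumption for this example: the highest Subscore among the
        (impact, layer) pairs a weakness could produce. Not the CWSS formula."""
        return max(self.subscore(imp, lay) for imp, lay in possible)


def build_example_scorecard() -> TechnicalImpactScorecard:
    """Constructed sample values for a hypothetical customer-facing web shop."""
    sc = TechnicalImpactScorecard()
    sc.score("Read data", "Application", 8, "Customer records; breach-notification cost")
    sc.score("Modify data", "Application", 9, "Order/price tampering is direct financial loss")
    sc.score("Execute unauthorized code or commands", "System", 10, "Full host compromise")
    sc.score("DoS: resource consumption", "Network", 6, "Storefront outage; revenue lost per hour")
    sc.score("Hide activities", "Enterprise", 7, "Undetected intrusion extends dwell time")
    return sc


if __name__ == "__main__":
    card = build_example_scorecard()
    print("combinations:", len(all_combinations()))
    print("unassessed cells:", len(card.unassessed()))
    # A hypothetical weakness that could either read or modify application data.
    print("worst case:", card.worst_case([("Read data", "Application"),
                                          ("Modify data", "Application")]))
```

Running the module lists how many of the 32 cells remain unassessed, which is the check an analyst wants before handing a vignette's scorecard to CWSS scoring.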