Measuring the security risks to which a system is subject is a notoriously difficult proposition. Relative strengths of different kinds of protection mechanisms are hard to evaluate, and much depends upon hard to measure variables such as motivation of intruders, the amount of resources an intruder has available, the kinds of uses to which the system will be put, and the type of environment in which the system operates. The problem becomes even more difficult when the system is one with a known vulnerability. Here the risk of using the system must be decided upon by weighing the difficulty of exploiting the vulnerability, the intruder's resources, the payoff to the intruder of exploiting the vulnerability, and the presence of other vulnerabilities in the system that may or may not be easier to exploit.
Although the risk of using systems with known vulnerabilities is hard to quantify, it is a problem that faces us daily. Even when a system is itself secure, it may have to interact with systems with known vulnerabilities. What risk is involved in allowing these systems access to its resources, and what services can it allow these systems to perform for it with a reasonable degree of assurance that it is not courting disaster?
Although it may not be possible to quantify exactly the degree of risk posed by a vulnerability, it is still possible to develop techniques that allow one to compare risks posed by different vulnerabilities. One such technique is to outline the procedure that an intruder would have to go through in order to take advantage of the vulnerability. If the procedure can be broken down into a set of well-defined components, then it may be possible to evaluate, or at least compare, the difficulty of executing each component and the payoffs gained by executing it. This understanding may lead us to a greater understanding of the difficulty and payoffs involved in the attack as a whole.
In our approach, an attack is divided into a number of stages, each of which consists of a sequence of atomic events. One stage may facilitate another in the sense that the second stage cannot complete until the first does. We also develop a taxonomy of stages in terms of various features that may affect the difficulty of completing a stage successfully. The difficulty of successfully completing a stage, and the likelyhood of its being attempted, is estimated on the basis of its place in the taxonomy. This can be used to give an estimate or rough idea of the difficulty of that attack as a whole. Finally, we develop a graphical means of representing attacks where the stages and the relationships between them are emphasized. Our intent is to give a simple easy-to-read representation that can be used to give help in comparing the severity and likelyhood of different attacks, even when exact numeric figures are absent.