Gauging the Severity of Software Feature Misuse

NIST Scoring System Assesses Risk of Software Features
Gauging the Severity of Software Feature Misuse

It's a common IT security axiom: no system is ever fully secure. Every system has vulnerabilities.

See Also: OnDemand | Bolstering Australia’s Security Posture with Accelerated ZTNA

To help organizations minimize those vulnerabilities, the National Institute of Standards and Technology has issued a new guide that describes a scoring system information security managers can use to assess the severity of security risks arising from software features.

NIST Interagency Report 7864 - The Common Misuse Scoring System: Metrics for Software Feature Misuse Vulnerabilities - provides a systematic way for organizations to determine the severity of software feature misuse - dangerous or illicit e-mail practices, for example - so enterprises can determine how to handle the problem.

While attention often focuses on software flaws such as system crashes, software features also introduce vulnerabilities. Intentional or accidental misuse of software features has the potential to leak sensitive information, corrupt data or reduce system availability, NIST says.

NIST categorizes software vulnerabilities in three general categories:

  1. Software flaws, such as coding errors that allow security breaches.
  2. Configuration vulnerabilities, which come from setting the software up improperly. That allows program access to data it shouldn't see.
  3. Software feature misuse. Though a more subtle problem, software feature misuse could allow savvy attackers to violate the trust assumptions that are inherent in software features to subvert a system's security.

Guidance co-author Karen Scarfone cites, as an example, malicious users who undermine the security of e-mail software. "Two common problems are social engineering and insider threats," she says.

When users open up a bad e-mail attachment or link, the hackers who sent the e-mail can access the organization's computer network to steal valuable information or bring it down. Malicious users can use e-mail attachments to send out valuable company data or documents to outsiders. Both problems can be very expensive, costing organizations money, exposing valuable data and hurting the company's reputation.

NIST says the Common Misuse Scoring System specification allows risk assessment managers to determine vulnerability's potential affect on the network so they can remediation steps to secure the system. The Common Misuse Scoring System is designed to work with existing scoring systems - Common Vulnerability and Common Configuration - developed by NIST to categorize software flaw vulnerabilities and security configuration issues.

About the Author

Information Security Media Group

Information Security Media Group (ISMG) is the world's largest media company devoted to information security and risk management. Each of its 37 media sites provides relevant education, research and news that is specifically tailored to key vertical sectors including banking, healthcare and the public sector; geographies from North America to Southeast Asia; and topics such as data breach prevention, cyber risk assessment and fraud. Its yearly global summit series connects senior security professionals with industry thought leaders to find actionable solutions for pressing cybersecurity challenges.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.