Friday, December 4, 2009

Severity

Once a vulnerability has been used against a host, this does not necessarily mean that the entire computer has been compromised, or even that anything on the system has been compromised at all. All that is certain is that security on the host has been lessened to some degree. While constructing the DMW Worldwide Vulnerability Database (containing over 2,000 vulnerabilities at the time of this writing) it was evident early on that common patterns exist in the consequences of a vulnerability, and that the consequence rarely had anything to do with the method. Looking at the highest level of security concern, I created the following six-category taxonomy for describing the severity of a vulnerability:

• Highest level of administrator access

• Read restricted information

• Regular user or limited access account

• Spoofing

• Non-detectability

• Denial of service

The first three outcomes are the most severe, because they allow some form of on-host interaction. Once an intruder has gained access to a host, a different set of possible ways to heighten that access opens up. Once administrator access has been attained, an intruder can embed themselves into the host by modifying software to ensure easier access later.

For the other three levels of severity: spoofing causes one entity to assume the identity of another, either a user becoming another user or a computer on a network appearing as another computer. Non-detectability (or bypassing of logging agents) is the category that defines how one would become invisible on the host. This is typically done in combination with another vulnerability or attack method, because in and of itself it does not gain any additional access, merely the ability to "get away" with much more than normal. Denial of service is used primarily to disable processes on the system so that others cannot use it, such as locking up the computer.

Administrator Access

Gaining administrator access, the goal of most hackers, grants access to all features of the computer system. When a hacker attains this level of access and is detected, most administrators would opt for reloading the entire operating system because of the backdoors the hacker may have installed. However, attaining this degree of access is not any more difficult than regular access, and is sometimes easier, because of all the extra software on the computer that grants administrator rights temporarily (setuid programs, for example), and because services running on the host often run inherently as administrator.

Read Restricted Files

Restricted files could be anything from a peek at the shadowed password file to complete access to all of the files on the host. This degree of access does not guarantee that any other level of access can be gained, but the ability to snoop information that can lead an intruder to that goal is certainly available.

Regular User Access

Regular user access gives the intruder the ability to act as a regular user of the host, or to switch to another user of the host. No matter how it is attained, it is a level of access that is not the administrator's, and therefore additional access is required to install system-level backdoors. However, once at this stage, it becomes considerably easier to escalate access.

Spoofing

Spoofing is the assuming of another's identity. A spoof can lead to a violation of the web of trust, which can gain access to a remote host. An example is assuming a server's place on the network when it fails, allowing the spoofing server to collect passwords.

Non-Detectability

All methods of masking an intruder's presence are in this category. Although this step does not imply access to the host, it can be used to elevate access without being detected, or for other shenanigans commonly done by immature computer users.

Denial of Service

This involves breaking something on a host. A process, a service, or even an entire computer can be shut off by a denial of service attack. These attacks are destructive in nature, but they do not yield additional access to information; they merely prevent other people from using it as well.

As a side note, many vulnerabilities will break services, processes, or even computers during exploitation. However, only those that do not also yield higher access are placed in the denial of service group; the rest are filed under the access they yield. This preserves the ordering of severity in the taxonomy, even though such a side effect is definitely annoying. To qualify for the denial of service category, the vulnerability should NOT:

• Leak information from inside of the host

• Allow commands to be executed as a regular user or administrator

• Allow the covering up or loss of log file information
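The rule above (the most severe consequence present decides the class, and denial of service is only the residual category when nothing else applies) can be encoded directly. The following Python is an added example written for this page, not code from the DMW Worldwide Vulnerability Database; the consequence flag names and the sample records are assumptions constructed for illustration.

```python
from enum import IntEnum
from typing import Dict, Iterable, List, Optional, Tuple


class Severity(IntEnum):
    """The six-level taxonomy; a higher value is more severe."""
    DENIAL_OF_SERVICE = 1
    NON_DETECTABILITY = 2
    SPOOFING = 3
    USER_ACCESS = 4
    READ_RESTRICTED = 5
    ADMIN_ACCESS = 6


# Consequence flags an analyst records for one vulnerability, paired with the
# class each implies, listed from most to least severe. The flag names are
# assumed for this example, not a real database schema.
CONSEQUENCE_FLAGS: Tuple[Tuple[str, Severity], ...] = (
    ("executes_as_admin", Severity.ADMIN_ACCESS),
    ("reads_restricted_info", Severity.READ_RESTRICTED),
    ("executes_as_user", Severity.USER_ACCESS),
    ("assumes_identity", Severity.SPOOFING),
    ("evades_logging", Severity.NON_DETECTABILITY),
    ("breaks_service", Severity.DENIAL_OF_SERVICE),
)


def classify(record: Dict[str, object]) -> Optional[Severity]:
    """Return the class of the most severe consequence flag that is set.

    Denial of service therefore only results when breaking a service is the
    sole consequence: a bug that crashes a daemon and also leaks a file, runs
    commands, or hides activity from the logs is filed at that higher level,
    exactly as the exclusion list requires. None means no flag is set.
    """
    for flag, severity in CONSEQUENCE_FLAGS:
        if record.get(flag):
            return severity
    return None


def explain(record: Dict[str, object]) -> Tuple[Optional[Severity], List[str]]:
    """Return the class plus the lower-severity flags it outranks, so a
    reviewer can see which consequences were recorded but not decisive."""
    decided = classify(record)
    outranked = [
        flag for flag, severity in CONSEQUENCE_FLAGS
        if record.get(flag) and decided is not None and severity < decided
    ]
    return decided, outranked


def tally(records: Iterable[Dict[str, object]]) -> Dict[str, int]:
    """Count records per class, as one would when summarising a database."""
    counts = {s.name: 0 for s in Severity}
    for record in records:
        severity = classify(record)
        if severity is not None:
            counts[severity.name] += 1
    return counts


# Constructed sample records, not entries from any real database.
SAMPLE_RECORDS: List[Dict[str, object]] = [
    # setuid overflow: crashes the program but also gives a root shell
    {"id": "A", "executes_as_admin": True, "breaks_service": True},
    # world-readable copy of the shadowed password file
    {"id": "B", "reads_restricted_info": True},
    # connection flood: nothing but lost availability
    {"id": "C", "breaks_service": True},
    # crashing the logging daemon: a loss of log data, so not DoS
    {"id": "D", "evades_logging": True, "breaks_service": True},
    # answering for a failed server to harvest passwords
    {"id": "E", "assumes_identity": True},
]


if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        severity, outranked = explain(record)
        name = severity.name if severity is not None else "unclassified"
        print(record["id"], name, "outranked:", outranked)
    print(tally(SAMPLE_RECORDS))
```

Record D is the case the exclusion list is written for: crashing the logging daemon breaks a service, but because it also loses log data it lands in non-detectability rather than denial of service, and the crash is reported only as an outranked side effect.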

Denial of service problems are usually corrected by simply readjusting the firewall to be more restrictive (if it is a network attack) or by checking the log files of a host to see who was on at the time of the attack. Because the exact time of these attacks is obvious, tracking and preventing denial of service attacks is considerably easier than for the other levels of severity.
