A Proposed New Standard: Common Privacy Vulnerability Scoring System (CPVSS) Jonathan Fox, Privacy Office/PDIT Harold A. Toomey, PSG/ISecG Jason M. Fung,

Slides:

Advertisements

Similar presentations

Information Security Domains Computer Operations Security By: Shafi Alassmi Instructor: Francis G. Date: Sep 22, 2010.

Advertisements

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

11 Auto Regression Analysis Shuang He Intel Linux Graphics Validation Team Open Source Technology Center

Topics Changes Risk Assessments Cloud Data Security / Data Protection Licenses, Copies, Instances Limits of Liability and Indemnification Requests for.

Software & Services Group Developer Products Division Copyright© 2013, Intel Corporation. All rights reserved. *Other brands and names are the property.

Research Development for Android Coopman Tom. What is Android?  Smartphone operating system  Google  Popular  ‘Easy to develop’  Open-Source  Linux.

Intel® Education Fluid Math™

HEVC Commentary and a call for local temporal distortion metrics Mark Buxton - Intel Corporation.

A Move Toward Agile APM: Application Performance Management Frank Ober, Performance Engineer June 2012.

Intel® Education Read With Me Intel Solutions Summit 2015, Dallas, TX.

Intel® Education Learning in Context: Science Journal Intel Solutions Summit 2015, Dallas, TX.

Intel® Solid-State Drive Data Center TCO Calculator The data in this presentation is based on your analysis and business assumptions when using the Intel®

Orion Granatir Omar Rodriguez GDC 3/12/10 Don’t Dread Threads.

Evaluation of a DAG with Intel® CnC Mark Hampton Software and Services Group CnC MIT July 27, 2010.

IBIS-AMI and Direction Indication February 17, 2015 Updated Feb. 20, 2015 Michael Mirmak.

Conditions and Terms of Use

© 2012 Microsoft Corporation. All rights reserved.

K-12 Blueprint Overview March An Overview The K-12 Blueprint offers resources for education leaders involved.

Intel® Education Learning in Context: Concept Mapping Intel Solutions Summit 2015, Dallas, TX.

Copyright 2011, Atmel December, 2011 Atmel ARM-based Flash Microcontrollers 1 1.

Enterprise Platforms & Services Division (EPSD) JBOD Update October, 2012 Intel Confidential Copyright © 2012, Intel Corporation. All rights reserved.

Intel Confidential – For Use with Customers under NDA Only Revision - 01 Legal Disclaimer INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL®

IBIS-AMI and Direction Decisions

IBIS-AMI and Direction Indication February 17, 2015 Michael Mirmak.

Copyright © 2006 Intel Corporation. WiMAX Wireless Broadband Access: The World Goes Wireless Michael Chen Director of Product & Platform Marketing Group.

Recognizing Potential Parallelism Introduction to Parallel Programming Part 1.

A l a d d i n. c o m eSafe 6 FR2 Product Overview.

The Drive to Improved Performance/watt and Increasing Compute Density Steve Pawlowski Intel Senior Fellow GM, Architecture and Planning CTO, Digital Enterprise.

Copyright© 2011, Intel Corporation. All rights reserved. *Other brands and names are the property of their respective owners. 1 How Does The Intel® Parallel.

Boxed Processor Stocking Plans Server & Mobile Q1’08 Product Available through February’08.

1 XIII: Electronic Resources Managing Trials and Evaluations.

Nomenclature for the OGSA Platform document Fred Maciel.

INTEL CONFIDENTIAL Intel® Smart Connect Technology Remote Wake with WakeMyPC November 2013 – Revision 1.2 CDI/IBP #:

IT Audit and Penetration Testing What’s the difference and why should I care?

1 Designing and using normalization rules Yoel Kortick Senior Librarian, Ex Libris.

SUSE Studio: Building distributions By Cool Person From openSUSE.

Only Use FD.io VPP to Achieve high performance service function chaining Yi Intel.

Connectivity to bank and sample account structure

David Hatten Developer, UrbanCode 17 October 2013

Microsoft FastTrack & FY16 Cloud PBX Adoption Offer

Models for Resources and Management

Defining and using an external search profile with multiple targets for copy cataloging Yoel Kortick Senior Librarian Alma Product Management.

Using Parallelspace TEAM Models to Design and Create Custom Profiles

Resource Management in OGSA

Patron Driven Acquisition (PDA) Demand Driven Acquisition (DDA)

Instructional slide to Partner: REMOVE BEFORE PRESENTING TO CUSTOMER

Copyright What we need to know. ©

OGSA Service Classifications

Welcome to IST e-Lab Entrepreneurship Lab, 3rd Session, 06 November 2017.

Metrics-Focused Analysis of Network Flow Data

Parallelspace PowerPoint Template for ArchiMate® 2.1 version 1.1

Parallelspace PowerPoint Template for ArchiMate® 2.1 version 2.0

How does a Requirements Package Vary from Project to Project?

John Butters Running Tiger Teams

Many-core Software Development Platforms

Designing the Architecture for Grid File System (GFS)

SAM GDPR Assessment <Insert partner logo here>

The Intel Security Group’s Agile SDL Harold A

11/17/2018 9:32 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN.

Security Essentials for Small Businesses

12/26/2018 5:07 AM Leap forward with fast, agile & trusted solutions from Intel & Microsoft* Eman Yarlagadda (for Christine McMonigal) Hybrid Cloud – Product.

Ideas for adding FPGA Accelerators to DPDK

Virtio/Vhost Status Quo and Near-term Plan

By Vipin Varghese Application Engineer (NCSD)

IBM Global Technology Services

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems

Expanded CPU resource pool with

Desktop App Assure Service Microsoft Representative Name June 7, 2019

Presentation transcript:

A Proposed New Standard: Common Privacy Vulnerability Scoring System (CPVSS) Jonathan Fox, Privacy Office/PDIT Harold A. Toomey, PSG/ISecG Jason M. Fung, SeCoE/PEG Sumanth Naropanth, NDG

Agenda Introduction What is CPVSS? Why is the CPVSS important? CPVSS Overview Example Incident Example Incident Scored with CVSS What would be the Base CPVSS score for the example? Lessons Learned

Introduction There is an industry standard called Common Vulnerability Scoring Systems (CVSS) to score the severity of vulnerabilities in products There is no standard for scoring the severity of privacy issues created by security vulnerabilities Common Privacy Vulnerabilities Scoring System (CPVSS) is a newly proposed standard to address this gap

What is CPVSS? Sensitivity Exploitability Impact Scope The CPVSS (based on CVSS) rates privacy vulnerabilities (or incidents) occurring as a result of security vulnerabilities based on a diverse set of factors, such as: Sensitivity Exploitability Impact Scope Redemption level Report confidence Environment

Why is the CPVSS important? Not all privacy risks due to security vulnerabilities are equal or warrant the same level of attention Not every nail needs a sledge hammer Privacy issues are increasingly receiving executive management focus and attention Product Incident Response teams need to have a pragmatic methodology to rate and report privacy risk and remediation efforts The same methodology can be used by product development team to prioritize privacy issues identified during product development lifecycle Consistency support efficiency

CPVSS Overview

Example Incident A cross site scripting vulnerability was reported in a wearable product: This vulnerability could be leveraged via an exploit to get complete read and write access to a victim user’s cloud account including user profile details (full name, postal address, email), social circles (friends’ names, social comments), activity information, GPS data and device details. The victim only receives an innocuous looking “Friend Request”. The exploit is run as soon as the victim logs in to his cloud account using a web browser. The vulnerability could easily be used to target specific individuals (similar to spear-phishing attacks) to gain access to their personal information without requiring any user interaction. If the vulnerability is exploited publicly, the loss of user data would have qualified as a privacy incident due to the nature of the data present in the cloud based accounts.

Example Incident Scored with CVSS

What would be the Base CPVSS score for the example?

What would be the Base CPVSS score for the example?

What would be the Base CPVSS score for the example?

What would be the Base CPVSS score for the example?

Lessons Learned Privacy vulnerabilities introduced or caused by security vulnerabilities can be calibrated, measured, and prioritized in a logical and objective way This will support efficient and effective disposition and remediation efforts There is overlap between how security and privacy identify and view risk There are also critical aspects of privacy risk that are missed if the viewfinder just focuses on security measurements and calibrations Informal external exposure of CPVSS has been very positive with the recurring statement that something like this is really needed by the industry We plan to preview CPVSS more broadly within Intel to solicit inputs, and then introduce it to Mitre CVSS SIG

Interested in helping with the creation of the CPVSS? Contact one of us: Jonathan.Fox@Intel.com Harold.A.Toomey@Intel.com Jason.M.Fung@Intel.com Sumanth.Naropanth@Intel.com

Legal Disclaimer http://intel.com/software/products INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS”. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO THIS INFORMATION INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. Performance tests and ratings are measured using specific computer systems and/or components and reflect the approximate performance of Intel products as measured by those tests. Any difference in system hardware or software design or configuration may affect actual performance. Buyers should consult other sources of information to evaluate the performance of systems or components they are considering purchasing. For more information on performance tests and on the performance of Intel products, reference www.intel.com/software/products. Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and other countries. *Other names and brands may be claimed as the property of others. Copyright © 2015. Intel Corporation. http://intel.com/software/products