CWSS: Common Wireless Security Scoring
Once the security risks are identified, each one must be assigned a risk rating based on a set of objective parameters. Standardizing the risk rating mechanism allows different people to classify the security or insecurity of a wireless infrastructure in the same way.
OWISAM proposes to use a risk classification system compatible with CVSS, the de facto standard today. CVSS uses the following metrics to assign the risk of a vulnerability:
- Base metrics: "Exploitability Metrics" and "Impact Metrics"
- Environment metrics: "General Modifiers" and "Impact Subscore Modifiers"
- Temporal metrics: Temporal Score Metrics
The proposal is to modify two elements of the base metrics:
- Related exploit range (AccessVector): This element is changed to "Network Coverage" (NetworkCoverage). The values can be high, medium or low.
  - Low: The attacker needs to be in a location close to the access point.
  - Medium: Outside the perimeter of the building / premises / office.
  - High: Visibility with a directional antenna.
- Attack complexity (AccessComplexity): This element is changed to "Login Credentials" (Credentials), with the values very complex, complex, weak and predictable.
  - Very complex: It is not technically feasible to obtain, guess or decrypt the key in the long term.
  - Complex: There is a possibility that the key can be guessed or cracked in the medium term.
  - Weak: An attack aimed at guessing or decrypting passwords might succeed in the short term.
  - Predictable: The password does not exist, is trivial, or can be guessed based on other operating parameters.
This risk classification system, compatible with CVSS, has been called CWSS (Common Wireless Security Scoring).
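
The following sketch shows how the two substituted metrics could feed the CVSS v2 base equation (AccessVector and AccessComplexity are CVSS v2 metric names). It is an added example, not OWISAM code: the page gives no numeric weights for NetworkCoverage or Credentials, so the two tables marked ASSUMED are placeholders, and the function name `cwss_base_score` is hypothetical.

```python
# Added illustration, not OWISAM code. The page publishes no numeric weights
# for the two CWSS metrics, so the two tables marked ASSUMED are placeholders.

# ASSUMED: reuse the CVSS v2 AccessVector weights (Local / Adjacent / Network).
NETWORK_COVERAGE = {"low": 0.395, "medium": 0.646, "high": 1.0}
# ASSUMED: endpoints are the CVSS v2 AccessComplexity High and Low weights;
# the two middle values are linearly interpolated between them.
CREDENTIALS = {"very_complex": 0.35, "complex": 0.47,
               "weak": 0.59, "predictable": 0.71}
# Unmodified CVSS v2 base-metric weights.
AUTHENTICATION = {"multiple": 0.45, "single": 0.56, "none": 0.704}
IMPACT = {"none": 0.0, "partial": 0.275, "complete": 0.660}


def _weight(table, name, value):
    """Look up a metric weight, rejecting values outside the defined scale."""
    if value not in table:
        raise ValueError(f"{name}: {value!r} not in {sorted(table)}")
    return table[value]


def cwss_base_score(coverage, credentials, authentication, conf, integ, avail):
    """CVSS v2 base equation with NetworkCoverage and Credentials substituted
    for AccessVector and AccessComplexity."""
    nc = _weight(NETWORK_COVERAGE, "NetworkCoverage", coverage)
    cr = _weight(CREDENTIALS, "Credentials", credentials)
    au = _weight(AUTHENTICATION, "Authentication", authentication)
    c, i, a = (_weight(IMPACT, n, v) for n, v in (
        ("Confidentiality", conf), ("Integrity", integ), ("Availability", avail)))
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    if impact == 0:
        return 0.0  # CVSS v2: f(Impact) = 0 when there is no impact
    exploitability = 20 * nc * cr * au
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176, 1)


if __name__ == "__main__":
    # Constructed findings: same impact, different coverage and key strength.
    findings = [
        ("hardened key, short range", "low", "very_complex"),
        ("guessable key, street level", "medium", "weak"),
        ("open network, long range", "high", "predictable"),
    ]
    for label, cov, cred in findings:
        score = cwss_base_score(cov, cred, "none", "partial", "partial", "none")
        print(f"{label:30s} NC={cov:6s} Cr={cred:12s} -> {score}")
```

With these placeholder weights the score stays on the CVSS 0 to 10 scale, so CWSS results remain comparable with ordinary CVSS v2 base scores.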