
CWSS: Common Wireless Security Scoring

Once the security risks are identified, each one must be assigned a risk rating based on a set of objective parameters. Standardizing the risk-rating mechanism allows different people to classify the security or insecurity of a wireless infrastructure in the same way.

OWISAM proposes to use a risk classification system compatible with CVSS [1], the de facto standard today. CVSS uses the following metric groups to assign the risk of a vulnerability:

Base metrics: "Exploitability Metrics" and "Impact Metrics"

Environment metrics: "General Modifiers" and "Impact Subscore Modifiers"

Temporal metrics: "Temporal Score Metrics"

The proposal is to modify two elements of the base metrics:

- Related exploit range (AccessVector): This element is changed to "Network Coverage" (NetworkCoverage). The values can be high, medium, low.

Low: Requires being in a location close to the access point.

Medium: Outside the perimeter of the building / premises / office.

High: Visibility with a directional antenna.

- Attack complexity (AccessComplexity): This element is changed to "Login Credentials" (Credentials), with values: very complex, complex, weak, predictable.

Very complex: It is not technically feasible to obtain, guess or decrypt the key in the long term.

Complex: There is a possibility that the key can be guessed or cracked in the medium term.

Weak: An attack oriented to guessing or decrypting passwords might succeed in the short term.

Predictable: The password does not exist, is trivial, or can be guessed based on other operating parameters.

This risk classification system, compatible with CVSS, has been named CWSS (Common Wireless Security Scoring).
