Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Proposed New Standard: Common Privacy Vulnerability Scoring System (CPVSS) Jonathan Fox, Privacy Office/PDIT Harold A. Toomey, PSG/ISecG Jason M. Fung,

Published byFranklin Garrett Modified over 5 years ago

Similar presentations

Presentation on theme: "A Proposed New Standard: Common Privacy Vulnerability Scoring System (CPVSS) Jonathan Fox, Privacy Office/PDIT Harold A. Toomey, PSG/ISecG Jason M. Fung,"— Presentation transcript:

1 A Proposed New Standard: Common Privacy Vulnerability Scoring System (CPVSS) Jonathan Fox, Privacy Office/PDIT Harold A. Toomey, PSG/ISecG Jason M. Fung, SeCoE/PEG Sumanth Naropanth, NDG

2 Agenda Introduction What is CPVSS? Why is the CPVSS important?
CPVSS Overview Example Incident Example Incident Scored with CVSS What would be the Base CPVSS score for the example? Lessons Learned

3 Introduction There is an industry standard called Common Vulnerability Scoring Systems (CVSS) to score the severity of vulnerabilities in products There is no standard for scoring the severity of privacy issues created by security vulnerabilities Common Privacy Vulnerabilities Scoring System (CPVSS) is a newly proposed standard to address this gap

4 What is CPVSS? Sensitivity Exploitability Impact Scope
The CPVSS (based on CVSS) rates privacy vulnerabilities (or incidents) occurring as a result of security vulnerabilities based on a diverse set of factors, such as: Sensitivity Exploitability Impact Scope Redemption level Report confidence Environment

5 Why is the CPVSS important?
Not all privacy risks due to security vulnerabilities are equal or warrant the same level of attention Not every nail needs a sledge hammer Privacy issues are increasingly receiving executive management focus and attention Product Incident Response teams need to have a pragmatic methodology to rate and report privacy risk and remediation efforts The same methodology can be used by product development team to prioritize privacy issues identified during product development lifecycle Consistency support efficiency

6 CPVSS Overview

7 Example Incident A cross site scripting vulnerability was reported in a wearable product: This vulnerability could be leveraged via an exploit to get complete read and write access to a victim user’s cloud account including user profile details (full name, postal address, ), social circles (friends’ names, social comments), activity information, GPS data and device details. The victim only receives an innocuous looking “Friend Request”. The exploit is run as soon as the victim logs in to his cloud account using a web browser. The vulnerability could easily be used to target specific individuals (similar to spear-phishing attacks) to gain access to their personal information without requiring any user interaction. If the vulnerability is exploited publicly, the loss of user data would have qualified as a privacy incident due to the nature of the data present in the cloud based accounts.

8 Example Incident Scored with CVSS

9 What would be the Base CPVSS score for the example?

10 What would be the Base CPVSS score for the example?

11 What would be the Base CPVSS score for the example?

12 What would be the Base CPVSS score for the example?

13 Lessons Learned Privacy vulnerabilities introduced or caused by security vulnerabilities can be calibrated, measured, and prioritized in a logical and objective way This will support efficient and effective disposition and remediation efforts There is overlap between how security and privacy identify and view risk There are also critical aspects of privacy risk that are missed if the viewfinder just focuses on security measurements and calibrations Informal external exposure of CPVSS has been very positive with the recurring statement that something like this is really needed by the industry We plan to preview CPVSS more broadly within Intel to solicit inputs, and then introduce it to Mitre CVSS SIG

14 Interested in helping with the creation of the CPVSS?
Contact one of us:

15

16 Legal Disclaimer http://intel.com/software/products
INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS”. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO THIS INFORMATION INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. Performance tests and ratings are measured using specific computer systems and/or components and reflect the approximate performance of Intel products as measured by those tests. Any difference in system hardware or software design or configuration may affect actual performance. Buyers should consult other sources of information to evaluate the performance of systems or components they are considering purchasing. For more information on performance tests and on the performance of Intel products, reference Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and other countries. *Other names and brands may be claimed as the property of others. Copyright © Intel Corporation.

Download ppt "A Proposed New Standard: Common Privacy Vulnerability Scoring System (CPVSS) Jonathan Fox, Privacy Office/PDIT Harold A. Toomey, PSG/ISecG Jason M. Fung,"

Similar presentations

Information Security Domains Computer Operations Security By: Shafi Alassmi Instructor: Francis G. Date: Sep 22, 2010.

Information Security Domains Computer Operations Security By: Shafi Alassmi Instructor: Francis G. Date: Sep 22, 2010.
Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
11 Auto Regression Analysis Shuang He Intel Linux Graphics Validation Team Open Source Technology Center 2011-08-16.

11 Auto Regression Analysis Shuang He Intel Linux Graphics Validation Team Open Source Technology Center
Topics Changes Risk Assessments Cloud Data Security / Data Protection Licenses, Copies, Instances Limits of Liability and Indemnification Requests for.

Topics Changes Risk Assessments Cloud Data Security / Data Protection Licenses, Copies, Instances Limits of Liability and Indemnification Requests for.
Software & Services Group Developer Products Division Copyright© 2013, Intel Corporation. All rights reserved. *Other brands and names are the property.

Software & Services Group Developer Products Division Copyright© 2013, Intel Corporation. All rights reserved. *Other brands and names are the property.
Research Development for Android Coopman Tom. What is Android?  Smartphone operating system  Google  Popular  ‘Easy to develop’  Open-Source  Linux.

Research Development for Android Coopman Tom. What is Android?  Smartphone operating system  Google  Popular  ‘Easy to develop’  Open-Source  Linux.
Intel® Education Fluid Math™

Intel® Education Fluid Math™
HEVC Commentary and a call for local temporal distortion metrics Mark Buxton - Intel Corporation.

HEVC Commentary and a call for local temporal distortion metrics Mark Buxton - Intel Corporation.
A Move Toward Agile APM: Application Performance Management Frank Ober, Performance Engineer June 2012.

A Move Toward Agile APM: Application Performance Management Frank Ober, Performance Engineer June 2012.
Intel® Education Read With Me Intel Solutions Summit 2015, Dallas, TX.

Intel® Education Read With Me Intel Solutions Summit 2015, Dallas, TX.
Intel® Education Learning in Context: Science Journal Intel Solutions Summit 2015, Dallas, TX.

Intel® Education Learning in Context: Science Journal Intel Solutions Summit 2015, Dallas, TX.
Intel® Solid-State Drive Data Center TCO Calculator The data in this presentation is based on your analysis and business assumptions when using the Intel®

Intel® Solid-State Drive Data Center TCO Calculator The data in this presentation is based on your analysis and business assumptions when using the Intel®
Orion Granatir Omar Rodriguez GDC 3/12/10 Don’t Dread Threads.

Orion Granatir Omar Rodriguez GDC 3/12/10 Don’t Dread Threads.
Evaluation of a DAG with Intel® CnC Mark Hampton Software and Services Group CnC MIT July 27, 2010.

Evaluation of a DAG with Intel® CnC Mark Hampton Software and Services Group CnC MIT July 27, 2010.
IBIS-AMI and Direction Indication February 17, 2015 Updated Feb. 20, 2015 Michael Mirmak.

IBIS-AMI and Direction Indication February 17, 2015 Updated Feb. 20, 2015 Michael Mirmak.
Conditions and Terms of Use

Conditions and Terms of Use
© 2012 Microsoft Corporation. All rights reserved.

© 2012 Microsoft Corporation. All rights reserved.
K-12 Blueprint Overview March 2015. An Overview www.k12blueprint.com www.k12blueprint.com The K-12 Blueprint offers resources for education leaders involved.

K-12 Blueprint Overview March An Overview The K-12 Blueprint offers resources for education leaders involved.
Intel® Education Learning in Context: Concept Mapping Intel Solutions Summit 2015, Dallas, TX.

Intel® Education Learning in Context: Concept Mapping Intel Solutions Summit 2015, Dallas, TX.
Copyright 2011, Atmel December, 2011 Atmel ARM-based Flash Microcontrollers 1 1.

Copyright 2011, Atmel December, 2011 Atmel ARM-based Flash Microcontrollers 1 1.

Similar presentations

Ads by Google