Export (0) Print
Expand All
3 out of 6 rated this helpful - Rate this topic

PSS Security Team Security Alert Severity Matrix

Published: May 19, 2003

The PSS Security Team will be issuing alerts about viruses and other technological attacks that affect Microsoft software and our customers. The PSS Security Team has defined a severity rating system that classifies technological attacks, such as viruses and worms, as they relate to Microsoft software and our customers. We have classified the attacks into three types for ease of categorization and to align ourselves with the Severity Rating System that is used by the Microsoft Security Response Center.

On This Page

About the Rating System
Definitions of Characteristics of Attack
Virus Alert Severity Ratings

About the Rating System

In establishing this rating system we took into account a number of details about how an attack infects and affects a computer and what makes a particular attack more damaging to users than another attack. The PSS Security Team found that the most damaging and disruptive attacks were ones that:

  • Affected user’s computer by using a number of different methods

  • Destroyed data and/or significantly disrupted service

  • Exploited vulnerabilities in software, its functional design, or its feature sets

Based on these factors, and the analysis of major technological attacks, we have adopted the following classification system. First, the six characteristics that we look for in an attack as they relate to Microsoft software and our customers are defined. We also indicate and define the valid entries for each characteristic of the matrix. Finally, we provide the matrix that defines what characteristics an attack (such as a virus) must meet to be defined at a given criteria.


Definitions of Characteristics of Attack

Microsoft Product Vulnerability:

Valid Entries: Yes/No/Patch Not Available
Yes: The attack exploits a Microsoft product vulnerability for which a patch is available.
No: The attack does not exploit a Microsoft product vulnerability.
Patch Not Available: The attack exploits a Microsoft vulnerability for which a patch is not yet available or for which there is only a workaround.

Vectors of Attack

Valid Entries: Any whole number this number will identify the number of attack/infection vectors for the identified attack. Infection and attack vectors will normally refer to things such as e-mail, port 80, network file shares, and so on.

New Vector of Attack

Valid Entries: Yes/No
Yes: The attack is using a new, or previously unknown, vector of attack. This could also be chosen for an attack that uses a vector in a new way.
No: The attack uses known and/or previously-preventable vectors of attack. Previously-preventable vectors of attack could include e-mail vectors that are now protected and preventable, such as vectors that are protected by the Outlook E-mail Security Update. Previously-preventable vectors of attack could also include any well-known attack method that is commonly used by attack and virus writers.

Distribution Potential:

Valid Entries: High/Medium/Low
High: Distribution potential for any given target audience such as consumer or enterprises is high. This means that the attack can spread rapidly and quickly with a potentially large number of attack victims.
Medium: Distribution potential for any given target audience such as consumer or enterprises is medium. This means the attack can spread rapidly, but necessary safeguards may already be in place, or the potential attack victim audience is segmented, therefore containing the spread.
Low: Distribution potential for any given target audience such as consumer or enterprises is low. This means that the attack is not expected to spread rapidly, nor have a significant level of targets, possibly because of poor attack design, limited infection vectors, or other issues.

Unique Data Destruction:

Valid Entries: Yes/No
Yes: Data that is unique will be destroyed. Examples include reformatting a whole drive, erasing information that is personal and is not related to a program or executable file (.exe) that can be reinstalled.
No: Data is not destroyed or data that is not unique may be destroyed, for example, limited program files that can be reinstalled.

Significant Service Disruption:

Valid Entries: Yes/No
Yes: The attack possesses the ability to significantly cause a service disruption to any given service. This is usually network related, for example, mail delivery slowdowns and network-bandwidth consumption. While most virus attacks will cause some service disruption, this field will be used for those attacks that, in our estimation, cause significant disruptions to critical services.
No: The attack does not cause a significant service disruption. The virus may still cause a service disruption.


Virus Alert Severity Ratings

CRITICAL SECURITY ALERT:

A critical reactive alert will be issued when an attack meets the following characteristics:

Characteristic

Assessment

Microsoft Product Vulnerability

Yes/Patch Not Available(*)

Vectors of Infection

Vectors >= 2

New Vector of Infection

Yes/No

Distribution Potential

High

Unique Data Destruction

Yes/No

Significant Service Disruption

Yes


* Any attack that uses a Microsoft product vulnerability for which a patch has not been released will be Critical Reactive regardless of other entries in the matrix.

MODERATE SECURITY ALERT:

A moderate reactive alert will be issued when an attack meets the following characteristics:

Characteristic

Assessment

Microsoft Product Vulnerability

Yes/No

Vectors of Infection New

Vectors <=2

Vector of Infection

Yes/No

Distribution Potential

Medium/High

Unique Data Destruction

No

Significant Service Disruption

No


LOW SECURITY ALERT:

A low reactive alert will be issued when an attack meets the following characteristics:

Characteristic

Assessment

Microsoft Product Vulnerability

No

Vectors of Infection

Vectors = 1

New Vector of Infection

No

Distribution Potential

Low

Unique Data Destruction

No

Significant Service Disruption

No


For characteristics that contain more than one value, either value can be present. For characteristics that contain only one value, that characteristic must be met in order for the attack to be classified in that severity. Also, the characteristics must all be met for a given severity.

Because of the negligible impact of attacks that fit into our Low severity classification, we will not issue any alerts or communications on these attacks.For attacks of Moderate or Critical severity, we will issue alerts to our customers by using a number of methods that will be announced and enhanced over the next few months.

While we have attempted to craft an adequate matrix to alert and inform our customers about attacks, these technological attacks continue to evolve and change. The PSS Security Team will be constantly refining and reviewing these processes and procedures we have set up to respond to these attacks. We will keep you informed of these evolutions in our processes as they unfold, and we look forward to working with all of you, our customers, to help keep all of your computers protected and secure.


Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft. All rights reserved.