PSS Security Team Security Alert Severity Matrix
The PSS Security Team will be issuing alerts about viruses and other technological attacks that affect Microsoft software and our customers. The PSS Security Team has defined a severity rating system that classifies technological attacks, such as viruses and worms, as they relate to Microsoft software and our customers. We have classified the attacks into three types for ease of categorization and to align ourselves with the Severity Rating System that is used by the Microsoft Security Response Center.
About the Rating System
In establishing this rating system we took into account a number of details about how an attack infects and affects a computer and what makes a particular attack more damaging to users than another attack. The PSS Security Team found that the most damaging and disruptive attacks were ones that:
Affected users' computers by using a number of different methods
Destroyed data and/or significantly disrupted service
Exploited vulnerabilities in software, its functional design, or its feature sets
Based on these factors, and on the analysis of major technological attacks, we have adopted the following classification system. First, we define the six characteristics that we look for in an attack as they relate to Microsoft software and our customers, and we indicate and define the valid entries for each characteristic of the matrix. Finally, we provide the matrix that defines which characteristics an attack (such as a virus) must meet to be classified at a given severity.
Definitions of Characteristics of Attack
Microsoft Product Vulnerability:
Valid Entries: Yes/No/Patch Not Available
Yes: The attack exploits a Microsoft product vulnerability for which a patch is available.
No: The attack does not exploit a Microsoft product vulnerability.
Patch Not Available: The attack exploits a Microsoft vulnerability for which a patch is not yet available or for which there is only a workaround.
Vectors of Attack:
Valid Entries: Any whole number. This number gives the number of attack/infection vectors that the identified attack uses. Infection and attack vectors normally refer to channels such as e-mail, port 80, network file shares, and so on.
New Vector of Attack:
Valid Entries: Yes/No
Yes: The attack is using a new, or previously unknown, vector of attack. This could also be chosen for an attack that uses a vector in a new way.
No: The attack uses known and/or previously-preventable vectors of attack. Previously-preventable vectors of attack could include e-mail vectors that are now protected and preventable, such as vectors that are protected by the Outlook E-mail Security Update. Previously-preventable vectors of attack could also include any well-known attack method that is commonly used by attack and virus writers.
Distribution Potential:
Valid Entries: High/Medium/Low
High: Distribution potential for any given target audience, such as consumers or enterprises, is high. This means that the attack can spread rapidly and reach a potentially large number of victims.
Medium: Distribution potential for any given target audience, such as consumers or enterprises, is medium. This means that the attack can spread rapidly, but the necessary safeguards may already be in place, or the potential victim audience is segmented, which contains the spread.
Low: Distribution potential for any given target audience, such as consumers or enterprises, is low. This means that the attack is not expected to spread rapidly or to reach a significant number of targets, possibly because of poor attack design, limited infection vectors, or other issues.
Unique Data Destruction:
Valid Entries: Yes/No
Yes: Unique data is destroyed. Examples include reformatting a whole drive, or erasing personal information that does not belong to a program or executable file (.exe) that can be reinstalled.
No: Data is not destroyed, or only data that is not unique may be destroyed, for example, a limited set of program files that can be reinstalled.
Significant Service Disruption:
Valid Entries: Yes/No
Yes: The attack can cause a significant disruption to any given service. This is usually network related, for example, mail delivery slowdowns and network-bandwidth consumption. While most virus attacks cause some service disruption, this entry is reserved for attacks that, in our estimation, cause significant disruptions to critical services.
No: The attack does not cause a significant service disruption; it may still cause some service disruption.
Virus Alert Severity Ratings
CRITICAL SECURITY ALERT:
A critical reactive alert will be issued when an attack meets the following characteristics:
Characteristic                  | Assessment
Microsoft Product Vulnerability | Yes/Patch Not Available (*)
Vectors of Infection            | Vectors >= 2
New Vector of Infection         | Yes/No
Distribution Potential          | High
Unique Data Destruction         | Yes/No
Significant Service Disruption  | Yes
* Any attack that uses a Microsoft product vulnerability for which a patch has not been released will be Critical Reactive regardless of other entries in the matrix.
MODERATE SECURITY ALERT:
A moderate reactive alert will be issued when an attack meets the following characteristics:
Characteristic                  | Assessment
Microsoft Product Vulnerability | Yes/No
Vectors of Infection            | Vectors <= 2
New Vector of Infection         | Yes/No
Distribution Potential          | Medium/High
Unique Data Destruction         | No
Significant Service Disruption  | No
LOW SECURITY ALERT:
A low reactive alert will be issued when an attack meets the following characteristics:
Characteristic                  | Assessment
Microsoft Product Vulnerability | No
Vectors of Infection            | Vectors = 1
New Vector of Infection         | No
Distribution Potential          | Low
Unique Data Destruction         | No
Significant Service Disruption  | No
For characteristics that contain more than one value, either value can be present. For characteristics that contain only one value, that characteristic must be met in order for the attack to be classified in that severity. Also, the characteristics must all be met for a given severity.
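To make the matching rule concrete, the following is an added Python encoding of the three rows and the footnote above (example code, not a PSS tool; the snake_case characteristic names and the layout of the attack dictionary are assumptions). Running it also shows that the matrix is not exhaustive: some combinations of characteristics match no row.

```python
from typing import Optional

# One row per severity, giving the admissible value(s) for each characteristic
# exactly as the matrix above does.  "vectors" is a predicate because the matrix
# states it as an inequality; the other five are sets of allowed entries.
MATRIX = [
    ("Critical", {
        "product_vulnerability": {"Yes", "Patch Not Available"},
        "vectors": lambda n: n >= 2,
        "new_vector": {"Yes", "No"},
        "distribution": {"High"},
        "data_destruction": {"Yes", "No"},
        "service_disruption": {"Yes"},
    }),
    ("Moderate", {
        "product_vulnerability": {"Yes", "No"},
        "vectors": lambda n: n <= 2,
        "new_vector": {"Yes", "No"},
        "distribution": {"Medium", "High"},
        "data_destruction": {"No"},
        "service_disruption": {"No"},
    }),
    ("Low", {
        "product_vulnerability": {"No"},
        "vectors": lambda n: n == 1,
        "new_vector": {"No"},
        "distribution": {"Low"},
        "data_destruction": {"No"},
        "service_disruption": {"No"},
    }),
]


def classify(attack: dict) -> Optional[str]:
    """Return the severity whose row admits every characteristic, else None."""
    # Footnote (*): an unpatched Microsoft vulnerability is Critical regardless.
    if attack["product_vulnerability"] == "Patch Not Available":
        return "Critical"
    for severity, row in MATRIX:
        if all(rule(attack[k]) if callable(rule) else attack[k] in rule
               for k, rule in row.items()):
            return severity
    return None  # no row fits: the matrix is not exhaustive, a human must decide


def alert_required(attack: dict) -> bool:
    """Alerts are issued only for Moderate and Critical; Low is not communicated."""
    return classify(attack) in ("Critical", "Moderate")
```

A constructed data-destroying virus with Low distribution (No, 1, No, Low, Yes, No) returns None, because Low and Moderate both require Unique Data Destruction = No and Critical requires High distribution.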
Because of the negligible impact of attacks that fit into our Low severity classification, we will not issue any alerts or communications on these attacks. For attacks of Moderate or Critical severity, we will issue alerts to our customers by using a number of methods that will be announced and enhanced over the next few months.
While we have attempted to craft an adequate matrix to alert and inform our customers about attacks, these technological attacks continue to evolve and change. The PSS Security Team will constantly refine and review the processes and procedures we have set up to respond to these attacks. We will keep you informed of these changes in our processes as they unfold, and we look forward to working with all of you, our customers, to help keep all of your computers protected and secure.