Title: Five level security model introduction and Console Database update.

Introduction

The 2007/Q4 edition of Assuria Foresight indicated that Assuria would be making changes to Assuria Auditor in order to extend the risk levels supported.

Five level security risk model

Assuria Auditor users have given feedback to Assuria regarding the current 3 level risk model used within Assuria Auditor, that is:

· HIGH
· MEDIUM
· LOW

The risk level scheme will be migrated to a new five level model, that is:

· CRITICAL
· HIGH
· MEDIUM
· LOW
· INFORMATION

The 5 level risk model is in addition to, and complementary to, the recently introduced CVSS scoring systems – see Assuria Bulletin 46 AutoUpdate 65 from August 2007.

The new risk levels will be introduced along with a new reporting subsystem in Q1 2008. A further Assuria Bulletin will be published prior to the introduction of the new levels.

Impact of change

The change to the 5 level model, when it occurs, will have no effect on most of our customers: they will see vulnerabilities being reported and analysed by the new set of five risk levels, rather than the current three risk levels.

‘Downstream’ applications

However, some customers and third parties have written their own ‘down-stream’ applications which further process Assuria Auditor vulnerability data, and these customers may need to make matching changes to their applications in order to deal with the new severity levels.

Technical Note 13

Assuria have produced Technical Note 13, the purpose of which is to explain to these customers and third parties the changes that have been made, and the choices that they can make. If you are not using or have not written any down-stream code that analyses or otherwise processes vulnerability data, you do not need to read Technical Note 13.