
The Symantec Security Response Threat Severity Assessment evaluates computer threats (viruses, worms, Trojan horses and macros) and
classifies them into clearly defined categories of risk for computer
users. There are three major threat components that are analyzed to
determine the severity rating:
- The extent to which a malicious program is "in-the-wild".
- The damage that a malicious program causes if encountered.
- The rate at which a malicious program spreads.
Based on an evaluation of its sub-components, each component is
rated as High, Medium, or Low risk. The overall severity measure, which is
drawn from various combinations of these ratings, falls into one of five categories,
with Category 5 (or CAT 5) being the most severe and Category 1 (or
CAT 1) the least severe. Section 1 describes each threat component.
Section 2 lists the combinations of component ratings that result in the overall
risk assessment measure.
Section 1: Threat Metrics
1.1 Wild
The wild component measures the extent to which a virus is already
spreading among computer users. Information in this metric includes:
- Number of independent sites infected
- Number of computers infected
- Geographic distribution of infection
- Ability of current technology to combat threat
- Virus complexity
Classification guidelines:
- High: 1,000 machines or 10 infected sites or 5 countries
- Medium: 50-999 machines or 2 infected sites/countries (i.e., WildList)
- Low: Anything else
1.2 Damage
The damage component measures the amount of damage that a given
infection could inflict. Information in this metric includes:
- Triggered events
- Clogged email servers
- Deleted/modified files
- Release of confidential information
- Performance degradation
- Buggy routines that cause unintended loss of productivity
- Compromised security settings
- Ease of fixing damage
Classification guidelines:
- High: File destruction/modification, very high server traffic, large-scale non-repairable damage, large security breaches, destructive triggers
- Medium: Non-critical settings altered, buggy routines, easily repairable damage, non-destructive triggers
- Low: No intentionally destructive behavior
1.3 Distribution
The distribution component measures how quickly a program spreads itself.
Information in this metric includes:
- Large-scale email attack (worm)
- Executable code attack (virus)
- Spreads only through download or copy (Trojan horse)
- Network drive infection capability
- Difficulty to remove/repair
Classification guidelines:
- High: Worms, network-aware executables, uncontainable threats (due to high virus complexity or low AV ability to combat)
- Medium: Most viruses
- Low: Most Trojan horses
Section 2: Overall risk assessment measure
The overall risk assessment measure unifies the three components above into a
measure of risk to computer users. There are five severity threat
categories.
Category 5 - Very Severe
Highly dangerous threat type, very difficult to contain. All machines
should download the latest virus definitions immediately and execute a
scan. Email servers may need to come down. All three threat metrics must be High.
- Wild: High
- Damage: High
- Distribution: High
Category 4 - Severe
Dangerous threat type, difficult to contain. The latest virus
definitions should be downloaded immediately and deployed.
- Wild: High
- Damage or Distribution: High
Category 3 - Moderate
Threat type characterized either as highly wild (but reasonably
harmless and containable) or potentially dangerous (and uncontainable) if
released into the wild.
- Wild: High
or
- Damage: High and Distribution: High
Category 2 - Low
Threat type characterized either as a low or medium wild threat (but reasonably
harmless and containable), or as a non-wild threat with an unusual damage or
spread routine, or perhaps with some feature of the virus that makes
headlines in the news.
- Damage: High
or
- Distribution: High
or
- Wild: Low or Medium
Category 1 - Very Low
Poses little threat to users. Rarely even makes headlines. No reports
in the wild.
- Wild: Low
- Damage or Distribution: Low
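The thresholds of Section 1.1 and 1.3 and the combination rules of Section 2, written out as a small classifier. This is an added example, not Symantec's own tooling; the function and parameter names are invented, and where the CAT 1 and CAT 2 descriptions overlap (a Low wild rating is listed under both), the example assumes CAT 1 is the narrower case and tests it first.

```python
HIGH, MEDIUM, LOW = "High", "Medium", "Low"
RATINGS = (HIGH, MEDIUM, LOW)

def rate_wild(machines: int, sites: int, countries: int) -> str:
    """Section 1.1 thresholds for the 'wild' metric."""
    if machines >= 1000 or sites >= 10 or countries >= 5:
        return HIGH
    if machines >= 50 or sites >= 2 or countries >= 2:
        return MEDIUM
    return LOW

def rate_distribution(kind: str, network_aware: bool = False,
                      uncontainable: bool = False) -> str:
    """Section 1.3 guidelines: worms, network-aware executables and
    uncontainable threats rate High; most viruses Medium; most Trojans Low."""
    if kind == "worm" or network_aware or uncontainable:
        return HIGH
    if kind == "virus":
        return MEDIUM
    if kind == "trojan":
        return LOW
    raise ValueError(f"unknown threat kind: {kind!r}")

def severity_category(wild: str, damage: str, distribution: str) -> int:
    """Section 2: combine the three ratings into CAT 1 (least) .. CAT 5 (most).

    The category descriptions overlap, so rules are tested from most to
    least severe and the first match wins. Assumption: CAT 1 is the narrow
    case (Wild Low and Damage or Distribution Low, nothing rated High);
    any other non-High combination falls to CAT 2."""
    for r in (wild, damage, distribution):
        if r not in RATINGS:
            raise ValueError(f"rating must be one of {RATINGS}, got {r!r}")
    if wild == HIGH and damage == HIGH and distribution == HIGH:
        return 5
    if wild == HIGH and (damage == HIGH or distribution == HIGH):
        return 4
    if wild == HIGH or (damage == HIGH and distribution == HIGH):
        return 3
    if (wild == LOW and (damage == LOW or distribution == LOW)
            and damage != HIGH and distribution != HIGH):
        return 1
    return 2

if __name__ == "__main__":
    # Constructed sample: a mass-mailing worm reported on 1,200 machines at 6 sites
    wild = rate_wild(machines=1200, sites=6, countries=3)
    dist = rate_distribution("worm")
    print(wild, dist, "-> CAT", severity_category(wild, HIGH, dist))
```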