Threat Severity Assessment

Jan 31, 2012

The Symantec security research centers around the world provide unparalleled analysis of and protection from IT security threats that include malware, security risks, vulnerabilities, and spam.

The Symantec Security Response Threat Severity Assessment evaluates computer threats (viruses, worms, Trojan horses and macros) and classifies them into clearly defined categories of risk for computer users.

There are three major threat components that are analyzed to determine the severity rating:

  1. The extent to which a malicious program is "in the wild".
  2. The damage that a malicious program causes if encountered.
  3. The rate at which a malicious program spreads.

Based on an evaluation of its sub-components, each component is rated as:
  • High risk
  • Medium risk
  • Low risk

The overall severity measure, which is drawn from various combinations of risks, falls into one of 5 categories, with Category 5 (or CAT 5) being the most severe, and Category 1 (or CAT 1) the least severe. Section 1 describes each threat component. Section 2 lists the combinations of components that result in the overall risk assessment measure.

Section 1: Threat Metrics

  1. Wild
    The wild component measures the extent to which a virus is already spreading among computer users. Information in this metric includes:
    • Number of independent sites infected
    • Number of computers infected
    • Geographic distribution of infection
    • Ability of current technology to combat threat
    • Virus complexity
    • References

    Classification guidelines:
    • High: 1,000 or more machines, or 10 or more infected sites, or 5 or more countries
    • Medium: 50-999 machines, or 2 or more infected sites or countries
    • Low: Anything else


  2. Damage
    The damage component measures the amount of damage that a given infection could inflict. Information in this metric includes:
    • Triggered events
    • Deleted/modified files
    • Release of confidential information
    • Performance degradation
    • Buggy routines that cause unintended loss of productivity
    • Compromised security settings
    • Ease of fixing damage

    Classification guidelines:
    • High: File destruction/modification, very high server traffic, large-scale non-repairable damage, large security breaches, destructive triggers
    • Medium: Non-critical settings altered, buggy routines, easily repairable damage, non-destructive triggers
    • Low: No intentionally destructive behavior


  3. Distribution
    The distribution component measures how quickly a program spreads itself. Information in this metric includes:
    • Large-scale email attack (worm)
    • Executable code attack (virus)
    • Spreads only through download or copy (Trojan horse)
    • Network drive infection capability
    • Difficulty to remove/repair

    Classification guidelines:
    • High: Worms, network-aware executables, uncontainable threats (due to high virus complexity or low ability of current AV technology to combat the threat)
    • Medium: Most viruses
    • Low: Most Trojan horses (spread only through download or copy)


Section 2: Overall Risk Assessment Measure

The overall risk assessment measure unifies the three components above into a single measure of risk to computer users. There are five severity categories. Where two combinations of component ratings are listed for one category, either combination produces that rating.

  1. Category 1 — Very Low
    Poses little threat to users. Rarely even makes headlines. No reports in the wild.
    • Wild: Low
    • Damage and Distribution: Low

  2. Category 2 — Low
    Threat type characterized either as a low or medium wild threat that is reasonably harmless and containable, or as a non-wild threat with an unusual damage or spread routine, or perhaps with some feature of the virus that makes headlines in the news.
    • Wild: Low or Medium, with neither Damage nor Distribution rated High (the all-Low combination is Category 1); or
    • Wild: Low or Medium, with Damage or Distribution rated High (not both)

  3. Category 3 — Moderate
    Threat type characterized either as highly wild but reasonably harmless and containable, or as potentially dangerous and uncontainable if released into the wild.
    • Wild: High, with neither Damage nor Distribution rated High; or
    • Wild: Low or Medium, with Damage: High and Distribution: High

  4. Category 4 — Severe
    Dangerous threat type, difficult to contain. The latest virus definitions should be downloaded and deployed immediately.
    • Wild: High
    • Damage or Distribution: High (one of the two; both High is Category 5)

  5. Category 5 — Very Severe
    Highly wild, highly damaging and fast-spreading: all three components are rated High.
    • Wild: High
    • Damage: High
    • Distribution: High
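The two rating steps above, the Wild thresholds of Section 1 and the category combinations of Section 2, encoded as an added example. This is not Symantec's code or tooling. Where the page is ambiguous the script takes one reading and says so in a comment: the Wild counts are read as "or more" thresholds; Category 2 accepts a Low or Medium Wild rating with at most one High component; Category 1 is reserved for the all-Low combination. Rather than a first-match lookup, the script enumerates all 27 rating combinations and raises if any combination matches zero or several category rules, which is the totality check you want before wiring such a matrix into a triage tool.

```python
"""Symantec Threat Severity Assessment as executable rules (added example).

The thresholds and category combinations follow the page; the tie-breaking
readings marked ASSUMPTION are ours, not Symantec's.
"""

from collections import Counter
from itertools import product

RATINGS = ("Low", "Medium", "High")


def wild_rating(machines, sites, countries):
    """Rate the Wild component from raw spread counts (Section 1).

    ASSUMPTION: "1,000 machines", "10 sites", "5 countries" are read as
    "or more", consistent with the 50-999 Medium band for machines.
    """
    if machines >= 1000 or sites >= 10 or countries >= 5:
        return "High"
    if 50 <= machines <= 999 or sites >= 2 or countries >= 2:
        return "Medium"
    return "Low"


def _high(rating):
    return rating == "High"


# One predicate per category over (wild, damage, distribution).
# Order is cosmetic: classify() demands that exactly ONE rule matches.
RULES = (
    (5, "Very Severe", lambda w, d, t: _high(w) and _high(d) and _high(t)),
    # Wild High plus exactly one of Damage/Distribution High.
    (4, "Severe", lambda w, d, t: _high(w) and (_high(d) != _high(t))),
    # Wild High with nothing else High, or not-High Wild with both others High.
    (3, "Moderate", lambda w, d, t: (_high(w) and not _high(d) and not _high(t))
                                    or (not _high(w) and _high(d) and _high(t))),
    # ASSUMPTION: Low/Medium Wild with at most one High component, excluding
    # the all-Low triple, which the page reserves for Category 1.
    (2, "Low", lambda w, d, t: not _high(w)
                               and not (_high(d) and _high(t))
                               and (w, d, t) != ("Low", "Low", "Low")),
    (1, "Very Low", lambda w, d, t: (w, d, t) == ("Low", "Low", "Low")),
)


def classify(wild, damage, distribution):
    """Return (category number, label) for one triple of component ratings.

    Raises ValueError on an unknown rating or if the rule set is not total
    for this triple (no rule, or more than one rule, matched).
    """
    for rating in (wild, damage, distribution):
        if rating not in RATINGS:
            raise ValueError(f"unknown rating {rating!r}; expected one of {RATINGS}")
    hits = [(cat, label) for cat, label, rule in RULES
            if rule(wild, damage, distribution)]
    if len(hits) != 1:
        raise ValueError(
            f"rule set is not total for {(wild, damage, distribution)}: {hits!r}")
    return hits[0]


def coverage_table():
    """Map every possible (wild, damage, distribution) triple to its category.

    Enumerating all 27 triples through classify() proves the rules cover
    every combination exactly once; a gap or overlap raises instead.
    """
    return {combo: classify(*combo)[0] for combo in product(RATINGS, repeat=3)}


def category_counts():
    """How many of the 27 rating combinations land in each category."""
    return Counter(coverage_table().values())


if __name__ == "__main__":
    # Constructed sample: a threat seen on 60 machines at 3 sites in 1 country
    # that destroys files and spreads as a mass-mailing worm.
    wild = wild_rating(machines=60, sites=3, countries=1)
    print("wild =", wild, "->", classify(wild, "High", "High"))
    for combo, cat in sorted(coverage_table().items(), key=lambda kv: -kv[1]):
        print(f"CAT {cat}  wild={combo[0]:<6} damage={combo[1]:<6} distribution={combo[2]}")
    print(dict(category_counts()))
```

Under the stated readings the matrix is total: one combination is CAT 5, four are CAT 4, six are CAT 3, fifteen are CAT 2 and one is CAT 1. If you change a rule (for example, to make a Medium-wild threat with one High component a CAT 3), rerun `coverage_table()`; it will raise on the first triple that now matches two rules or none.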
