System Exposure
System Exposure (ssvc:EXP:1.0.1)
The Accessible Attack Surface of the Affected System or Service
| Value | Key | Definition |
|---|---|---|
| Small | S | Local service or program; highly controlled network |
| Controlled | C | Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small. |
| Open | O | Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers) |
System Exposure (ssvc:EXP:1.0.1) JSON Example
```json
{
  "namespace": "ssvc",
  "key": "EXP",
  "version": "1.0.1",
  "name": "System Exposure",
  "definition": "The Accessible Attack Surface of the Affected System or Service",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "S",
      "name": "Small",
      "definition": "Local service or program; highly controlled network"
    },
    {
      "key": "C",
      "name": "Controlled",
      "definition": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small."
    },
    {
      "key": "O",
      "name": "Open",
      "definition": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)"
    }
  ]
}
```
Gathering Information about System Exposure
See this HowTo for advice on gathering information about the System Exposure decision point.
Measuring the attack surface precisely is difficult, and we do not propose to perfectly delineate between small and controlled access. Exposure should be judged against the system in its deployed context, which may differ from how it is commonly expected to be deployed. For example, the exposure of a device on a vehicle's CAN bus will vary depending on the presence of a cellular telemetry device on the same bus.
If a vulnerability cannot be remediated, other mitigations may be used. Usually, the effect of these mitigations is to reduce exposure of the vulnerable component. Therefore, a deployer’s response to Exposure may change if such mitigations are put in place. If a mitigation changes exposure and thereby reduces the priority of a vulnerability, that mitigation can be considered a success. Whether that mitigation allows the deployer to defer further action varies according to each case.
Prior Versions
System Exposure (ssvc:EXP:1.0.0)
The Accessible Attack Surface of the Affected System or Service
| Value | Key | Definition |
|---|---|---|
| Small | S | Local service or program; highly controlled network |
| Controlled | C | Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small. |
| Unavoidable | U | Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers) |
System Exposure (ssvc:EXP:1.0.0) JSON Example
```json
{
  "namespace": "ssvc",
  "key": "EXP",
  "version": "1.0.0",
  "name": "System Exposure",
  "definition": "The Accessible Attack Surface of the Affected System or Service",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "S",
      "name": "Small",
      "definition": "Local service or program; highly controlled network"
    },
    {
      "key": "C",
      "name": "Controlled",
      "definition": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small."
    },
    {
      "key": "U",
      "name": "Unavoidable",
      "definition": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)"
    }
  ]
}
```
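The two JSON documents above (the current 1.0.1 decision point and the prior 1.0.0 one) differ only in the key and name of the third value, while its definition text is unchanged. The following is an added example, not the SSVC project's own library code: it rebuilds both documents from the definitions on this page, validates a recorded selection against a decision-point version, and carries a selection made under 1.0.0 (`U`, Unavoidable) over to 1.0.1 (`O`, Open) by matching definition text rather than by trusting the key. The `decision_point` builder and the match-by-definition migration are this example's own conventions.

```python
# Definition texts copied verbatim from the SSVC System Exposure decision point on this page.
SMALL = "Local service or program; highly controlled network"
CONTROLLED = (
    "Networked service with some access restrictions or mitigations already in place (whether locally or on "
    "the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the "
    "attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which "
    "a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the "
    "number of steps in the attack path is relatively low; if the path is long enough that it is implausible for "
    "an adversary to reliably execute it, then exposure should be small."
)
OPEN = (
    "Internet or another widely accessible network where access cannot plausibly be restricted or controlled "
    "(e.g., DNS servers, web servers, VOIP servers, email servers)"
)


def decision_point(version: str, values: list[tuple[str, str, str]]) -> dict:
    """Build a System Exposure document in the JSON shape shown on the page (example helper)."""
    return {
        "namespace": "ssvc", "key": "EXP", "version": version,
        "name": "System Exposure",
        "definition": "The Accessible Attack Surface of the Affected System or Service",
        "schemaVersion": "2.0.0",
        "values": [{"key": k, "name": n, "definition": d} for k, n, d in values],
    }


# Both versions as documented on the page; 1.0.0 names the third value "Unavoidable"/U, 1.0.1 "Open"/O.
EXP_1_0_1 = decision_point("1.0.1", [("S", "Small", SMALL), ("C", "Controlled", CONTROLLED), ("O", "Open", OPEN)])
EXP_1_0_0 = decision_point("1.0.0", [("S", "Small", SMALL), ("C", "Controlled", CONTROLLED), ("U", "Unavoidable", OPEN)])


def dp_id(dp: dict) -> str:
    """Identifier in the form the page uses, e.g. 'ssvc:EXP:1.0.1'."""
    return f"{dp['namespace']}:{dp['key']}:{dp['version']}"


def validate_selection(dp: dict, value_key: str) -> dict:
    """Return the value record for value_key, or raise ValueError if this version does not define it."""
    for value in dp["values"]:
        if value["key"] == value_key:
            return value
    allowed = ", ".join(v["key"] for v in dp["values"])
    raise ValueError(f"{value_key!r} is not a value of {dp_id(dp)} (allowed: {allowed})")


def migrate_selection(old_dp: dict, new_dp: dict, value_key: str) -> str:
    """Map a key recorded against an older version onto the newer one by identical definition text,
    so 1.0.0 'U' lands on 1.0.1 'O'; a definition with no match raises instead of being reinterpreted."""
    definition = validate_selection(old_dp, value_key)["definition"]
    for value in new_dp["values"]:
        if value["definition"] == definition:
            return value["key"]
    raise ValueError(f"no value in {dp_id(new_dp)} matches {dp_id(old_dp)}:{value_key}")
```

Because `U` is not a key of 1.0.1, `validate_selection(EXP_1_0_1, "U")` rejects it; running it through `migrate_selection` first yields `O`.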