Threat Severity Assessment

SUMMARY

The Symantec Security Response Threat Severity Assessment evaluates computer threats (viruses, worms, Trojan horses, and macros) and classifies them into clearly defined categories of risk for computer users. There are three major threat components that are analyzed to determine the severity rating:

• The extent to which a malicious program is "in-the-wild"
• The damage that a malicious program causes if encountered
• The rate at which a malicious program spreads (distribution)

Based on an evaluation of its subcomponents, each category is rated as High, Medium, or Low risk. The overall severity measure, which is drawn from various combinations of risks, falls into one of five categories, with Category 1 (or CAT 1) being the least severe, and Category 5 (or CAT 5) the most severe.

• Section 1, Threat metrics, describes each threat component.
• Section 2, Overall risk assessment measure, lists the combinations of components that result in the overall risk assessment measure.

Section 1: Threat metrics
1.1 Wild

The wild component measures the extent to which a virus is already spreading among computer users. Information in this metric includes:
• Number of independent sites infected
• Number of computers infected
• Geographic distribution of the infection
• Ability of current technology to combat the threat
• Virus complexity

Classification guidelines:
• High: 1,000 computers or 10 infected sites or 5 countries
• Medium: 50-999 computers or 2 infected sites/countries (WildList)
  
  NOTE: WildList refers to threats listed on http://www.wildlist.org/
  
• Low: Anything else

1.2 Damage

The damage component measures the amount of damage that a given infection could inflict. Information in this metric includes:
• Triggered events
• Clogged email servers
• Deleted or modified files
• Release of confidential information
• Performance degradation
• Bug-ridden routines that cause unintended loss of productivity
• Compromised security settings
• Ease of fixing damage

Classification guidelines:
• High: File destruction or modification, very high server traffic, large-scale nonrepairable damage, large security breaches, destructive triggers
• Medium: Noncritical settings altered, buggy routines, easily repairable damage, nondestructive triggers
• Low: No intentionally destructive behavior

1.3. Distribution

The distribution component measures how quickly a program spreads itself. Information in this metric includes:
• Large-scale email attack (worm)
• Executable code attack (virus)
• Spreads only through download or copy (Trojan horse)
• Network drive infection capability
• Difficulty to remove/repair

Classification guidelines:
• High: Worms, network-aware executables, uncontainable threats (due to high virus complexity or low antivirus ability to combat)
• Medium: Most viruses
• Low: Most Trojan horses

Section 2: Overall risk assessment measure
The overall risk assessment measure unifies the three components above into a measure of risk to computer users. There are five severity threat categories.
Category 5: Very Severe
Highly dangerous threat type, very difficult to contain. All computers should download the latest virus definitions immediately and execute a scan. Email servers may need to come down. All three threat metrics must be High.

• Wild: High
• Damage: High
• Distribution: High

Category 4: Severe
Dangerous threat type, difficult to contain. The latest virus definitions should be immediately downloaded and deployed.

• Wild: High
• Damage or Distribution: High

Category 3: Moderate
Threat type characterized either as highly wild (but reasonably harmless and containable) or potentially dangerous (and uncontainable) if released into the wild.

• Wild: High
  or
• Damage and Distribution: High

Category 2: Low
Threat type characterized either as low or moderate wild threat (but reasonably harmless and containable) or nonwild threat characterized by an unusual damage or spread routine, or perhaps by some feature of the virus that makes headlines in the news.

• Wild: Low or Moderate
• Damage: High
  or
• Distribution: High

Category 1: Very Low
Poses little threat to users. Rarely even makes headlines. No reports in the wild.

• Wild: Low
  or
• Damage: Low
  or
• Distribution: Low