diff --git a/docs/_includes/default_system_exposure_values.md b/docs/_includes/default_system_exposure_values.md new file mode 100644 index 00000000..248419c7 --- /dev/null +++ b/docs/_includes/default_system_exposure_values.md @@ -0,0 +1,5 @@ +!!! tip "Default System Exposure Values" + + If the deployer does not know their exposure, that + means they do not know where the devices are or how they are controlled, so they should assume + [*System Exposure*](../reference/decision_points/system_exposure.md) is [*open*](../reference/decision_points/system_exposure.md). diff --git a/docs/howto/bootstrap/collect.md b/docs/howto/bootstrap/collect.md index cc28d073..ed84ddbc 100644 --- a/docs/howto/bootstrap/collect.md +++ b/docs/howto/bootstrap/collect.md @@ -99,11 +99,7 @@ we can suggest something like defaults for some decision points. [*Exploitation*](../../reference/decision_points/exploitation.md) needs no special default; if adequate searches are made for exploit code and none is found, the answer is [*none*](../../reference/decision_points/exploitation.md). -!!! tip "Default System Exposure Values" - - If the deployer does not know their exposure, that - means they do not know where the devices are or how they are controlled, so they should assume - [*System Exposure*](../../reference/decision_points/system_exposure.md) is [*open*](../../reference/decision_points/system_exposure.md). +{% include-markdown "../../_includes/default_system_exposure_values.md" %} !!! tip "Default Automatable Values" diff --git a/docs/howto/gathering_info/system_exposure.md b/docs/howto/gathering_info/system_exposure.md index baf7a76c..ebc8f935 100644 --- a/docs/howto/gathering_info/system_exposure.md +++ b/docs/howto/gathering_info/system_exposure.md @@ -7,6 +7,8 @@ from ssvc.doc_helpers import example_block print(example_block(LATEST)) ``` +{% include-markdown "../../_includes/default_system_exposure_values.md" %} + *System Exposure* is primarily used by [Deployers](../../deployer_tree), so the question is about whether some specific system is in fact exposed, not a hypothetical or aggregate question about systems of that type. Therefore, it generally has a concrete answer, even though it may vary from vulnerable component to vulnerable component, based on their respective configurations. diff --git a/docs/reference/decision_points/system_exposure.md b/docs/reference/decision_points/system_exposure.md index 32742d87..7fcd75d2 100644 --- a/docs/reference/decision_points/system_exposure.md +++ b/docs/reference/decision_points/system_exposure.md @@ -11,6 +11,8 @@ print(example_block(LATEST)) See this [HowTo](../../howto/gathering_info/system_exposure.md) for advice on gathering information about the System Exposure decision point. +{% include-markdown "../../_includes/default_system_exposure_values.md" %} + Measuring the attack surface precisely is difficult, and we do not propose to perfectly delineate between small and controlled access. Exposure should be judged against the system in its deployed context, which may differ from how it is commonly expected to be deployed. For example, the exposure of a device on a vehicle's CAN bus will vary depending on the presence of a cellular telemetry device on the same bus.