June 7, 2022
Vulnerability management is critical given the increasing number of cyber-attacks that happens on a frequent base all trying to exploit vulnerabilities in your cyber security defenses. Misjudging the severity of an existing vulnerability can lead to a range of unintended ramifications. The repercussions for an organization may include legal battles, financial losses, and reputational damage. It is essential to have a Next-Gen Vulnerability Management solution to combat today’s modern cyber security challenges. Vulnerabilities in software can be fixed with proper security measures only if their severity and impact are effectively identified to ensure that the most critical severities are priorities above low ones.
CVSS is a standardized method used to determine the severity of vulnerabilities in the software across your technical assets. The vulnerabilities are assigned specific scores that help prioritize remediation efforts. This blog will take you through the essential details about CVSS, including its version history, different metric groups, and scoring.
CVSS stands for Common Vulnerability Scoring System. It’s an open framework that helps understand the characteristics and severity of software vulnerabilities. When suppliers of vulnerability management products use their own in-house developed scoring methods, remediation efforts become difficult. CVSS enables the organization to use the same scoring framework to rate the severity of IT vulnerabilities across a range of software products. CVSS scores help security teams to prioritize the vulnerabilities that need immediate attention.
CVSS was first introduced in 2005 by NIAC. It is now owned and managed by the International Forum for Incident Response and Security Teams (FIRST). The CVSS Special Interest Group (SIG) supported by FIRST was responsible for the initial design of the CVSS framework and the testing and refining of formulas used in new CVSS versions. The CVSS SIG comprises representatives from a broad range of industry sectors.
CVSS has gone through major and minor revisions since its inception. Three CVSS versions have been released to date.
CVSS v1 was released by the US National Infrastructure Advisory Council (NIAP) in 2005. The objective was to create a standard for severity ratings of vulnerabilities in software.
In 2007, CVSS version 2 significantly improved over the first version. It helped reduce inconsistencies, provided additional granularity, and reflected the actual properties of IT vulnerabilities despite the various vulnerability types.
CVSS v3 is a more refined version and the latest version, which is CVSS v3.1, was released in June 2019. It addresses the privileges required to exploit a vulnerability and the opportunities that the hacker can tap into once the vulnerability is exploited.
A CVSS score comprises three sets of metrics, namely base, temporal, and environmental.
The metric base group represents the characteristics of the vulnerability. These characteristics remain the same across user environments. The metric-based group comprises three sub-core elements: exploitability, scope, and impact.
Exploitability metrics deal with the ease and technical means required to exploit a vulnerability. Exploitability consists of four more sub-components: attack vector, attack complexity, privileges required, and user interaction.
Scope refers to the possibility of a vulnerability in one component impacting the other components in the system. Scope score is higher if successfully exploiting one vulnerability enables the attacker to gain access to other system areas.
Impact in base metrics refers to the consequences of an attack. The three sub-metrics of impact metrics include confidentiality, integrity, and availability.
Temporal metrics reflect the characteristics of a vulnerability that change over time. But it doesn’t consider the different user environments. Current exploitability and the availability of remediating factors are the primary considerations here. Temporal metrics have sub-components called Exploit Code Maturity, Remediation Level, and Report Confidence.
Environmental metrics represent the characteristics of a vulnerability while considering the user’s environment. These metrics allow the organization to customize the base CVSS score depending on security requirements and modification of base metrics.
A CVSS base score can be anything between 0.0 and 10.0. The base score is derived from the exploitability score and impact score. The base score is mandatory, whereas temporal and environmental scores are optional. But the base score can be modified by scoring the temporal and environmental metrics. This helps to understand the severity of the vulnerability in each environment at a given point in time.
Figure 1. CVSS scoring example - Holm Security's Security Center
CVSS is a critical methodology to identify the severity of vulnerabilities and is an essential part of any Next-Gen Vulnerability Management solution. It has evolved to provide a shared vocabulary for solution providers to convey the severity of vulnerabilities. However, CVSS should ideally be combined with threat intelligence that will identify specific threats such as ransomware as well as other exploit types so that you will be able to concentrate on the most critical risks threatening your business. Thereby enhancing your remediation efforts and lowering your attack surface.
Why CVSS scoring is a must in any vulnerability management program
15th of June 10:00 - 11:00 AM CET