It wasn’t too many years ago when trying to gauge the actual risks that a software vulnerability created for your network amounted to little more than guesswork.
Security managers either had to take the software vendor’s word for the severity of the flaw, rely on the advice of their security vendors or glean information from security advisories or press reports.
It made choosing which vulnerabilities needed top priority part science, part art and part gut feeling. Not any more.
In the past few weeks the Forum of Incident Response and Security Teams (FIRST) announced a significant update of the Common Vulnerability Scoring System (CVSS).
In the latest version, CVSS enhances the formula that the organisation uses to calculate the severity of a vulnerability. The enhancement should prove very useful to security managers trying to prioritize security risks.
The CVSS evaluates flaws based on three primary scores: base, temporal and environmental.
Base Score. The Base Score quantifies the most fundamental qualities of a vulnerability, such as its access vector, complexity and the overall impact if the vulnerability is exploited successfully. Under the scoring system, these aspects of a vulnerability don’t change.
Temporal Score. This represents such things as how complex is the process is to exploit a vulnerability on a target system, and the effectiveness of the available patch or workarounds.
Thus, a vulnerability that has a proven exploit with no fix available would have a high Temporal Score. The temporal risk would decrease when a patch or fix became available.
Environmental Score. This metric represents the risk the vulnerability creates in a specific IT environment and measures such aspects as the amount of damage a successful exploit could inflict, the distribution of vulnerable systems and the business value of vulnerable systems.
For instance, a vulnerability that affects a high number of servers that store regulated information would score higher than a flaw that affects a few systems that don’t manage sensitive information.
The calculator is available here, and more detail about how the scoring system works can be found in this guide.
While this latest version is good news for security managers, as it adds additional granularity to assessing vulnerabilities, it also more accurately reflects newer trends in the types of vulnerabilities that attackers are targeting.
For instance, this version now accommodates additional classes of vulnerabilities, such as those residing on client systems that require some level of user interaction to exploit. In the previous standard, it was not possible to accurately calculate a score for these types of vulnerabilities.
This is important, as attackers are increasingly moving away from targeting servers and focusing more on flaws in desktop software and browsers, where users are lured to a malicious site for compromise.
CVSS already is widely adapted, and is being used increasingly to help measure and prioritize vulnerabilities. For instance, the Payment Card Industry Data Security Standard (PCI DSS) relies on the CVSS as part of its security standard.
PCI DSS mandates that all merchants and processors handling credit card transactions fix all vulnerabilities rated at 4.0 or higher within a certain number of days. And the National Vulnerability Database (NVD) supports the CVSS for the Common Vulnerabilities and Exposure dictionary (CVE), which is a dictionary used by the industry to ensure that every vulnerability is uniquely named.
The NVD provides CVSS "base scores" that represent the innate characteristics of each vulnerability, and the calculator supports US government agencies to customize vulnerability impact scores based on the FIPS 199 System ratings.
Enterprises also can use CVSS as an independent source to rank vulnerability severities. And it could be a good idea for them to base remediation policies that call for all vulnerabilities with a CVSS score of eight or higher to be fixed immediately, and prioritize down from there.
CVSS is yet another example of an open standard that is helping to make it easier for security managers, vendors and organizations to make better decisions when it comes to fixing software vulnerabilities, and it’s one you might want to consider putting to use right away.
Hot or not: The Forum of Incident Response and Security Teams (FIRST) unveils updated common vulnerability scoring system
By Amol Sarwate, on Sep 11, 2007 3:03PM