Understanding CVSS: Applications of The Common Vulnerability Scoring System

By Tanhaz Kamaly - Partnership Executive, UK, Dialpad UK [ Join Cybersecurity Insiders ]
3563

Vulnerability threat management is critical because cybercrime is a constant and global risk. Cybercriminals are willing to take advantage of any vulnerability in software to gain access to networks and devices.

The repercussions for software developers and organizations using that software can be severe. Users have to deal with the outcomes of an attack, such as ransoms or data theft, and may also face legal ramifications, financial losses, and damage to their professional reputation.

It is not enough to rely on creators to stay on top of the vulnerabilities in their software and provide the fix. While developers should test their products, assess for vulnerabilities, and fix them before release, end users should also have a robust plan for vulnerability threat management to protect themselves from the damaging repercussions of cybercrime.

The Common Vulnerability Scoring System is designed to help software developers and users assess the vulnerabilities in their software and create a robust VTM plan to ensure their systems are as secure as possible.

Software Vulnerabilities

More and more software vulnerabilities are discovered yearly, and cybercriminals are ready to infiltrate systems to their advantage. Software vulnerabilities are due to errors in code, such as bugs or gaps, that allow attackers to inject or alter a code giving them full access to the data of a system.

For example, a virtual contact centre software developer may identify coding vulnerabilities before their product is released or create a patch to fix the vulnerability, if it is discovered post-release.

What Is CVSS?

The Common Vulnerability Scoring System is used by software developers, vulnerability researchers, and threat management teams to identify software vulnerabilities. CVSS provides a standardized scoring system to rate the severity of software vulnerabilities. Those threats, and the actions required to nullify them, can then be prioritized effectively.

Now owned and managed by the Forum for Incident Response and Security Teams (FIRST), a US non-profit company, the CVSS is supported by a group of representatives from various industries dedicated to helping protect organizations from cyber threats.

Source

How Are Scores Calculated?

CVSS scores combine three sets of metrics:

Base Metrics

The base score represents the characteristics of the vulnerability and is a constant across user environments. The base score combines three sub-score elements:

Exploitability

This assesses how easily a vulnerability can be exploited and is based on four more sub-components:

  • Attack vector—scores the level of access required to exploit the vulnerability. If a vulnerability can be exploited remotely, it get a higher score than a vulnerability that can only be exploited when physically present.
  • Attack complexity—assesses factors outside the attacker’s control that affect their potential to exploit the vulnerability. If it’s easy for an attacker to exploit the vulnerability without any additional information, it will receive a high score.
  • Privileges required—this score is based on the level of privilege an attacker requires to exploit the vulnerability. If high-level authentication is required, it will receive a low score compared to no authentication at all.
  • User interaction— this score depends on whether the attacker requires the actions of another user to exploit the vulnerability. For example, an attacker may need a user to download a proposal for accounting and tax services template to activate the code they injected to exploit their software vulnerability. If the attacker can complete their task without further action from another user, the score will be higher.

Impact

The impact sub-score measures the potential consequences of the attack and comprises three factors:

  • Confidentiality—reflects the amount of data that could be compromised or lost.
  • Integrity—scores the level of manipulation the attacker can inflict on the data in the system and the trustworthiness of that data post an attack, applying features like ACID principles.
  • Availability—reflects the impact of the attack on another user’s ability to access the system. The score will be high if the system is inaccessible to others following an attack.

Scope

This focuses on the ability of an attack to impact other components in the system. If a vulnerability allows a potential attacker to access other areas of the system, then it will receive a high score.

Temporal Metrics

These can change over time and are based upon known exploitable vulnerabilities and the availability of patches or means to remediate those vulnerabilities. For example, a new vulnerability may be discovered for a business hosted VoIP software package, but it could take months for a fix to be developed to secure it.

A new vulnerability without any means to rectify it is high risk. If a patch or update is made available to secure the vulnerability, the score can be lowered.

Temporal metrics are based on:

  • Exploit code maturity—this reflects the availability of tools and methods required to exploit the vulnerability.
  • Remediation level—this score varies depending on when appropriate remediation becomes available to fix vulnerabilities.
  • Report confidence—measures the degree of confidence in the report’s accuracy. If a vulnerability is reported without evidence, it would receive a low score.

Environmental Metrics

This score is unique to the environment where the vulnerability was discovered. It’s unique because it requires a risk-based approach that considers an organization’s security protocols, how critical the vulnerable component is to their system and the impact of any security breaches via the vulnerability.

Use environmental metrics to customize the base score considering:

  • Accessibility—assess the impact of vulnerabilities on individual system components. A non-privileged user endpoint will have a lower score than an administrator’s endpoint.
  • Security – assess the security protocols in place to mitigate potential attacks. For example, using VPNs for remote workers to remove direct access to the internet.

CVSS Scores

CVSS scores range from 0.0 (no threat) to 10.0 (critical threat).

The base score comprises the exploitability and impact scores. However, the temporal and environmental scores help provide a deeper understanding of the vulnerability by considering the point of time and the user environment.

Base and temporal scores are usually generated by the software manufacturer, which will have used detailed data to identify any vulnerabilities during testing. The environmental scores are then calculated by the end users who can identify any unique factors that could affect the threat of the vulnerability and change the base and temporal scores.

Context Is Important

The base scores can be used alone. For a more accurate score, apply the temporal and environmental scores. Only the end users know the environment in which they use the software and whether that will heighten, or nullify, the threat of a vulnerability. Like niches affiliate marketing, where both parties work together, apply the metrics in context to make them more effective.

CVSS scores don’t reflect the potential impact or likelihood of an attack via the vulnerability, so it’s important to apply context. Don’t depend solely upon the CVSS scores to protect the systems critical to your organization.

Hackers do not focus on high-scoring vulnerabilities. Exploiting a low-scoring vulnerability may prove more profitable for them, especially if that vulnerability is overlooked to focus on those with higher scores.

For example, an old web server may have a high-scoring vulnerability. However, in your company, it’s not used to store sensitive data and is behind a VPN. While the CVSS score is high, it is not a high-risk vulnerability for your organization. These environmental factors mean the score can be reduced.

However, when your organization asked, “why microservices vs monolithic” and opted for microservices, you detected an unpatched vulnerability on the internet-facing system that contains all your customer records. This is a greater risk, so should be prioritized to reduce the threat of data theft and the penalties your organization will face if your customers’ data is stolen.

The goal should not be to channel all your resources into prioritizing high-scoring vulnerabilities, but to look at the broader context and establish which vulnerabilities are easier to exploit based on real-world working practices and the environment of your organization.

How to Apply CVSS Scores

An effective vulnerability management team will use the CVSS scores as a base and then apply both environmental and temporal scores and variables unique to them to develop a more accurate understanding of the exploitability of vulnerabilities and the impact they may have on their organization.

Your company may also have other legislation, such as PCI compliance, that must be considered when scoring vulnerabilities. VMTs can then prioritize action, patch vulnerabilities, and secure their systems based on the vulnerable asset and the potential damage that may be done if that vulnerability is exploited.

You can use online databases and threat intelligence tools to modify the base CVSS score. These can help you apply the environmental variables to determine the exploitability and impact of vulnerabilities. Then you can prioritize the vulnerabilities that would prove to be most dangerous to your organization if they were exploited.

Summing Up CVSS

The never-ending risk from software vulnerabilities provides a challenging task for VMTs. Whether you provide the best small business phone service or run a charity, CVSS is a critical tool for any organization to help identify potential vulnerabilities and assess their severity.

The standardized platform helps to simplify the process for any organization to help to strengthen its IT security.

Combining the CVSS scores with environmental factors and the unique complexities and challenges faced by their organization allows VMTs to identify the vulnerabilities that pose the most critical risks. Then, implement robust security measures, protect their systems from being exploited by cybercriminals, and reduce financial penalty threats, and damage to their enterprise’s reputation.

Ad
Join over 500,000 cybersecurity professionals in our LinkedIn group "Information Security Community"!

No posts to display