Dec 16, 2020
The Common Vulnerability Scoring System (CVSS) offers a way to capture the major characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation such as low, medium, high and critical to help organizations assess and prioritize their vulnerability management processes effectively.
This severity level is based on a self-calculated CVSS score for each specific vulnerability. CVSS is an industry-standard vulnerability metric, and the severity levels are:
For CVSS v3, security experts make use of the following severity rating system:
For critical vulnerabilities, it’s advised that you upgrade or patch quickly, unless you have other mitigating measures in place. For instance, a mitigating factor may be that your installation is not accessible from the internet.
Vulnerabilities that score in the high range usually have some of the following features:
Vulnerabilities that score in the medium range normally have some of the following features:
Vulnerabilities in the low range normally have little impact on a company’s business. The exploitation of such vulnerabilities typically needs local or physical system access.
The scores measure the probability that a component will be compromised and will not behave according to its specification. They measure neither the probability nor the severity of the resulting damage. Therefore, they do not measure risk as defined by ISO 1491.
The scores offer a metric for assessing the probability of damage or system malfunctions. Adapting these metrics to a specific deployment via the Environmental metric group helps in this assessment.
CVSS is mainly relevant for manufacturers in the post-market phase. Manufacturers must continuously monitor vulnerability reports and decide whether measures need to be taken. It’s in this decision-making process, and when prioritizing measures, that the scores are useful.
Obviously, a product with a vulnerability that can only be exploited by directly accessing the product does not have the same priority as a product that can be attacked remotely over the network without any user interaction.
The MDR (EU Medical Device Regulation) requires that criteria be established in the post-market surveillance (PMS) plan according to which manufacturers take preventive and corrective measures. The CVSS metrics lend themselves to this.
In inspections, inspectors and auditors will pick the vulnerabilities with the highest scores to check whether the manufacturer has detected and eliminated them effectively and efficiently. Whether users and authorities were notified of the measures as required by law is also part of the inspection.
There is no point in documenting every reported vulnerability in the risk table; this would be excessive. But for each vulnerability, manufacturers should check the following:
That the malfunctioning of the affected parts has already been analyzed in the risk table. Otherwise, it needs to be added.
That the probabilities estimated in the risk table agree with the actual events and the CVSS assessment. Otherwise, they need to be corrected and the risks re-evaluated.
That the component malfunctions that may result from the vulnerabilities are carefully evaluated in the risk table. For instance, the manufacturer may already have identified that in a cyber attack the components deliver corrupt data, but not have considered that the attack may cause a memory leak that crashes the whole system. This would also be added to the risk table and the risks re-evaluated.
If the reported vulnerabilities may lead to system malfunctions that have not yet been examined, manufacturers must evaluate the effects on users, patients and third parties.
It’s ideal to work in two steps and, if necessary, with two work instructions or procedure specifications: