The Common Vulnerability Scoring System (CVSS) offers a way to capture the major features of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation such as low, medium, high and critical to help companies assess and prioritize their vulnerability management processes.
This severity level is based on a self-calculated CVSS score for each specific vulnerability. CVSS is an industry-standard vulnerability metric and they are:
For CVSS v3, security experts make use of the following severity rating system:
0.1-3.9 Low
4.0-6.9 Medium
7.0-8.9 High
9.0-10.0 Critical
For critical vulnerabilities, it’s advised that you upgrade or patch quickly, unless you have other mitigating measures in place. For instance, a mitigating factor may be that your installation is not accessible from the internet.
Vulnerabilities that score in the high range usually have some of the following features:
Vulnerabilities that score in the medium range normally have some of the following features:
Vulnerabilities in the low range normally have little impact on a company’s business. The exploitation of such vulnerabilities typically needs local or physical system access.
The scores measure the probability that a component will be compromised and will not behave according to specifications. They measure neither the probability nor the severity of the damage. Therefore, they do not measure risk as defined by ISO 14971.
The scores offer a metric to assess the probability of damage or system malfunctions. The adaptation of these metrics by the environmental metric group helps in this assessment.
The CVSS is mainly significant for manufacturers in the post-market phase. Manufacturers must always keep an eye on the messages about vulnerabilities and decide whether measures need to be taken. It’s in this decision-making process and when prioritizing measures that the scores are useful.
Obviously, a product with a vulnerability that can only be exploited by accessing the product does not have the same priority as a product that can be attacked remotely through the network without the input of a user.
The MDR demands that criteria be established in the PMS plan whereby manufacturers take preventative and corrective measures. The metrics of the CVSS lend themselves to this.
In inspections, inspectors and auditors will choose the vulnerabilities with the highest score so as to check whether the manufacturer has detected and eliminated the vulnerability effectively and efficiently. Notifying the user and the authorities of the measures in compliance with the law is part of the inspections.
There is no point in documenting every reported vulnerability in the risk table. This would be excessive. But manufacturers should check the following for the vulnerabilities:
The malfunctioning of the affected parts has already been analyzed in the risk table. Otherwise, it would need to be included.
The probabilities estimated in the risk table agree with the actual events and the CVSS assessment. Otherwise, they need to be corrected and the risks re-evaluated.
The malfunction of components that may occur because of the vulnerabilities is carefully evaluated in the risk table. For instance, it may be the case that the manufacturer has already detected that in a cyber attack the components deliver corrupt data but has not considered that the attack may cause a memory leak, which causes the whole system to crash. This would also need to be added to the risk table and the risks would be re-evaluated.
If the vulnerabilities reported may lead to system malfunctions that have not been looked into, manufacturers must evaluate the effects on users, patients and third parties.
It’s ideal to work in two steps and, if necessary, with two work instructions or procedure specifications: