Nov 17, 2020
Vulnerabilities vary across the board in exploitability, risk, and threat. CVSS is a free and open set of metrics used to score the potential severity of IT vulnerabilities. It designates each vulnerability with a numerical severity rating between 0.0 and 10.0, with the number increasing along with the severity.
CVSS standardizes the methodology used in identifying and prioritizing the threat posed by any given vulnerability. This standardization facilitates collaboration between different security communities and enables infosec teams to apply a uniform method across different hardware and software platforms within their organizations.
Danny Ocean briefs the gang on CVSS
Each CVSS score is composed of up to three metrics: Base, Temporal, and Environmental.
This metric represents a vulnerability’s attributes that are constant across time and environment. This metric group is composed of subsets: Exploitability, Scope, and Impact.
The Exploitability metric refers to the ease and means by which a given vulnerability is exploited. There are 4 further sub-components to this set.
The Impact metric measures the consequences of an exploited vulnerability. There are three further sub-components that contribute to this score.
Scope relates to the possibility that the exploited vulnerability can lead to issues outside the original jurisdiction of the vulnerable component. An example would be if the attacker could access the underlying operating system after the initial exploit.
This metric relates to characteristics of a vulnerability that change over time. This group has three sub-components: Exploit Code Maturity, Remediation Level, and Report Confidence.
This metric is a modifier that’s used by IT teams within an organization to tailor the CVSS score to correspond with the importance of the affected asset within their organization.
The Common Vulnerability Scoring System represents the severity of a vulnerability under lab conditions, but it doesn’t necessarily score the vulnerability as it is within the context of your unique IT environment. The potential consequences of a successful exploit in one organization may look wildly different than the consequences in another. CVSS is just one piece to the complete and healthy cybersecurity posture puzzle. Another piece is an all-in-one vulnerability management platform that uses the framework CVSS provides and bases prioritization on the specific needs and structure of your organization.
Beyond Subjectivity: Sharpening CVSS with Asset ContextMichael Assraf November 20, 2020
What is the Common Vulnerability Scoring System (CVSS)?Kent Weigle November 17, 2020
What is a Vulnerability Assessment?Kent Weigle October 13, 2020
Prioritizing Vulnerabilities: A Holistic ApproachShani Reiner October 13, 2020
Sealing the Patch GapDavid Asraf September 08, 2020