https://community.isc2.org/t5/Threats/CVSS-Prioritization/m-p/73361#M1360 <P>Hi&nbsp; ,</P><P>&nbsp;</P><P>We generally rate/ ranks our pen testing and other security Risks using the <A href="https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L" target="_blank" rel="noopener">CVSS</A> methodology .&nbsp; The big gap we find is that in certain cases we have&nbsp;</P><P>&nbsp;</P><P>1) A high CVSS threat mapped against a low value asset</P><P>&nbsp;</P><P>2) A high CVSS threat mapped against a very very complex exploit&nbsp; which has very low probability.</P><P>&nbsp;</P><P>Has anyone tried the usage <A href="https://www.first.org/epss/research" target="_blank" rel="noopener">EPSS</A>&nbsp;for this purpose ?&nbsp; Do teams use DREAD on top of CVSS ?</P><P>&nbsp;</P><P>Let me know your thoughts .</P><P>&nbsp;</P> Sun, 25 Aug 2024 05:33:17 GMT rsrinivasanhome 2024-08-25T05:33:17Z https://community.isc2.org/t5/Threats/CVSS-Prioritization/m-p/73361#M1360 <P>Hi&nbsp; ,</P><P>&nbsp;</P><P>We generally rate/ ranks our pen testing and other security Risks using the <A href="https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L" target="_blank" rel="noopener">CVSS</A> methodology .&nbsp; The big gap we find is that in certain cases we have&nbsp;</P><P>&nbsp;</P><P>1) A high CVSS threat mapped against a low value asset</P><P>&nbsp;</P><P>2) A high CVSS threat mapped against a very very complex exploit&nbsp; which has very low probability.</P><P>&nbsp;</P><P>Has anyone tried the usage <A href="https://www.first.org/epss/research" target="_blank" rel="noopener">EPSS</A>&nbsp;for this purpose ?&nbsp; Do teams use DREAD on top of CVSS ?</P><P>&nbsp;</P><P>Let me know your thoughts .</P><P>&nbsp;</P> Sun, 25 Aug 2024 05:33:17 GMT https://community.isc2.org/t5/Threats/CVSS-Prioritization/m-p/73361#M1360 rsrinivasanhome 2024-08-25T05:33:17Z https://community.isc2.org/t5/Threats/CVSS-Prioritization/m-p/73369#M1362 <BLOCKQUOTE><HR /><a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/939039773">@rsrinivasanhome</a>&nbsp;wrote:<P>1) A high CVSS threat mapped against a low value asset</P><HR /></BLOCKQUOTE><P>Even a low-value asset can be used as a "jump box" to attack higher valued assets or to launch an internal denial-of-service attack.</P><P>&nbsp;</P><P>&nbsp;</P><BLOCKQUOTE><P>2) A high CVSS threat mapped against a very very complex exploit which has very low probability.</P><HR /></BLOCKQUOTE><P>That is already baked into the CVSS score.&nbsp;&nbsp;</P><P>&nbsp;</P><P>We use the CVSS primarily to set a "remediation deadline", which is then adjusted primarily based on how publicly accessible the device is.&nbsp; So, a webserver in the DMZ may well get a same-day update, laptops "tomorrow night", and isolated assembly-line equipment may end up waiting for 3rd shift Sunday.</P><P>&nbsp;</P><P>Since most mitigations are "patch and reboot", it really helps to have an automated patching system (e.g. WSUS).&nbsp;&nbsp;</P><P>&nbsp;</P><P>We also strongly emphasize "if you can not afford downtime, invest in High-Availability and/or in network isolation".&nbsp;&nbsp;</P> Mon, 26 Aug 2024 04:00:22 GMT https://community.isc2.org/t5/Threats/CVSS-Prioritization/m-p/73369#M1362 denbesten 2024-08-26T04:00:22Z