topic Re: CVSS (Common Vulnerability Scoring System) data in Tech Talk

CVSS (Common Vulnerability Scoring System) data

Chuxing — Wed, 05 Feb 2020 19:26:09 GMT

The Common Vulnerability Scoring System (CVSS) attempts to assign severity scores to vulnerabilities. For those who's interested to see what's going on, check out the score report site

Re: CVSS (Common Vulnerability Scoring System) data

ericgeater — Wed, 05 Feb 2020 19:56:45 GMT

Looks like it may be behind the curve. Not a post for CVE-2020-0549

Re: CVSS (Common Vulnerability Scoring System) data

Beads — Wed, 05 Feb 2020 20:07:48 GMT

Intel has promised new microcode on patch Tuesday if I recall. You can trace much of this through the usual GitHub paths as well.

- b/eads

Re: CVSS (Common Vulnerability Scoring System) data

Kaveh — Wed, 05 Feb 2020 22:17:46 GMT

I know CVSS has been kind of turned to a de-facto standard to measure security vulnerability impact but even version 3 has been improved significantly, I do Not rely on it when it comes to risk assessment of vulnerabilities. for our firm it has been more like an isolated scoring system. it does not give you the real risk factor behind a security vulnerability and the reason is that I believe the context and dynamic of attack vectors change impact and severity often and makes an static scoring not quite useful. but that's just my opinion and the way we uniquely assess risk and score a vulnerability.

Re: CVSS (Common Vulnerability Scoring System) data

AppDefects — Thu, 06 Feb 2020 02:17:25 GMT

@Kaveh wrote:
... it does not give you the real risk factor behind a security vulnerability and the reason is that I believe the context and dynamic of attack vectors change impact and severity often and makes an static scoring not quite useful.

The beauty of this forum is that you can voice a dissenting opinion, but you know what they say major wins. I would not go as far as saying the vulnerability scores in NVD are calculated in a vacuum, but some days it feels that way. CVSS scoring is robust, but I agree with you that it can be and should be improved - it is just way too qualitative and subjective to my liking. It is more art than science. @Kaveh how do you imagine taking into account the dynamic nature of threats? How could the calculator be improved?

Re: CVSS (Common Vulnerability Scoring System) data

Caute_cautim — Thu, 06 Feb 2020 07:00:23 GMT

@ChuxingSome more comments on the CVSS scheme: https://securityintelligence.com/calling-into-question-the-cvss/

I agree with @AppDefects

"The three metric groups of the CVSS do not account for the risk posed based on the business value of an asset, nor were they ever supposed to. The CVSS is a severity rating, not a risk score. The environmental score can modify the base score by taking into consideration local mitigation factors and configuration details. It can also adjust the impact to an asset’s confidentiality, integrity and availability (CIA) if the vulnerability were exploited. However, it is still a measure of severity and does not consider the value of the exposed asset to the organization, which is a key risk factor."

Regards

Caute_cautim

Re: CVSS (Common Vulnerability Scoring System) data

Chuxing — Thu, 06 Feb 2020 14:55:29 GMT

Many excellent points expressed here.

CVSS is quite subjective IMHO, but nonetheless a useful relative gauge with certain degree of 'common knowledge', thus serve a purpose. One of course cannot treat this as a sacrosanct religious standard.

CVSS has is applicable usefulness, sometimes easy to reference with non-technical, particularly management.

Re: CVSS (Common Vulnerability Scoring System) data

Chuxing — Thu, 06 Feb 2020 15:03:42 GMT

I use CVSS as a teaching tool to introduce the concepts to college students who otherwise may not have hands-on exposures to infosec exposures.

Another useful visual tool for educating general public on infosec is the interactive graphical representation on reported security incidents (believe someone has posted before, but I am posting the link again):

https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Re: CVSS (Common Vulnerability Scoring System) data

Kaveh — Thu, 06 Feb 2020 21:28:35 GMT

thanks @AppDefects, I do agree CVSS is even more than robust, the indicators are artistic and as @Chuxing mentioned, it is a wonderful tool to teach the concept. However, it is not a metric for Risk as @Caute_cautim indicated, and that is my only problem with it.

after FIRST is so insisting in 3.1 that CVSS is really a severity score, I am thinking that we are the source of problem I would blame Community in general that has tied CVSS strongly to vulnerability scanning and has forgot about assessment of a vulnerability in context of workflow and structure of an organization. Add to this misconception of ‘let’s mitigate Risks with higher CVSS score’, and now CVSS is an integral part of vulnerability assessment in every single popular scanner. that tells me it is nothing wrong particularly with CVSS, I think FIRST even better stop adding more indicators to it, it is enough sophisticated 😊 what needs to be improved, in my humble opinion, is utilizing CVSS in right time right place.

Re: CVSS (Common Vulnerability Scoring System) data

Caute_cautim — Thu, 06 Feb 2020 22:33:06 GMT

@Kaveh My personal take, this is very dynamic and increasingly so. We should be focused on intelligently patching systems, or putting in protective safeguards to at least mitigate the risk or potentially high risk that cyber criminals will be actively targeting various sectors or systems. However, as we have seen recently, with the Citrix zero day, nothing is absolutely perfect. As no one knew about it, until the perpetrator had already left their tools within the target networks, ready for a rainy day, in the hope no one had already blocked the entry point etc. If you have the associated collective collaboration and maturity to share information within respective industries, this may actually improve things or provide early warning without given away the game to the originator.

Apply these with ethical AI and ML, may also speed up the reaction times, and early warning systems. As you state, if you make a system too complex, no one will use it or it becomes next to useless or its actual meaning actually is lost over time. CVSS is a good baseline, but we need more, as the new attacks are invented or discovered as we progress. Vulnerability management does need to be tailored to each and every organisation and its specific needs, there are always different structures, and ways to do things including business.

Regards

Caute_cautim

Re: CVSS (Common Vulnerability Scoring System) data

JoshuaGabriel — Mon, 10 Feb 2020 22:20:57 GMT

The CVSS helps me to have a perception of the threat landscape based on my knowledge of the organization assets. Without it, I cannot really have an idea of the business risk introduced by the vulnerabilities. However, I am sometimes disappointed when I cannot find some CVE IDs in the NVD database.