The Common Vulnerability Scoring System (CVSS) attempts to assign severity scores to vulnerabilities. For those who are interested in seeing what's going on, check out the score report site
I know CVSS has kind of turned into a de-facto standard for measuring security vulnerability impact, but even though version 3 has been improved significantly, I do not rely on it when it comes to risk assessment of vulnerabilities. For our firm it has been more like an isolated scoring system. It does not give you the real risk factor behind a security vulnerability, and the reason is that I believe the context and dynamics of attack vectors change impact and severity often and make a static scoring not quite useful. But that's just my opinion and the way we uniquely assess risk and score a vulnerability.
... it does not give you the real risk factor behind a security vulnerability, and the reason is that I believe the context and dynamics of attack vectors change impact and severity often and make a static scoring not quite useful.
The beauty of this forum is that you can voice a dissenting opinion, but you know what they say: majority wins. I would not go as far as saying the vulnerability scores in NVD are calculated in a vacuum, but some days it feels that way. CVSS scoring is robust, but I agree with you that it can be and should be improved - it is just way too qualitative and subjective for my liking. It is more art than science. @Kaveh, how do you imagine taking into account the dynamic nature of threats? How could the calculator be improved?
@Chuxing Some more comments on the CVSS scheme: https://securityintelligence.com/calling-into-question-the-cvss/
I agree with @AppDefects
"The three metric groups of the CVSS do not account for the risk posed based on the business value of an asset, nor were they ever supposed to. The CVSS is a severity rating, not a risk score. The environmental score can modify the base score by taking into consideration local mitigation factors and configuration details. It can also adjust the impact to an asset’s confidentiality, integrity and availability (CIA) if the vulnerability were exploited. However, it is still a measure of severity and does not consider the value of the exposed asset to the organization, which is a key risk factor."
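The quoted passage describes the environmental score as an adjustment of the base score. The Python below is an added example, not code from this thread or from FIRST: it implements the CVSS v3.1 base and environmental formulas with the weights and Roundup() rule from the v3.1 specification, and scores a constructed vector under different C/I/A requirements and remediation levels to show that the only inputs are the metric letters in the vector, so an asset's business value never enters the calculation.

```python
import math

# CVSS v3.1 metric weights as listed in the FIRST v3.1 specification (section 7.4).
W = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"N": (0.85, 0.85), "L": (0.62, 0.68), "H": (0.27, 0.5)},  # (scope unchanged, changed)
    "UI": {"N": 0.85, "R": 0.62},
    "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
    "REQ": {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5},              # CR / IR / AR requirements
    "E": {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91},   # exploit code maturity
    "RL": {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95},  # remediation level
    "RC": {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92},             # report confidence
}

def roundup(x):
    """The spec's Roundup(): one decimal place, always rounded up, done in integer arithmetic."""
    i = int(round(x * 100000))
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def _sub_score(v, p, changed, reqs):
    """Roundup(min(Impact + Exploitability, 10)) for base (p='') or modified (p='M') metrics."""
    c, i, a = (W["CIA"][v[p + k]] * r for k, r in zip("CIA", reqs))
    iss = 1 - (1 - c) * (1 - i) * (1 - a)
    if p:  # the modified impact sub-score is capped at 0.915 and uses the v3.1 exponent 13
        iss = min(iss, 0.915)
        impact = 6.42 * iss if not changed else 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
    else:
        impact = 6.42 * iss if not changed else 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    pr = W["PR"][v[p + "PR"]][1 if changed else 0]
    expl = 8.22 * W["AV"][v[p + "AV"]] * W["AC"][v[p + "AC"]] * pr * W["UI"][v[p + "UI"]]
    return 0.0 if impact <= 0 else roundup(min((1.08 if changed else 1.0) * (impact + expl), 10))

def scores(vector):
    """Return (base, environmental) scores for a 'CVSS:3.1/...' vector string."""
    parts = vector.split("/")
    assert parts[0] == "CVSS:3.1", "only v3.1 vectors are handled here"
    v = dict(part.split(":") for part in parts[1:])
    base = _sub_score(v, "", v["S"] == "C", (1.0, 1.0, 1.0))
    for k in ("AV", "AC", "PR", "UI", "S", "C", "I", "A"):  # absent or X falls back to the base metric
        v["M" + k] = v[k] if v.get("M" + k, "X") == "X" else v["M" + k]
    reqs = tuple(W["REQ"][v.get(k, "X")] for k in ("CR", "IR", "AR"))
    modified = _sub_score(v, "M", v["MS"] == "C", reqs)
    temporal = W["E"][v.get("E", "X")] * W["RL"][v.get("RL", "X")] * W["RC"][v.get("RC", "X")]
    return base, (roundup(modified * temporal) if modified > 0 else 0.0)

if __name__ == "__main__":
    vec = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"  # constructed sample vector
    for suffix in ("", "/CR:L/IR:L/AR:L", "/CR:L/IR:L/AR:L/RL:O"):
        print(vec + suffix, "->", scores(vec + suffix))
```

The same 9.8 base score drops to 8.0 when the deploying organisation rates all three C/I/A requirements Low, and to 7.6 once an official fix exists; nothing in the vector says what the asset is worth.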
Many excellent points expressed here.
CVSS is quite subjective IMHO, but nonetheless a useful relative gauge with a certain degree of 'common knowledge', and thus serves a purpose. One of course cannot treat this as a sacrosanct religious standard.
CVSS has its applicable usefulness; it is sometimes easy to reference with non-technical people, particularly management.
I use CVSS as a teaching tool to introduce the concepts to college students who otherwise may not have hands-on exposure to infosec.
Another useful visual tool for educating the general public on infosec is the interactive graphical representation of reported security incidents (I believe someone has posted it before, but I am posting the link again):
Thanks @AppDefects, I do agree CVSS is even more than robust; the indicators are artistic and, as @Chuxing mentioned, it is a wonderful tool to teach the concept. However, it is not a metric for risk, as @Caute_cautim indicated, and that is my only problem with it.
After FIRST insisted so much in 3.1 that CVSS is really a severity score, I am thinking that we are the source of the problem. I would blame the community in general, which has tied CVSS strongly to vulnerability scanning and has forgotten about the assessment of a vulnerability in the context of the workflow and structure of an organization. Add to this the misconception of ‘let’s mitigate risks with higher CVSS scores’, and now CVSS is an integral part of vulnerability assessment in every single popular scanner. That tells me there is nothing particularly wrong with CVSS; I think FIRST had better stop adding more indicators to it, it is sophisticated enough 😊 What needs to be improved, in my humble opinion, is utilizing CVSS at the right time and in the right place.
@Kaveh My personal take: this is very dynamic, and increasingly so. We should be focused on intelligently patching systems, or putting in protective safeguards, to at least mitigate the risk, or potentially high risk, that cyber criminals will be actively targeting various sectors or systems. However, as we have seen recently with the Citrix zero day, nothing is absolutely perfect, as no one knew about it until the perpetrator had already left their tools within the target networks, ready for a rainy day, in the hope that no one had already blocked the entry point, etc. If you have the associated collective collaboration and maturity to share information within the respective industries, this may actually improve things or provide early warning without giving away the game to the originator.
Applying these with ethical AI and ML may also speed up reaction times and early warning systems. As you state, if you make a system too complex, no one will use it, or it becomes next to useless, or its actual meaning is lost over time. CVSS is a good baseline, but we need more, as new attacks are invented or discovered as we progress. Vulnerability management does need to be tailored to each and every organisation and its specific needs; there are always different structures and ways to do things, including business.