My organization has begun using CVSS v3 as a critical metric in our vulnerability management program. We have several air gapped enclaves included in our program and I am looking for feedback on how others have leveraged the temporal or environmental portions of the CVSS v3 to tailor the base CVSS v3 scoring of vulnerabilities to consider system architecture and implemented security controls to accurately assess severity in their environment.
@StevenJ6052 wrote:
My organization has begun using CVSS v3 as a critical metric in our vulnerability management program. We have several air gapped enclaves included in our program and I am looking for feedback on how others have leveraged the temporal or environmental portions of the CVSS v3 to tailor the base CVSS v3 scoring of vulnerabilities to consider system architecture and implemented security controls to accurately assess severity in their environment.
I've used the calculator for years in our application security program and often come across information system owners that tell me that they are safe because their systems are air gapped and not connected to the Internet. I remind them that they are connected to "other" networks that in possible times of conflict could be infiltrated. There is also, always, the insider threat to consider. Sure, I've seen other systems that are truly air gapped, usually in labs. For those, there would not be a network attack vector.
@AppDefects wrote:
... There is also, always, the insider threat to consider. Sure, I've seen other systems that are truly air gapped, usually in labs. For those, there would not be a network attack vector.
I am sure Rachel knows this aspect, but for other forum readers, I must remind all of the Stuxnet lesson: If you allow any use at all of portable USB devices by your users on the "air-gapped" network components, your network is not, in fact, truly air gapped and isolated. Sneakernet connections are just as significant as network connections using Ethernet, Wi-Fi, Bluetooth, and other radio and cabling connections.
Also, remember that the insider threat has two parts: the intentionally malicious insider who actively attacks the network, and the naive or lazy insider who fails to follow mandated procedures and unknowingly brings malicious content into the system.
Craig
Thanks for the response to my post.
I appreciate the perspective you provide regarding supply chain and insider threats.
All too many people rush to dismiss risks in these situations; however, the risk is still there, it just doesn't manifest itself through the usual attack vectors. Hence my question for how others have leveraged the CVSS scoring system to address these vulnerabilities in a responsible manner.