rsrinivasanhome
Newcomer II

CVSS - Prioritization

Hi,

We generally rate/rank our pen testing and other security risks using the CVSS methodology. The big gap we find is that in certain cases we have:

1) A high CVSS threat mapped against a low-value asset.

2) A high CVSS threat mapped against a very, very complex exploit which has a very low probability.

Has anyone tried the usage of EPSS for this purpose? Do teams use DREAD on top of CVSS?

Let me know your thoughts.

 

1 Reply
denbesten
Community Champion


@rsrinivasanhome wrote:

1) A high CVSS threat mapped against a low-value asset

Even a low-value asset can be used as a "jump box" to attack higher-valued assets or to launch an internal denial-of-service attack.

2) A high CVSS threat mapped against a very, very complex exploit which has a very low probability

That is already baked into the CVSS score.

We use the CVSS primarily to set a "remediation deadline", which is then adjusted primarily based on how publicly accessible the device is. So, a webserver in the DMZ may well get a same-day update, laptops "tomorrow night", and isolated assembly-line equipment may end up waiting for 3rd shift Sunday.

Since most mitigations are "patch and reboot", it really helps to have an automated patching system (e.g. WSUS).

We also strongly emphasize "if you cannot afford downtime, invest in High-Availability and/or in network isolation".
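The scheme described in the reply (CVSS sets a baseline deadline, asset exposure stretches or shortens it) and the question's EPSS idea (let exploitation probability pull a deadline in or let it slip) can be expressed as a small scheduler. The following is an added example, not code from either poster; the severity-to-days table, the exposure factors, the EPSS thresholds (0.10 and 0.01) and the sample findings with their VULN-* identifiers are all assumed placeholder values, not a published policy.

```python
"""Remediation-deadline scheduler: CVSS sets a baseline, asset exposure
adjusts it, and EPSS (when known) shifts it further.
All thresholds and factors below are assumed policy values for illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Exposure(Enum):
    INTERNET_FACING = "internet-facing"   # e.g. a webserver in the DMZ
    USER_ENDPOINT = "user-endpoint"       # e.g. laptops
    ISOLATED = "isolated"                 # e.g. segmented assembly-line equipment


@dataclass
class Finding:
    asset: str
    vuln_id: str
    cvss: float                   # CVSS base score, 0.0-10.0
    exposure: Exposure
    epss: Optional[float] = None  # EPSS probability, 0.0-1.0, when known


# Assumed baseline deadlines (days) per CVSS v3.x qualitative severity band.
BASE_DEADLINE_DAYS = {"critical": 1, "high": 7, "medium": 30, "low": 90, "none": 180}

# Assumed exposure factors: shorter for public-facing assets, longer for isolated ones.
EXPOSURE_FACTOR = {
    Exposure.INTERNET_FACING: 0.5,
    Exposure.USER_ENDPOINT: 1.0,
    Exposure.ISOLATED: 3.0,
}

HIGH_EPSS = 0.10          # assumed: exploitation likely, pull the deadline in
LOW_EPSS = 0.01           # assumed: exploitation unlikely, allow the deadline to stretch
MAX_DEADLINE_DAYS = 180   # assumed: nothing waits longer than this, whatever the inputs


def severity_band(cvss: float) -> str:
    """Map a CVSS base score to its v3.x qualitative severity band."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss > 0.0:
        return "low"
    return "none"


def remediation_deadline_days(f: Finding) -> int:
    """Days allowed before the finding must be fixed (0 means same day)."""
    days = int(BASE_DEADLINE_DAYS[severity_band(f.cvss)] * EXPOSURE_FACTOR[f.exposure])
    if f.epss is not None:
        if not 0.0 <= f.epss <= 1.0:
            raise ValueError(f"EPSS probability out of range: {f.epss}")
        if f.epss >= HIGH_EPSS:
            days //= 2   # likely to be exploited: halve the window
        elif f.epss < LOW_EPSS:
            days *= 2    # unlikely to be exploited: the "complex exploit" case from the question
    return min(days, MAX_DEADLINE_DAYS)


def prioritize(findings: list) -> list:
    """Return (asset, vuln_id, deadline_days) tuples, most urgent first."""
    ranked = sorted(
        findings,
        key=lambda f: (remediation_deadline_days(f), -f.cvss, -(f.epss or 0.0)),
    )
    return [(f.asset, f.vuln_id, remediation_deadline_days(f)) for f in ranked]


# Constructed sample findings (placeholder asset names and VULN-* ids, not real CVEs).
SAMPLE = [
    Finding("dmz-web-01", "VULN-A", 9.8, Exposure.INTERNET_FACING, epss=0.90),
    Finding("laptop-fleet", "VULN-B", 9.8, Exposure.USER_ENDPOINT),
    Finding("line3-plc", "VULN-C", 9.8, Exposure.ISOLATED, epss=0.001),
    Finding("intranet-app", "VULN-D", 7.5, Exposure.USER_ENDPOINT, epss=0.002),
    Finding("dmz-web-02", "VULN-E", 5.3, Exposure.INTERNET_FACING, epss=0.30),
]

if __name__ == "__main__":
    for asset, vuln, days in prioritize(SAMPLE):
        print(f"{asset:14} {vuln}  fix within {days} day(s)")
```

With these assumed values the three identical 9.8 findings land on different deadlines purely because of exposure (same day for the DMZ host, one day for laptops, six days for the isolated line after its low EPSS doubles the window), which is the behaviour the reply describes. Note that the EPSS adjustment never overrides the CVSS baseline entirely: a critical, internet-facing finding stays at zero days regardless of EPSS, so a low exploitation probability can only stretch a deadline, not remove it.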