Word of the Day: CVSS
Multiple choice: CVSS is
(a) A pharmacy. “CVSS just called. Our prescriptions are in.”
(b) The sound of compressed air, pronounced like “kvisssss”. “Those hand dryers sure do make a loud CVSS sound!”
(c) An Italian abbreviation meaning “turn very, very quickly”. “We’ve only got one measure after the CVSS mark to turn the page; it’s a good thing we can play trumpets one-handed!”
(d) A sneeze, as written in certain central European languages. “CVSS!” “Gesundheit!”
(e) A British Columbia vehicle inspection standard. “The new CVSS mobile web site makes it easy to check the B. C. regulations.”
(f) A way of classifying vulnerabilities. “This bug has the higher CVSS score, so let’s patch it first.”
If you selected (f), you’re right. CVSS is an acronym for “Common Vulnerability Scoring System.”
CVSS “provides an open framework for communicating the characteristics and impacts of IT vulnerabilities.” ~ A Complete Guide to the Common Vulnerability Scoring System Version 2.0, Mell, Scarfone, and Romanosky
If you have multiple vulnerabilities in products installed on your systems and can’t address them all immediately, how can you decide which ones to fix first? The CVSS score is a good starting point, because it provides a comparison that goes across all products and platforms, and the higher the score, the more important it is to address the vulnerability.
A CVSS score includes three parts:
- The Base score (0-10) rates the “intrinsic qualities” of a vulnerability.
- The Temporal score (0-10) reflects current understanding, including whether a fix is available or not. The vendor provides the base and temporal scores.
- The Environmental score (0-10) is unique to a user environment.
Each of these scores is based on a multiple-choice selection of a handful of metrics that are then combined in a formula to give the final score. The CVSS scoring result also includes a vector that shows which multiple-choice selection was used for each metric.
Let’s look at the environmental score metrics, because those are the ones that you will have to combine with the CVSS data from the vendor to determine your own vulnerability score.
Collateral Damage Potential ranges from None to High (or Not Defined), depending on the potential for loss of life, physical assets, productivity or revenue resulting from the vulnerability.
Target Distribution accounts for the portion of the total environment that could be affected by the vulnerability. For example, if the vulnerability applies to 50% of your servers, your Target Distribution metric value would be “Medium”.
There are three security requirements metrics, based on the impact that a loss of data confidentiality, data integrity, or system and data availability would have on the organization or on individuals associated with it. As an example, the Integrity Requirement metric would be rated Low if a loss of data integrity is likely to have only a limited adverse effect on the organization, its employees, its customers, or other individuals associated with it.
In this example, computed with the CVSS version 2 calculator, the environmental score is based on a Low collateral damage potential, 25% or less of the systems potentially affected, and a Low availability requirement. The confidentiality and integrity requirements are Not Defined, so they don’t influence the score. You can see that in this case, even though the vulnerability could be very serious, as shown by the base score of 7.8, it is much less important for this customer, whose overall CVSS score is only 1.3, because the environmental metrics reduce the overall score.
If you’re interested in seeing what influenced the base and temporal scores for this example, you can use the CVSS calculator and plug in the values shown in the CVSS v2 Vector. Each metric abbreviation is separated from its value by a colon, so for example, the Access Vector (AV) is Network (N), Access Complexity (AC) is Low (L), and so on.
Defining a metric like CVSS that is meaningful for an extremely wide range of conditions and environments is not an easy task, and the CVSS-SIG, a special interest group within FIRST, the Forum of Incident Response and Security Teams, has been working for several years defining CVSS version 3.
Just as CVSS version 2 addressed some shortcomings of version 1, the new version 3, which is expected to be revealed this summer, addresses changes in technologies, threats, and vulnerabilities and makes other improvements over version 2.
This blog just covers a few highlights of CVSS. You can learn more from the FIRST web site.
Now I’m going to pick up my prescriptions at CVS pharmacy, make sure I comply with the British Columbia CVSE regulations, and practice turning pages quickly, where indicated by the “V.S.” markings. Good health to you!