How to use the Common Vulnerability Scoring System (CVSS) correctly

Source: Internet
Author: User
Tags: bind, cvss, score

For anyone dealing with software vulnerabilities, CVE and CVSS are usually the first two things to look up: the CVE identifier pins down which vulnerability is meant, and its CVSS score gives a first measure of how severe it is; from there one can dig into the full details.

The Common Vulnerability Scoring System (CVSS) is an open industry standard for rating the severity of security vulnerabilities. It was first published in 2005; version 2, the version in use at the time of writing, followed in 2007, and version 3 is under development. Its purpose is to give people a common yardstick for vulnerability severity, so that vulnerabilities can be compared and the order in which to deal with them decided. A CVSS score is computed from a set of metrics, grouped into base, temporal and environmental metrics. The final score ranges from 0.0 to 10.0: vulnerabilities scoring 7.0 to 10.0 are generally considered high severity, 4.0 to 6.9 medium, and 0.0 to 3.9 low.

Most commercial vulnerability management products are built on CVSS, so vulnerabilities are usually looked at from the CVSS point of view. CVSS is genuinely effective for rapid prioritization and triage, but how well its ranking matches reality depends on whether the enterprise has localized the scoring to its own configuration.

CVSS is a powerful tool, but the metrics it scores on are deliberately generic. To get the most out of it, the scoring must be localized to the specific environment. The reality is that most businesses do not bother. They take the scores straight from Rapid7, Qualys or Tenable and never adjust them for their own environment and their own risks.

Rapid7, for example, states plainly that the CVSS base metrics only assess a vulnerability's potential severity, and that no temporal or environmental data is collected when they are evaluated. A score built from base metrics alone therefore does not take the company's overall situation into account.

Strictly speaking, a CVSS score is not the probability that a particular incident will occur. It only expresses the potential for a successful compromise, not how likely one is.

Jack Jones, chairman of CXOWARE and co-author of Measuring and Managing Information Risk, made some critical remarks about CVSS at the recent Information Security World conference.

CVSS is a very promising tool, but people know very little about it, and most companies use it the wrong way.

Jones is not the only critic of CVSS. Others argue that CVSS does a poor job of expressing security risk, and that its process for assessing vulnerability risk may be too complex.

Another problem is that CVSS is used to score vulnerabilities, and those severity scores are then fed straight into risk metrics as if they were risk. The result is wasted effort, and the company still has no way of identifying its most important security issues.

Jones' main concern with CVSS is its weighting model. The CVSS documentation does not explain the reasoning behind how the weights were assigned, so users apply CVSS without understanding its basis. In Jones' experience these weights fit only a small number of special cases and do not generalize to most security events. Add the ambiguity in the metric descriptions, their limitations and their intended application scenarios, and in some cases a CVSS score can be completely meaningless. Since users are applying these weights anyway, the developers should at least provide some guidance so that users can make an informed decision about when to use them.

A statistical tool such as CVSS can only be judged by its design and its implementation. In the recently published book "The Statistics Are Wrong", the authors write: "Even in the hands of the wisest users, statistics are often wrong." It is surprising how widely scientists misuse statistics. CVSS users should take the authors' point to heart.

The CVSS calculator lets users set the temporal and environmental metrics, which adjust the weighting of a score to fit their own environment. Most companies nevertheless stay with the standard CVSS weights and never customize anything. In fact each company should arrive at its own weighting and scores from its own circumstances rather than use the official defaults. If that looks like too much work, start by setting the CVSS environmental and temporal metrics, and leave finer adjustment of the weighting for later.

CVSS is a powerful tool that offers a wide range of assessment dimensions. For anyone who wants a quick, rough score for a vulnerability, CVSS does the job. But a quick, rough assessment does not meet the needs of information security staff. Each company should tailor its vulnerability management strategy to its own circumstances: a generic score may be useful, but it is never an optimized one.

Take the following steps to make CVSS more effective:

• Understand how the company is exposed to risk. That is the only way to make sense of CVSS and bind it to the vulnerability management program.

• Determine the company's loss exposure. Ultimately the payoff from fixing vulnerabilities is reduced losses, so attention should focus on a vulnerability's impact on the business. For example, a sensitive information disclosure vulnerability on an internet-facing system should take precedence over the same vulnerability on a system that is not exposed externally.

• Make sure the company's vulnerability scores are not left at the CVSS defaults. Set the CVSS environmental and temporal metrics to get a complete score.

• Suppose the company faces two vulnerabilities: one with a very high CVSS score that has never been exploited against it, and one with a low CVSS score that already has been. Which should it fix first? The more tightly a company binds CVSS to its vulnerability management program, the easier such decisions become. Two companies may both use CVSS while the depth at which they use it differs enormously. Customizing CVSS lets an enterprise get the most out of the rating system and make better-informed judgments.
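To make both the scoring mechanics described earlier and the advice above about setting environmental and temporal metrics concrete, here is a small CVSS v2 calculator. It is an added example for this page, not code from the original article or from Rapid7, Qualys, Tenable or FIRST. The metric weights and equations are those published in the CVSS v2 specification (the version the article discusses); Decimal arithmetic is used so that the specification's round-to-one-decimal step gives the same answer on every platform. The two vulnerabilities it ranks, their names and the metric values chosen for them are constructed for illustration and are not real CVEs.

```python
"""CVSS v2 base, temporal and environmental scoring.

Added example, not code from the original article. Metric weights and equations follow
the CVSS v2 specification. The vectors in EXAMPLES are constructed, not real CVEs.
"""
from decimal import Decimal as D, ROUND_HALF_UP

# Metric weights from the CVSS v2 specification. "ND" = Not Defined.
WEIGHTS = {
    "AV": {"L": D("0.395"), "A": D("0.646"), "N": D("1.0")},   # access vector
    "AC": {"H": D("0.35"), "M": D("0.61"), "L": D("0.71")},    # access complexity
    "Au": {"M": D("0.45"), "S": D("0.56"), "N": D("0.704")},   # authentication
    "C": {"N": D("0"), "P": D("0.275"), "C": D("0.660")},      # confidentiality impact
    "I": {"N": D("0"), "P": D("0.275"), "C": D("0.660")},      # integrity impact
    "A": {"N": D("0"), "P": D("0.275"), "C": D("0.660")},      # availability impact
    "E": {"U": D("0.85"), "POC": D("0.9"), "F": D("0.95"), "H": D("1.0"), "ND": D("1.0")},
    "RL": {"OF": D("0.87"), "TF": D("0.90"), "W": D("0.95"), "U": D("1.0"), "ND": D("1.0")},
    "RC": {"UC": D("0.90"), "UR": D("0.95"), "C": D("1.0"), "ND": D("1.0")},
    "CDP": {"N": D("0"), "L": D("0.1"), "LM": D("0.3"), "MH": D("0.4"), "H": D("0.5"), "ND": D("0")},
    "TD": {"N": D("0"), "L": D("0.25"), "M": D("0.75"), "H": D("1.0"), "ND": D("1.0")},
    "CR": {"L": D("0.5"), "M": D("1.0"), "H": D("1.51"), "ND": D("1.0")},
    "IR": {"L": D("0.5"), "M": D("1.0"), "H": D("1.51"), "ND": D("1.0")},
    "AR": {"L": D("0.5"), "M": D("1.0"), "H": D("1.51"), "ND": D("1.0")},
}
BASE_METRICS = ("AV", "AC", "Au", "C", "I", "A")
OPTIONAL_DEFAULTS = {k: "ND" for k in ("E", "RL", "RC", "CDP", "TD", "CR", "IR", "AR")}


def parse_vector(vector):
    """Parse 'AV:N/AC:L/Au:N/C:P/I:N/A:N[/E:F/.../AR:M]' into {metric: value}."""
    metrics = dict(OPTIONAL_DEFAULTS)
    for part in vector.split("/"):
        name, _, value = part.partition(":")
        if name not in WEIGHTS or value not in WEIGHTS[name]:
            raise ValueError("unknown CVSS v2 metric or value: %r" % part)
        metrics[name] = value
    missing = [k for k in BASE_METRICS if k not in metrics]
    if missing:
        raise ValueError("vector lacks base metrics: " + "/".join(missing))
    return metrics


def round1(x):
    """round_to_1_decimal as used throughout the CVSS v2 equations (halves round up)."""
    return x.quantize(D("0.1"), rounding=ROUND_HALF_UP)


def _impact(m, adjusted=False):
    """Impact sub-equation; with the C/I/A requirement weights applied it becomes
    AdjustedImpact, which the specification caps at 10."""
    prod = D("1")
    for k in ("C", "I", "A"):
        w = WEIGHTS[k][m[k]]
        if adjusted:
            w *= WEIGHTS[k + "R"][m[k + "R"]]
        prod *= D("1") - w
    impact = D("10.41") * (D("1") - prod)
    return min(D("10"), impact) if adjusted else impact


def _base(impact, m):
    """BaseScore from an impact value; f(Impact) is 0 when there is no impact at all."""
    if impact == 0:
        return D("0.0")
    exploitability = D("20") * WEIGHTS["AV"][m["AV"]] * WEIGHTS["AC"][m["AC"]] * WEIGHTS["Au"][m["Au"]]
    return round1((D("0.6") * impact + D("0.4") * exploitability - D("1.5")) * D("1.176"))


def _temporal(base, m):
    return round1(base * WEIGHTS["E"][m["E"]] * WEIGHTS["RL"][m["RL"]] * WEIGHTS["RC"][m["RC"]])


def score(vector):
    """Return (base, temporal, environmental) for a CVSS v2 vector. Metrics left undefined
    use the spec's ND weights, so a base-only vector yields three equal numbers."""
    m = parse_vector(vector)
    base = _base(_impact(m), m)
    temporal = _temporal(base, m)
    # Environmental score: the temporal equation recomputed on AdjustedImpact, then
    # scaled by collateral damage potential and target distribution.
    adjusted_temporal = _temporal(_base(_impact(m, adjusted=True), m), m)
    cdp, td = WEIGHTS["CDP"][m["CDP"]], WEIGHTS["TD"][m["TD"]]
    environmental = round1((adjusted_temporal + (D("10") - adjusted_temporal) * cdp) * td)
    return float(base), float(temporal), float(environmental)


def severity(s):
    """The bands the article quotes: Low 0-3.9, Medium 4.0-6.9, High 7.0-10."""
    return "High" if s >= 7.0 else "Medium" if s >= 4.0 else "Low"


def prioritize(named_vectors):
    """Rank by environmental score, highest first: the article's 'complete score'."""
    rows = [(name,) + score(v) for name, v in named_vectors.items()]
    return sorted(rows, key=lambda r: r[3], reverse=True)


# Constructed illustration, not real CVEs. A: remote root on a few isolated lab hosts,
# proof-of-concept exploit only, official fix available. B: partial data leak on every
# internet-facing server, functional exploit, no fix, confidentiality requirement high.
# prioritize(EXAMPLES) puts B (environmental 7.4) ahead of A (environmental 2.0),
# although A's base score is 10.0 and B's is 5.0.
EXAMPLES = {
    "A lab-only remote root": "AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C/CDP:L/TD:L/CR:M/IR:M/AR:M",
    "B web-tier info leak": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C/CDP:MH/TD:H/CR:H/IR:M/AR:M",
}

if __name__ == "__main__":
    for name, base, temporal, env in prioritize(EXAMPLES):
        print("%-24s base %4.1f (%s)  temporal %4.1f  environmental %4.1f (%s)"
              % (name, base, severity(base), temporal, env, severity(env)))
```

Run as a script, it prints the two constructed vulnerabilities in environmental order: the remote root that would top every scanner report drops to Low once target distribution and collateral damage are set for a lab network, and the web-tier information leak rises to High because the affected data carries a high confidentiality requirement and the exploit is functional with no fix available. The ranking flips only because the environmental and temporal metrics were filled in; with the defaults, the three numbers are identical and the base score decides.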
