Are vulnerability scores misleading you? Understanding CVSS severity and using them effectively
Sysdig Blog – Miguel Hernández
MITRE defines a vulnerability as: "A weakness in the computational logic (e.g., code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, or availability."
The lifecycle of a vulnerability
When the vulnerability is registered, we have an ID that identifies it. This will help us to identify the vulnerability and check if we are being impacted or not. But where is it registered?
One of the most common sites, but not the only one, is Common Vulnerabilities and Exposures (CVE). MITRE Corporation is the organization that identifies, defines, and catalogs publicly disclosed cybersecurity vulnerabilities and shares that information of CVE-IDs publicly. Vulnerability information is also shared with the NIST organization, where additional information may be added on to provide further details or security guidance. That information lives within NIST's National Vulnerability Database (NVD) and is organized by CVE-IDs.
Other states have their own system to catalog and store their vulnerabilities, such as the Chinese National Vulnerability Database (CNNVD) or Japan Vulnerabilities Notes (JVN). But in this article, we focus on the NVD.
How the score of a vulnerability is calculated
The metrics used in CVSS v3.1, the latest version, assess the different elements that depend on the exploitation process and the impact, resulting in the final severity score. The first thing we can find in the documentation is that CVSS measures severity, not risk.
The base metrics are:
Attack Vector (AV)
Attack Complexity (AC)
Privileges Required (PR)
User Interaction (UI)
Scope (S)
CIA (Confidentiality, Integrity and Availability)
The final format of CVE-2022-22965 is a vector with this information: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
From the CVSS score calculation, several derivations appear that can be of help when evaluating the safety of a system. Some of them are:
Common Misuse Scoring System (CMSS)
Common Configuration Scoring System (CCSS)
Common Weakness Scoring System (CWSS)
Exploit Prediction Scoring System
What is the actual probability of a vulnerability being exploited by an attacker? That probability is explained by the Exploit Prediction Scoring System (EPSS). The EPSS model produces a probability score: the higher the score, the greater the likelihood that a vulnerability will be exploited.
The score is maintained by the same organization as the CVSS, MITRE, which guarantees its consistency with the above-mentioned vulnerability taxonomies and classification systems.
Stakeholder-specific Vulnerability Categorization
The Stakeholder-specific Vulnerability Categorization (SSVC) is mostly a conceptual tool for vulnerability management. The goal of SSVC is to be risk-oriented, be more transparent in the calculation process, and be able to scale the quantification of vulnerability risk through automation.
Vendor's scoring
Vulnerability Priority Rating (VPR) is maintained by Tenable and also uses the severity and the ease of exploitation, similar to EPSS.
Vertical-specific approaches
Relevant to the medical sector, the Risk Scoring System for Medical Devices (RSS-MD) is being considered. At a more generic level, and relevant to the manufacturing industry, the Industrial Vulnerability Scoring System (IVSS) incorporates factors such as physical security, among others, into part of its calculation.
Link: https://sysdig.com/blog/vulnerability-score-cvss-meaning/