Common Vulnerability Scoring System: Facts To Note

June 25, 2022 Adeniyi Salau CYBER SECURITY 0

Highlighting Common Vulnerability Scoring System

 

The Common Vulnerability Scoring System (CVSS) is a risk assessment tool that is designed to convey the common attributes and severity of vulnerabilities in computer hardware and software systems. The third revision, CVSS 3.0, is a vendor-neutral, industry-standard, open framework for weighting the risks of a vulnerability using a variety of metrics. These weights combine to provide a score of the risk inherent in a vulnerability. The numeric score can be used to determine the urgency of the vulnerability, and the priority of addressing it. The benefits of the CVSS can be summarized as follows:

  • It provides standardized vulnerability scores that should be meaningful across organizations.
  • It provides an open framework with the meaning of each metric openly available to all users.
  • It helps prioritize risk in a way that is meaningful to individual organizations.

 

The Forum of Incident Response and Security Teams (FIRST) has been designated as the custodian of the CVSS to promote it’s adoption globally. The Version 3 standard was developed with contributions by Cisco and other industry partners. Version 3.1 was released in June of 2019. The figure displays the specification page for the CVSS at the FIRST website.

 

The image displays a screenshot of the specification page for CVSS at the Forum of Incident Response and Security Teams (FIRST) website at the URL https://first.org/cvss/specification-document

CVSS Metric Groups

Before performing a CVSS assessment, it is important to know key terms that are used in the assessment instrument.
Many of the metrics address the role of what the CVSS calls an authority. An authority is a computer entity, such as a database, operating system, or virtual sandbox, that grants and manages access and privileges to users.

CVSS Metric Groups

This represents the characteristics of a vulnerability that are constant over time and across contexts. It has two classes of metrics:

  • Exploitability – These are features of the exploit such as the vector, complexity, and user interaction required by the exploit.
  • Impact metrics – The impacts of the exploit are rooted in the CIA triad of confidentiality, integrity, and availability.

CVSS Base Metric Group

Criteria Description
Attack vector This is a metric that reflects the proximity of the threat actor to the vulnerable component. The more remote the threat actor is to the component, the higher the severity. Threat actors close to your network or inside your network are easier to detect and mitigate.
Attack complexity This is a metric that expresses the number of components, software, hardware, or networks, that are beyond the attacker’s control and that must be present for a vulnerability to be successfully exploited.
Privileges required This is a metric that captures the level of access that is required for a successful exploit of the vulnerability.
User interaction This metric expresses the presence or absence of the requirement for user interaction for an exploit to be successful.
Scope This metric expresses whether multiple authorities must be involved in an exploit. This is expressed as whether the initial authority changes to a second authority during the exploit.
PEOPLE ALSO READ:  MAC Addresses And IP Addresses: Highlighting The Facts
The Base Metric Group Impact metrics increase with the degree or consequence of loss due to the impacted component. The table lists the impact metric components.
Term Description
Confidentiality Impact This is a metric that measures the impact to confidentiality due to a successfully exploited vulnerability. Confidentiality refers to the limiting of access to only authorized users.
Integrity Impact This is a metric that measures the impact on integrity due to a successfully exploited vulnerability. Integrity refers to the trustworthiness and authenticity of the information.
Availability Impact This is a metric that measures the impact to availability due to a successfully exploited vulnerability. Availability refers to the accessibility of information and network resources. Attacks that consume network bandwidth, processor cycles, or disk space all impact the availability.

The CVSS Process

The CVSS Base Metrics Group is designed as a way to assess security vulnerabilities that are found in software and hardware systems. It describes the severity of a vulnerability based on the characteristics of a successful exploit of the vulnerability. The other metric groups modify the base severity score by accounting for how the base severity rating is affected by time and environmental factors.
The CVSS process uses a tool called the CVSS v3.1 Calculator, shown in the figure.
Image is a screenshot of the CVSS v3.1 Calculator, available at https://www.first.org/cvss/calculator/3.1
The calculator is like a questionnaire in which choices are made that describe the vulnerability for each metric group. After all choices are made, a score is generated. Pop-up text that explains each metric and metric value is displayed by hovering the mouse over each. Choices are made by choosing one of the values for the metric. Only one choice can be made per metric.
The CVSS calculator can be accessed on the CVSS portion of the FIRST website.
A detailed user guide that defines metric criteria, examples of assessments of common vulnerabilities, and the relationship of metric values to the final score is available to support the process.
After the Base Metric group is completed, the numeric severity rating is displayed, as shown in the figure.
Image is a screenshot of the CVSS v3.1 Calculator base score screen, which shows the base score after the choices are made on the calculator screen, available at https://www.first.org/cvss/calculator/3.1
A vector string is also created that summarizes the choices made. If other metric groups are completed, those values are appended to the vector string.
The string consists of the initial(s) for the metric, and an abbreviated value for the selected metric value separated by a colon. The metric-value pairs are separated by slashes. The vector strings allow the results of the assessment to be easily shared and compared.
The table lists the key for the Base Metric group.
Metric Name Initials Possible Values Values
Attack Vector AV [N, A, L, P] N = Network
A = Adjacent
L = Local
P = Physical
Attack Complexity AC [L, H] L = Low
H = High
Privileges Required PR [N, L, H] N = None
L = Low
H = High
User Interaction UI [N, R] N = None
R = Required
Scope S [U, C] U = Unchanged
C = Changed
Confidentiality Impact C [H, L, N] H = High
L = Low
N = None
Integrity Impact I [H, L, N] H = High
L = Low
N = None
Availability Impact A [H, L, N] H = High
L = Low
N = None
PEOPLE ALSO READ:  8 Expert Tips To Clear CEH Exam In First Attempt
The values for the numeric severity rating string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N are listed in the table.
Metric Name Values
Attack Vector, AV Network
Attack Complexity, AC Low
Privileges Required, PR High
User Interaction, UI None
Scope, S Unchanged
Confidentiality Impact, C Low
Integrity Impact, I Low
Availability Impact, A None
In order for a score to be calculated for the Temporal or Environmental metric groups, the Base Metric group must first be completed. The Temporal and Environmental metric values than modify the Base Metric results to provide an overall score. 

CVSS Reports

The ranges of scores and the corresponding qualitative meaning is shown in the table.
Rating CVSS Score
None 0
Low 0.1 – 3.9
Medium 4.0 – 6.9
High 7.0 – 8.9
Critical 9.0 – 10.0

Frequently, the Base and Temporal metric group scores will be supplied to customers by the application or security vendor in whose product the vulnerability has been discovered. The affected organization completes the environmental metric group to tailor the vendor-supplied scoring to the local context.

The resulting score serves to guide the affected organization in the allocation of resources to address the vulnerability. The higher the severity rating, the greater the potential impact of an exploit and the greater the urgency in addressing the vulnerability. While not as precise as the numeric CVSS scores, the qualitative labels are very useful for communicating with stakeholders who are unable to relate to the numeric scores.

PEOPLE ALSO READ:  Address Resolution Protocol: How It Works

In general, any vulnerability that exceeds 3.9 should be addressed. The higher the rating level, the greater the urgency for remediation.

Other Vulnerability Information Sources

There are other important vulnerability information sources. These work together with the CVSS to provide a comprehensive assessment of vulnerability severity. There are two systems that operate in the United States:
Common Vulnerabilities and Exposures (CVE)
This is a dictionary of common names, in the form of CVE identifiers, for known cybersecurity vulnerabilities. The CVE identifier provides a standard way to research a reference to vulnerabilities. When a vulnerability has been identified, CVE identifiers can be used to access fixes. In addition, threat intelligence services use CVE identifiers, and they appear in various security system logs. The CVE Details website provides a linkage between CVSS scores and CVE information. It allows browsing of CVE vulnerability records by CVSS severity rating.
Search the internet for Mitre for more information on CVE as shown in the figure.
Image is a screenshot of the CVE screen at Mitre.og, available at https://cve.mitre.org/
National Vulnerability Database (NVD)
This utilizes CVE identifiers and supplies additional information on vulnerabilities such as CVSS threat scores, technical details, affected entities, and resources for further investigation. The database was created and is maintained by the U.S. government National Institute of Standards and Technology (NIST) agency.
Image is a screenshot of the National Vulnerability Database (NVD) search screen, available at https://nvd.nist.gov/vuln/search
Action Point
PS: If you would like to have an online course on any of the courses that you found on this blog, I will be glad to do that on individual and corporate level, I will be very glad to do that I have trained several individuals and groups and they are doing well in their various fields of endeavour. Some of those that I have trained includes staffs of Dangote Refinery, FCMB, Zenith Bank, New Horizons Nigeria among others. Please come on Whatsapp and let’s talk about your training. You can reach me on Whatsapp HERE. Please note that I will be using Microsoft Team to facilitate the training. 

I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We will appreciate it if you can drop your comment. Thanks in anticipation.

 

Fact Check Policy

CRMNIGERIA is committed to fact-checking in a fair, transparent and non-partisan manner. Therefore, if you’ve found an error in any of our reports, be it factual, editorial, or an outdated post, please contact us to tell us about it.

 

       

Fact Check Policy
Contact Us
facebookShare on Facebook
TwitterPost on X
FollowFollow us
PinterestSave
truehost
telegram
CRMNuggets Whatsapp Channel

Related Posts:

About Adeniyi Salau 1549 Articles
Adeniyi Salau is a highly dedicated and committed Blogger of repute. He likes sharing his IT knowledge with others. My desire is to impact as many lives as possible with my IT skills. You can download my mobile APP. Download the ICTLOAD APP on Google Playstore. Thanks.

Be the first to comment

Leave a Reply

Your email address will not be published.


*