The Common Vulnerability Scoring System (CVSS)
When you have discovered a vulnerability, have you ever been confused about how to determine the risk level of that vulnerability or the time-frame in which that vulnerability should be addressed?
Among the many publications in the NIST (National Institute of Standards and Technology) library are tools that help you score a vulnerability and provide guidance on the time-frame in which that vulnerability should be addressed.
Let’s look at the first component, the risk calculator. This calculator can be found at:
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
This calculator lets the user supply a series of parameters describing the risk. For example, it takes the attack vector, the attack complexity, and the impact on confidentiality, integrity, and availability (the standard elements of security). Beyond these base metrics, the calculator also accepts the parameters that determine the temporal and environmental metrics.
This is a very useful tool when trying to determine a risk level for an identified vulnerability. The resulting score can also serve as justification when deciding on remediation.
The second benefit of using this tool is that the scores can be leveraged to set remediation times. For example, if the calculator produces a CVSS base score of 10.0, you may determine that the vulnerability creates a “Critical” risk, and that critical risks must be remediated within 15 days of discovery or patch publication. Similarly, you may decide that a CVSS base score of 5.0 creates a “Medium” risk that must be remediated within 60 days of identification or patch publication.
Depending on the operating systems and platforms you use, the publisher may already supply CVSS scores with its advisories. These can give you initial guidance on remediation times.
The key message is to understand the risk level created by a vulnerability and have a defined plan to remediate or address the vulnerability.