Breaking Down the CVSS

Vulnerabilities vary across the board in exploitability, risk, and threat. CVSS is a free and open set of metrics used to score the potential severity of IT vulnerabilities. It designates each vulnerability with a numerical severity rating between 0.0 and 10.0, with the number increasing along with the severity.

CVSS standardizes the methodology used in identifying and prioritizing the threat posed by any given vulnerability. This standardization facilitates collaboration between different security communities and enables infosec teams to apply a uniform method across different hardware and software platforms within their organizations.

Danny Ocean briefs the gang on CVSS

How It Works: CVSS Score Metrics

Each CVSS score is composed of up to three metrics: Base, Temporal, and Environmental.

CVSS Base Score Metric Group

This metric represents a vulnerability’s attributes that are constant across time and environment. This metric group is composed of subsets: Exploitability, Scope, and Impact.

The Exploitability metric refers to the ease and means by which a given vulnerability is exploited. There are 4 further sub-components to this set.

• Attack Vector: this score is determined by the context of the exploit. How remote can the attacker be to gain access to the vulnerability. Does an attacker need physical access to a device, or can an exploit be executed outside of a company’s network?
• Attack Complexity: this score refers to the conditions required for a successful attack. Does a vulnerability require extensive preparation on part of the attacker for a successful exploit?
• Privileges Required: this score describes the level of privileges required before an exploit can be executed.
• User Interaction: Can the vulnerability be exploited at will, or is another human user required for a successful exploit?

The Impact metric measures the consequences of an exploited vulnerability. There are three further sub-components that contribute to this score.

• Confidentiality: this score corresponds with the amount of data an attacker has access to after a successful exploit.
• Integrity: this score corresponds to the attacker’s ability to manipulate the data on a compromised system.
• Availability: this score corresponds with the system’s accessibility for authorized users after a successful exploit.

Scope relates to the possibility that the exploited vulnerability can lead to issues outside the original jurisdiction of the vulnerable component. An example would be if the attacker could access the underlying operating system after the initial exploit.

CVSS Temporal Metric Score Group

This metric relates to characteristics of a vulnerability that change over time. This group has three sub-components: Exploit Code Maturity, Remediation Level, and Report Confidence.

• Exploit Code Maturity: this score corresponds with the likelihood a vulnerability will be attacked based on the availability of exploit techniques, code, or active exploitation.
• Remediation Level: this score corresponds with how available and viable a fix is for a vulnerability. An unproven or temporary fix won't rate the same as a tried and true official fix.
• Report Confidence: this score measures the amount of available information about a vulnerability and that information’s credibility.

CVSS Environmental Score Metric Group

This metric is a modifier that’s used by IT teams within an organization to tailor the CVSS score to correspond with the importance of the affected asset within their organization.

• Security Requirements: this modifier corresponds with the value of the affected asset. A vulnerability that leads to loss of customer credit data would be scored higher than a workstation with no access to privileged information.
• Modified Base Metrics: this modifier accounts for any mitigations that an organization has put into place, such as security configurations, authentication requirements, or best practices training across the organization.

CVSS Limitations

The Common Vulnerability Scoring System represents the severity of a vulnerability under lab conditions, but it doesn’t necessarily score the vulnerability as it is within the context of your unique IT environment. The potential consequences of a successful exploit in one organization may look wildly different than the consequences in another. CVSS is just one piece to the complete and healthy cybersecurity posture puzzle. Another piece is an all-in-one vulnerability management platform that uses the framework CVSS provides and bases prioritization on the specific needs and structure of your organization.