Common Vulnerability Scoring System
The Common Vulnerability Scoring System (CVSS) is a rating system designed to provide open and universally standard severity ratings of software vulnerabilities. It was created to provide a global framework for disclosing information about security vulnerabilities.
IT management must identify and assess vulnerabilities across many disparate hardware and software platforms. They need to prioritize these vulnerabilities and remediate those that pose the greatest risk. But when there are so many to fix, each scored on a different scale, how can IT managers convert this mountain of vulnerability data into actionable information? The Common Vulnerability Scoring System (CVSS) is an open framework that addresses this issue.
- Standardized Vulnerability Scores: When an organization normalizes vulnerability scores across all of its software and hardware platforms, it can apply a single vulnerability management policy. This policy may be similar to a service level agreement (SLA) that states how quickly a vulnerability of a given score must be validated and remediated.
- Open Framework: Users can be confused when a vulnerability is assigned an arbitrary score. "Which properties gave it that score? How does it differ from the one released yesterday?" With CVSS, anyone can see the individual characteristics used to derive a score.
- Prioritized Risk: Once the environmental score is computed, the vulnerability becomes contextual: the score now reflects the risk that vulnerability poses to a particular organization, so users know how important it is in relation to other vulnerabilities in their environment.
Throughout this document the following definitions are used:
- Vulnerability: a bug, flaw, weakness, or exposure of an application, system, device, or service that could lead to a failure of confidentiality, integrity, or availability.
- Threat: the likelihood or frequency of a harmful event occurring.
- Risk: the relative impact that an exploited vulnerability would have to a user's environment.
CVSS is composed of three metric groups: Base, Temporal, and Environmental, each consisting of a set of metrics, as shown in the figure below:
- Base: represents the intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments.
- Temporal: represents the characteristics of a vulnerability that change over time but not among user environments.
- Environmental: represents the characteristics of a vulnerability that are relevant and unique to a particular user's environment.
Who performs the scoring?
Generally, the base and temporal metrics are specified by vulnerability bulletin analysts, security product vendors, or application vendors, because they typically have better information about the characteristics of a vulnerability than users do. The environmental metrics, however, are specified by users, because they are best able to assess the potential impact of a vulnerability within their own environments.
Who is using CVSS?
Many organizations are using CVSS, and each finds value in it in different ways. Below are some examples:
- Vulnerability Bulletin Providers: Both non-profit and commercial organizations are publishing CVSS base and temporal scores and vectors in their free vulnerability bulletins. These bulletins offer much information, including the date of discovery, systems affected and links to vendors for patching recommendations.
- Software Application Vendors: Software application vendors are providing CVSS base scores and vectors to their customers. This helps them properly communicate the severity of vulnerabilities in their products and helps their customers effectively manage their IT risk.
- User Organizations: Many private-sector organizations are using CVSS internally to make informed vulnerability management decisions. They use scanners or monitoring technologies to first locate host and application vulnerabilities. They combine this data with CVSS base, temporal and environmental scores to obtain more contextual risk information and remediate those vulnerabilities that pose the greatest risk to their systems.
- Vulnerability Scanning and Management: Vulnerability management organizations scan networks for IT vulnerabilities. They provide CVSS base scores for every vulnerability on each host. User organizations use this critical data stream to more effectively manage their IT infrastructures by reducing outages and protecting against malicious and accidental IT threats.
- Security (Risk) Management: Security Risk Management firms use CVSS scores as input to calculating an organization's risk or threat level. These firms use sophisticated applications that often integrate with an organization's network topology, vulnerability data, and asset database to provide their customers with a more informed perspective of their risk level.
- Researchers: The open framework of CVSS enables researchers to perform statistical analysis on vulnerabilities and vulnerability properties.
CVSS consists of three metric groups: Base, Temporal and Environmental. Each group produces a numeric score ranging from 0 to 10 and a Vector, a compressed textual representation that records the metric values used to derive the score (for example, AV:N/AC:L/Au:N/C:P/I:P/A:P for a base vector). The Base group represents the intrinsic qualities of a vulnerability. The Temporal group reflects the characteristics of a vulnerability that change over time; its score is derived from the Base score. The Environmental group represents the characteristics of a vulnerability that are unique to a particular user's environment; its score is derived from the Temporal score. CVSS enables IT managers, vulnerability bulletin providers, security vendors, application vendors and researchers to benefit from a common language for scoring IT vulnerabilities.
Symantec's Security Content Automation Protocol (SCAP) support uses the scoring guidelines published by the Common Vulnerability Scoring System (CVSS 2.0) to calculate risk scores for assets that fail evaluation against an SCAP-expressed data stream. To obtain those risk scores you must first import the CVSS values for the corresponding CVE IDs.
- The NIST CVSSv2 calculator can be found at http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2