NopSec.com uses cookies to make interactions with the Company’s Websites easy and meaningful. When you visit one of the Company’s Websites, NopSec.com’s servers send a cookie to your computer. Standing alone, cookies do not personally identify you; they merely recognize your Web browser. Unless you choose to identify yourself to NopSec.com, either by responding to a promotional offer, opening an account, or filling out a Web form (such as a “Contact Us” or a “Free Trial” Web form), you remain anonymous to the Company. Please go to our privacy statement for details.

Acknowledge

How to evaluate vulnerability severity scores

There’s a quote attributed to Fabio Massacci, professor of information systems and security at the University of Trento in Italy that is the perfect analogy for IT security vulnerability severity scores. “Prioritizing patching based on CVSS scores is like triaging patients in an emergency room by just their temperature.” Robert Lemos posted an article on Dark Reading that argues that the Common Vulnerability Scoring System (CVSS) score doesn’t necessarily correlate with whether the vulnerability is being used in attacks. Vulnerability rating is the topic of a common dialog that we have with our customers because it is so important to the remediation process.

What is CVSS?

The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. There are official repositories of IT security vulnerability information on the web. Some readers may be familiar with the National Vulnerability Database (NVD) and Exploit Database mentioned in Mr. Lemos’ article. Another common resource is CVE® which is a dictionary of publicly known information security vulnerabilities and exposures.

Why is vulnerability scoring so important?

The theory is that the more severe the vulnerability rating, the more at risk your organization is to attack. Some vulnerabilities are obvious. If there is a known exploit, the likelihood of an attack is much higher. In other cases, it often depends on both the technical risk as well as the business importance of the asset on which the vulnerability resides.

Unified VRM has a patented technology called the Intelligent Algorithm which helps determine overall risk scores. We combine the CVSS information with business-critical asset groups that are deemed to be more risky, for a more accurate risk rating. For example, the same vulnerability that is found on the external network might have a different risk rating on the internal network. We deliver specific risk scores for specific infrastructure and applications, as well as an overall score based on the average in your IT environment.

Magic? It might seem that way. Back to the medical analogy quoted at the beginning of this post… we prefer to think of it as modern medicine for your IT environment.  And we would love the opportunity to show you how it works with a personalized demo.

Schedule a Product Demo Today!

See how NopSec's end-to-end Cyber Exposure Management platform can organize your security chaos.