How to evaluate vulnerability severity scores
- Jul 16, 2013
- Guest Author
There’s a quote attributed to Fabio Massacci, professor of information systems and security at the University of Trento in Italy that is the perfect analogy for IT security vulnerability severity scores. “Prioritizing patching based on CVSS scores is like triaging patients in an emergency room by just their temperature.” Robert Lemos posted an article on Dark Reading that argues that the Common Vulnerability Scoring System (CVSS) score doesn’t necessarily correlate with whether the vulnerability is being used in attacks. Vulnerability rating is the topic of a common dialog that we have with our customers because it is so important to the remediation process.
The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. There are official repositories of IT security vulnerability information on the web. Some readers may be familiar with the National Vulnerability Database (NVD) and Exploit Database mentioned in Mr. Lemos’ article. Another common resource is CVE® which is a dictionary of publicly known information security vulnerabilities and exposures.
The theory is that the more severe the vulnerability rating, the more at risk your organization is to attack. Some vulnerabilities are obvious. If there is a known exploit, the likelihood of an attack is much higher. In other cases, it often depends on both the technical risk as well as the business importance of the asset on which the vulnerability resides.
Unified VRM has a patented technology called the Intelligent Algorithm which helps determine overall risk scores. We combine the CVSS information with business-critical asset groups that are deemed to be more risky, for a more accurate risk rating. For example, the same vulnerability that is found on the external network might have a different risk rating on the internal network. We deliver specific risk scores for specific infrastructure and applications, as well as an overall score based on the average in your IT environment.
Magic? It might seem that way. Back to the medical analogy quoted at the beginning of this post… we prefer to think of it as modern medicine for your IT environment. And we would love the opportunity to show you how it works with a personalized demo.