Understanding Vulnerability Scoring
Threat actors make use of vulnerabilities in their attacks. By exploiting vulnerabilities, attackers can gain access to devices, networks and systems. Vulnerabilities enable attackers to steal corporate information and sell sensitive data. They can also eavesdrop on confidential communications.
Vulnerabilities can be created by software errors or exploited through forced injections such as OS command injection or SQL injection attacks. Other common vulnerability attacks are buffer and integer overflows, which involve the attacker altering the code. More and more vulnerabilities are discovered every day.
In 2019, thousands of vulnerabilities were disclosed. Because of the high number of vulnerabilities, discovering and patching every single one can be a challenging task. The Common Vulnerability Scoring System (CVSS) was created to assist security experts and developers in assessing the threat level of vulnerabilities and prioritizing mitigation.
What is a Software Vulnerability?
A software vulnerability is a flaw in the codebase that hackers can exploit. This includes vulnerabilities created by bugs and those created by malicious changes to code, which are normally made through code or malware injection.
Software vulnerabilities can offer attackers the opportunity to infiltrate systems, abuse resources and steal data. This is why it’s important for software development and testing teams to identify vulnerabilities before software is released. Security professionals also need to create patches when vulnerabilities are discovered after release.
What Is the Common Vulnerability Scoring System (CVSS)?
CVSS is a set of open standards for scoring the severity of vulnerabilities. It was created by MITRE and is used by a wide range of security experts and vulnerability researchers. The scale runs from zero to ten, with ten representing the most critical vulnerability level.
The main purpose of the Common Vulnerability Scoring System (CVSS) is to create a uniform method of identifying and addressing the threat associated with a particular vulnerability. This enables security communities to prioritize and collaborate on addressing vulnerabilities.
How CVSS Scoring Works
When CVSS scores are assigned, the score is determined by a combination of elements. These components are the base, temporal and environmental metric groups. Only the base score is needed to produce a CVSS score. However, it’s ideal to use all three groups for the best accuracy.
The base score is a representation of the essential characteristics of the vulnerability. These characteristics do not depend on time or environment. It includes three subscores: exploitability, impact and scope.
The exploitability subscore depends on a combination of the following metrics. These metrics describe how easily a vulnerability can be exploited.
Attack Vector (AV): This describes how attackers can access a vulnerability. Lower values are given for vulnerabilities that need proximity to a system, while a higher score is given for vulnerabilities that can be remotely exploited.
Attack Complexity (AC): This describes the necessary conditions for exploitation. Lower scores are given when additional information is needed from an attacker while higher scores are given when vulnerabilities can be repeatedly or easily exploited.
Privileges Required (PR): This describes the level of privilege that’s needed to exploit a vulnerability. Lower scores are given when higher-level privileges are needed while higher scores are given when minimal or low privileges are needed.
User Interaction (UI): This describes whether exploitation depends on the actions of a user, for instance the installation of an application. This metric is binary: either user interaction is needed or it is not.
The impact score represents the effects of an exploited vulnerability. It includes privilege escalation, increased access and other negative outcomes, and measures the change from pre-exploit to post-exploit. The impact subscore involves three elements, which are:
Confidentiality (C): This defines the impact of the exploit on the loss of confidential data. Scores include none, low and high.
Integrity (I): This defines the impact of exploitation on the truthfulness and trustworthiness of data. Scores include none, low (no control over impact or limited modification of data) and high (direct consequence or total loss).
Availability (A): This defines the impact of the exploit on the availability of the affected parts. Scores include none, low and high.
Scope is a metric that describes whether or not a vulnerability influences features outside of its security scope. A security scope is a bubble of components that fall under a set of access controls or single security authority. When attackers can exploit vulnerabilities to manipulate components outside the scope of the vulnerable component, the severity of a vulnerability increases.
The temporal score represents the existence of known exploit methods, updates or patches, and the confidence in the vulnerability description. It depends on:
Exploit Code Maturity (E): This describes the availability of attack techniques and tools to exploit the vulnerability. Scores from low to high include proof of concept, unproven, functional, high, and not defined.
Remediation Level (RL): This describes the level of mitigation or remediation available to correct a vulnerability. Scores from low to high include workaround, official fix, temporary fix, unavailable, and not defined.
Report Confidence (RC): This describes the degree of certainty of the accuracy of the vulnerability report. Scores from low to high include unknown, confirmed, reasonable, and not defined.
Environmental metrics enable you to personalize CVSS scores based on how critical a vulnerable component is to your company. These metrics are modified versions of the metrics used to calculate the base score. The modifications are made based on a component’s placement in your practices, systems, and security configurations.
Since there are many vulnerabilities, evaluating risk levels can be a major challenge. Is this vulnerability a substantial threat, or is there any other vulnerability that needs to be patched quickly?
The CVSS system makes use of evaluations like base score, temporal score and environmental metrics to offer a standard risk level for each vulnerability. This standard is used by the community of experts when evaluating the risk levels of vulnerabilities. CVSS v3.1 is the latest update of the CVSS standards, which can be used when prioritizing mitigation.