What is the common vulnerability scoring system and how does it work?
Dr. Heather Buker Aug 11, 2022
CVSS is an important metric used in Vulnerability Management. It is a scoring system used in evaluating security vulnerabilities. The CVSS provides a consistent method of representing the severity of vulnerabilities and further helps in prioritising the vulnerabilities. It helps the security teams treat vulnerabilities based on their severity.
CVSS was first introduced in 2005 by the National Infrastructure Advisory Council (NIAC). It is currently owned and managed by FIRST (Forum of Incident Response and Security Teams). Developing CVSS was a joint effort by several groups including Microsoft, IBM Internet Security Systems, Cisco, and Symantec. Since being introduced, several other groups have come forward to help refine the CVSS set of standards.
In 2007, CVSS v2 was released. It improved upon the 2005 version by removing inconsistencies and bringing in more accuracy. The second version helped to bring more clarity to IT vulnerabilities. Next, the CVSS v3 was released in 2015 which further enhanced the scoring system by introducing factors such as privileges required to exploit a vulnerability. The latest version is CVSS v3.1 which was released in 2019.
CVSS is a standardised scoring system that brings consistency to vulnerability evaluation. It is also an open framework that gives complete access to the parameters used by the scoring system. This improves the understanding of how the scoring works and helps security teams holistically interpret the scores.
A CVSS score helps you prioritise vulnerabilities and treat them in the vulnerability management process. It also helps you meet the requirements set out by compliance standards.
A CVSS score can be assigned using the below three metrics.
The base score can alone decide the CVSS score, too. However, for a more accurate CVSS, the other two metrics also should be considered.
The base score is assigned based on the attributes of the vulnerability that do not change with time or environment. It is composed of the following sub-scores.
This sub-score takes into account the below metrics.
The impact sub-score describes the consequences if a vulnerability is exploited. It measures the difference between the status before and after the vulnerability is exploited. It is made up of the below three elements regarding the information.
This metric helps define the scope of the impact of the vulnerability. The scope can be defined as a set of security components under a single security authority or a set of access controls. When the impact lies within these components, it is within the scope. When other components are also impacted, the scope is outside the vulnerable component. When the scope is wider, the severity of the vulnerability is higher.
A temporal score describes whether there are any known codes or patches to exploit a vulnerability. It depends on the below metrics.
The environmental metrics help you refine the base score in the context of your organisational environment. Higher scores are given to the most important and critical assets. The categories of the environmental metrics are as below.
The base score is the foundation of the final CVSS score. It is computed after taking into account the confidentiality, integrity, and availability of the information or system associated with the vulnerability. The base score remains constant.
The temporal score and the environmental metrics modify the base score to arrive at the final CVSS score. However, the base score has the most weightage in the final score.
CVSS scores are on a scale from 0.0 to 10.0 as mentioned earlier. To understand what these scores mean and to have a consistent interpretation of these scores, the below qualitative rating is sometimes used.
0.0 - None
0.1 to 3.9 - Low
4.0 to 6.9 - Medium
7.0 to 8.9 - High
9.0 to 10.0 - Very High/Critical
Publicly available CVSS scores only use the base scores. These scores can tell you how severe a vulnerability is, but they will not tell you how critical it is for your information or systems. Thus, a comprehensive scoring system that also accounts for the temporal scores and the environmental metrics gives you a more accurate CVSS score.
CVSS is not dependent on the vendors and gives a composite score. Hence it is widely used in different assets from operating systems to databases and from web applications to software products.
Also, read about vulnerability management in Understanding Vulnerability Management.