Cybersecurity as a Business Enabler

Why Effective Cybersecurity Depends on Understanding How Vulnerability Scores Work

By Chris Hughes | October 21, 2022 (updated December 1, 2022) | 3 min read

If you’ve been working in information technology (IT) or cybersecurity for some time, you’re likely familiar with vulnerability management, a core part of protecting organizational systems and data — but do you know how vulnerabilities are scored? If not, this article will introduce you to the fundamentals, and why it’s important to understand them.

Vulnerability Databases

Before we get too deep into scoring, let’s discuss databases. Vulnerabilities are cataloged in databases. No database is more popular than the National Vulnerability Database (NVD). NVD, which has origins as far back as the 1990s, functions as a U.S. government repository of standards-based vulnerability management data. It informs vulnerability management efforts for thousands of organizations around the world. NVD is also referenced by nearly all leading security-vendor tools.

While NVD is the most widely used vulnerability database, it is far from the only one. Others, including Sonatype’s OSS Index, the Open-Source Vulnerability (OSV) Database, and Global Security Database (GSD) are quickly gaining adoption as well.

Vulnerability Scoring

Now that we know some of the primary vulnerability databases, let’s look at how the industry scores vulnerabilities.

Common Vulnerability Scoring System

The Common Vulnerability Scoring System (CVSS) is the primary way vulnerabilities are scored across the software ecosystem. CVSS is an open framework used to communicate the characteristics and severity of a vulnerability. It uses three metric groups: Base, Temporal, and Environmental — although most organizations simply use the Base metrics. NVD uses CVSS severity ratings to represent vulnerabilities. Under the latest CVSS version 3.0 specification, vulnerabilities range in severity from None, Low, Medium, and High to Critical. Score-wise, the range goes from 0.0 (None) to 9.0-10.0 (Critical).

Despite its widespread adoption, CVSS is the target of some significant critiques, both of its scoring framework and of how the industry applies it. Industry leaders such as exposure management company Tenable have pointed out that more than 50 percent of vulnerabilities scored as High or Critical are never actually exploited. This is problematic given that most organizations prioritize vulnerability management efforts around the CVSS score and severity. Doing so means these organizations could be putting significant time into addressing vulnerabilities that never pose an exploitation risk.

Exploit Prediction Scoring System

As CVSS critiques have grown, the Exploit Prediction Scoring System (EPSS) has emerged. EPSS, much like CVSS, is another open effort, but rather than scoring severity, it aims to estimate the likelihood (probability) that a software vulnerability gets exploited in the wild. This difference helps organizations maximize their limited resources and time by allowing them to focus on vulnerabilities that aren’t just the most severe or highest scored via CVSS but on those that pose the greatest risk of exploitation.

Some have advocated for combining CVSS and EPSS to maximize the impact and return on investment when it comes to organizational efforts and cybersecurity effectiveness. By combining the two efforts, businesses can more accurately drive down organizational risk.

Final Thoughts

Utilizing accurate data is critical as cybersecurity faces demand to “speak the language of the business.” Speaking the language of business requires quantifying risk, understanding vulnerabilities and their associated risk objectively, and then communicating the risk in relatable terms.

As mentioned in earlier articles this month, cybersecurity is maturing to move away from subjective qualitative risk assessments and communication and towards more objective, quantified risk assessment frameworks. This move will improve the quality of the information that cybersecurity leaders communicate to their business peers as well as make it more digestible and actionable.


Chris Hughes

CISO & Co-Founder
Aquia

Areas of Expertise
  • Cybersecurity

Chris Hughes is an Acceleration Economy Analyst focusing on Cybersecurity. Chris currently serves as the Co-Founder and CISO of Aquia. Chris has nearly 20 years of IT/Cybersecurity experience, ranging from active duty time with the U.S. Air Force and civil service with the U.S. Navy and General Services Administration (GSA)/FedRAMP to time as a consultant in the private sector. In addition, he is an Adjunct Professor for M.S. Cybersecurity programs at Capitol Technology University and University of Maryland Global Campus. Chris also participates in industry Working Groups such as the Cloud Security Alliance's Incident Response Working Group and serves as the Membership Chair for Cloud Security Alliance D.C. Chris also co-hosts the Resilient Cyber Podcast. Chris holds various industry certifications, such as the CISSP/CCSP from ISC2, as well as both the AWS and Azure security certifications. He regularly consults with IT and Cybersecurity leaders from various industries to assist their organizations with their Cloud migration journeys while keeping Security a core component of that transformation.
