If you’ve been working in information technology (IT) or cybersecurity for some time, you’re likely familiar with vulnerability management, a core part of protecting organizational systems and data — but do you know how vulnerabilities are scored? If not, this article will introduce you to the fundamentals, and why it’s important to understand them.
Before we get too deep into scoring, let’s discuss databases. Vulnerabilities are cataloged in databases. No database is more popular than the National Vulnerability Database (NVD). NVD, which has origins as far back as the 1990s, functions as a U.S. government repository of standards-based vulnerability management data. It informs vulnerability management efforts for thousands of organizations around the world. NVD is also referenced by nearly all leading security-vendor tools.
While NVD is the most widely used vulnerability database, it is far from the only one. Others, including Sonatype’s OSS Index, the Open-Source Vulnerability (OSV) Database, and Global Security Database (GSD) are quickly gaining adoption as well.
Now that we know some of the primary vulnerability databases, let’s look at how the industry scores vulnerabilities.
Common Vulnerability Scoring System
The Common Vulnerability Scoring System (CVSS) is the primary way vulnerabilities are scored across the software ecosystem. CVSS is an open framework used to communicate characteristics related to a vulnerability’s severity. It uses three metric groups: Base, Temporal, and Environment — although most organizations simply use the Base scoring metrics. NVD utilizes CVSS vulnerability severity ratings to represent vulnerabilities. Based on the latest CVSS version 3.0 specification, vulnerabilities range in severity from None, Low, Medium, High, to Critical. Score-wise, the range goes from 0.0 (None) to 9.0-10.0 (Critical).
Despite CVSS’s widespread adoption, it is nevertheless the target of some significant critiques of its scoring framework and its implementation within the industry. Industry leaders such as exposure management company Tenable have pointed out that more than 50 percent of vulnerabilities scored as High or Critical are never actually exploited. This is problematic given that most organizations prioritize vulnerability management efforts around the CVSS score and severity. Doing so means these organizations could be putting significant time into addressing vulnerabilities that never pose an exploitation risk.
Exploit Prediction Scoring System
As CVSS critiques have grown, the Exploit Prediction Scoring System (EPSS) has emerged. EPSS, much like CVSS, is another open effort, but rather than scoring severity, it aims to estimate the likelihood (probability) that a software vulnerability gets exploited in the wild. This difference helps organizations maximize their limited resources and time by allowing them to focus on vulnerabilities that aren’t just the most severe or highest scored via CVSS but on those that pose the greatest risk of exploitation.
Some have advocated for combining CVSS and EPSS to maximize the impact and return on investment when it comes to organizational efforts and cybersecurity effectiveness. By combining the two efforts, businesses can more accurately drive down organizational risk.
Utilizing accurate data is critical as cybersecurity faces demand to “speak the language of the business.” Speaking the language of business requires quantifying risk, understanding vulnerabilities and their associated risk objectively, and then communicating the risk in relatable terms.
As mentioned in earlier articles this month, cybersecurity is maturing to move away from subjective qualitative risk assessments and communication and towards more objective, quantified risk assessment frameworks. This move will improve the quality of the information that cybersecurity leaders communicate to their business peers as well as make it more digestible and actionable.
Join us on October 27, 2022 for Acceleration Economy’s Data Modernization Digital Battleground, a digital event in which four leading cloud vendors answer questions on key considerations for updating data strategies and technology. Register for free here.
Want more cybersecurity insights? Subscribe to the Cybersecurity as a Business Enabler channel: