Defining CVSS Scores
Common Vulnerability Scoring System (CVSS) scores are industry-standard measures of the severity of a software vulnerability. They are an integral part of many vulnerability assessment programs, and are used to compare one vulnerability to another and as an input to the decision of what to patch or fix, and when.
Three metric groups make up every CVSS score – Base, Temporal, and Environmental. Each group has several component metrics.
Base Metrics are static attributes inherent in each vulnerability. These metrics do not vary based on actions taken by adversaries, vendors, or enterprises. These metrics are the primary factor in public CVSS scores, such as those listed in the National Vulnerability Database, which is maintained by the National Institute of Standards and Technology.
Temporal Metrics are, well, temporal. These metrics change over time, primarily as a result of activity by both adversaries and software vendors, and they apply across all enterprises equally. Adversaries creating, distributing, and using exploit code are a major factor in Temporal Metrics. Vendors creating and distributing software patches, and enterprises applying them, are the other major factor.
Environmental Metrics, the focus of this article, apply to the specific environment in which a vulnerability exists. These metrics are, by definition, specific to each enterprise.
CVSS Environmental Metrics
Environmental Metrics are essentially modifiers to the Base, or static, metric group. They are designed to account for the aspects of an enterprise that might increase or decrease the net severity of a vulnerability. Environmental Metrics are made up of Modified Base Metrics and Security Requirements.
Modified Base Metrics
If an organization has compensating controls or mitigation measures in place, those measures reduce the likelihood, or the feasibility, of a vulnerability being exploited. For example, a server protected by a firewall, or an unused server that has been shut off, is less likely to be breached than a server that is publicly exposed to the internet.
Modifying base metrics is as simple as it sounds. The enterprise makes a qualitative judgment about how its environment changes each of the base metric factors, and reduces or increases the corresponding value as a result. NIST’s CVSS Scoring Calculator provides a quick and easy way to demonstrate the impact of modifying these attributes.
Security Requirements
Security Requirements are an indicator of the business criticality of an asset, measured in terms of Confidentiality, Integrity, and Availability, the elements of the well-known CIA Triad. For review:
- Confidentiality is the ability to hide information from unauthorized users.
- Integrity is the ability to protect information from being changed from its original state.
- Availability is the accessibility of the information to authorized users as needed.
If one or more of these factors is more important than expected, the enterprise raises the Security Requirement for the corresponding area.
Security Requirements are assigned one of four values.
- Not Defined (X) – this value has no impact on the overall Environmental Score and is typically reserved for situations where there is insufficient information to assign a value.
- High (H) – Loss of Confidentiality, Integrity, or Availability would be catastrophic to the enterprise.
- Medium (M) – Loss of Confidentiality, Integrity, or Availability would have a serious adverse impact on the enterprise.
- Low (L) – Loss of Confidentiality, Integrity, or Availability would have a limited or isolated impact on the enterprise.
Impact of Environmental Metrics
Here is an example of Environmental Metrics in action. We start with a vulnerability with a very high CVSS score, as indicated by the combination of Base and Temporal Metrics:
Then, without changing any of those metrics, we apply very aggressive environmental controls to mitigate the vulnerability substantially:
You can see that neither the Base Score nor the Temporal Score changes at all, yet the Overall CVSS Score was reduced from a staggering 9.9 (Critical) to a 3.2 (Low).
This is an extreme example, but it nonetheless illustrates the need to include Environmental Factors in your Vulnerability Assessment and Vulnerability Management programs, in addition to the widely published Base scores and the sometimes published Temporal scores.
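To make the mechanics behind the Modified Base Metrics, the Security Requirements and the example above concrete, here is an added worked example in Python. It is not code from the original article or from NIST; it implements the Base, Temporal and Environmental formulas and metric weights published in the CVSS v3.1 specification, parses a standard vector string, and scores three constructed vectors (a published score, the same flaw behind a firewall, and the same flaw with aggressive modifications and Low security requirements). The vectors and the resulting numbers are constructed for illustration and do not reproduce the screenshots referenced in the article; the function names are my own.

```python
"""CVSS v3.1 Base, Temporal and Environmental scores from a vector string.

Added worked example, not code from the original article. Weights and
formulas follow the CVSS v3.1 specification; the vector strings at the
bottom are constructed for illustration.
"""
import math

# Metric weights from the CVSS v3.1 specification.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
E = {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91}
RL = {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95}
RC = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}
REQ = {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}  # CR / IR / AR Security Requirements
OPTIONAL = ("E", "RL", "RC", "CR", "IR", "AR",
            "MAV", "MAC", "MPR", "MUI", "MS", "MC", "MI", "MA")


def pr_weight(pr, scope_changed):
    """Privileges Required weighs more when the exploit changes scope."""
    if pr == "N":
        return 0.85
    if pr == "L":
        return 0.68 if scope_changed else 0.62
    return 0.5 if scope_changed else 0.27  # "H"


def roundup(x):
    """Spec Roundup: smallest one-decimal value >= x, immune to float drift."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def parse_vector(vector):
    """Parse 'CVSS:3.1/AV:N/...' into a dict; optional metrics default to X."""
    prefix, *pairs = vector.split("/")
    if prefix != "CVSS:3.1":
        raise ValueError("only CVSS:3.1 vectors are supported")
    m = dict(pair.split(":") for pair in pairs)
    for key in OPTIONAL:
        m.setdefault(key, "X")
    return m


def base_score(m):
    changed = m["S"] == "C"
    iss = 1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])
    impact = (7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15) if changed else 6.42 * iss
    exploit = 8.22 * AV[m["AV"]] * AC[m["AC"]] * pr_weight(m["PR"], changed) * UI[m["UI"]]
    if impact <= 0:
        return 0.0
    return roundup(min(1.08 * (impact + exploit) if changed else impact + exploit, 10))


def temporal_factor(m):
    return E[m["E"]] * RL[m["RL"]] * RC[m["RC"]]


def temporal_score(m):
    return roundup(base_score(m) * temporal_factor(m))


def environmental_score(m):
    def mod(key):
        # A Modified metric left at X (Not Defined) inherits its Base value.
        return m[key] if m[key] != "X" else m[key[1:]]

    changed = mod("MS") == "C"
    # Security Requirements scale each CIA impact; the spec caps MISS at 0.915.
    miss = min(1 - (1 - REQ[m["CR"]] * CIA[mod("MC")])
                   * (1 - REQ[m["IR"]] * CIA[mod("MI")])
                   * (1 - REQ[m["AR"]] * CIA[mod("MA")]), 0.915)
    if changed:
        impact = 7.52 * (miss - 0.029) - 3.25 * (miss * 0.9731 - 0.02) ** 13
    else:
        impact = 6.42 * miss
    exploit = (8.22 * AV[mod("MAV")] * AC[mod("MAC")]
               * pr_weight(mod("MPR"), changed) * UI[mod("MUI")])
    if impact <= 0:
        return 0.0
    total = 1.08 * (impact + exploit) if changed else impact + exploit
    # Temporal metrics are applied inside the Environmental formula.
    return roundup(roundup(min(total, 10)) * temporal_factor(m))


def severity(score):
    """Qualitative rating from the CVSS v3.1 severity scale."""
    if score == 0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def score_vector(vector):
    m = parse_vector(vector)
    return {"base": base_score(m), "temporal": temporal_score(m),
            "environmental": environmental_score(m)}


# Constructed vectors (not the article's screenshots): a remotely reachable
# flaw with a proof-of-concept exploit and an official fix available.
PUBLISHED = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"
# Same flaw on a host behind a firewall: only the attack vector is modified.
FIREWALLED = PUBLISHED + "/MAV:L"
# Same flaw on a powered-off lab box holding low-value data: aggressive
# Modified Base Metrics plus Low Security Requirements across the board.
MITIGATED = PUBLISHED + "/MAV:P/MAC:H/MPR:H/MUI:R/MS:U/MC:L/MI:L/MA:N/CR:L/IR:L/AR:L"

if __name__ == "__main__":
    for name, vec in (("published", PUBLISHED), ("firewalled", FIREWALLED), ("mitigated", MITIGATED)):
        s = score_vector(vec)
        print(f"{name:>10}: base {s['base']} / temporal {s['temporal']} / "
              f"environmental {s['environmental']} ({severity(s['environmental'])})")
```

Running it shows the pattern the article describes: the Base and Temporal scores never move, while the firewall alone (a single Modified Base Metric) pulls the Environmental score down a notch, and the combination of Modified Base Metrics and Low Security Requirements drops the same vulnerability from High to Low. The `roundup` helper matters more than it looks: the specification defines rounding on scaled integers precisely so that two calculators never disagree by 0.1 because of floating-point noise.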
Operationalizing CVSS Scores
As discussed previously, published CVSS scores typically comprise Base Metrics only. This is a useful starting point, but it really only answers the question, “Can this do damage?”, when you really need to answer, “Can this do damage to my company?” To ensure that you are not being misled by CVSS scores, you need to account for Temporal and Environmental factors as well. This is key to successfully operationalizing CVSS scores in your vulnerability management program.