Leveraging Vulnerability Scoring in Prioritizing Remediation

The average organization has numerous types of equipment from different vendors. Along with the equipment, businesses also utilize multiple software applications from various developers throughout the organization. This diversity provides many helpful opportunities, but also creates a higher probability for vulnerability. Risk managers are able to stay aware of new vulnerabilities through vendor systems or services such as SANS @RISK, the National Vulnerability Database (NVD), the Open Source Vulnerability Database (OSVDB), or Bugtraq, but how do they prioritize the vulnerabilities. Certainly, risk managers need to know which vulnerabilities with the highest risk can be resolved before lesser vulnerabilities? Understanding these vulnerabilities and their impact relevant to other vulnerabilities is quite a challenge.

To overcome this challenge, several scoring systems have been developed. These include the US-CERT (United States Computer Emergency Readiness Team) Vulnerability Notes Database and the Common Vulnerability Scoring System (CVSS). This article provides an overview of both systems and how risk managers can use them to prioritize remediation.

US-CERT Vulnerability Notes Database

Severe vulnerabilities are published in the US-CERT Technical Alerts. One clear problem arises, however -what determines the severity of vulnerability? A severe vulnerability that affects a rare application may be of lower priority to most users; however, those who do use it will want the information about its possible vulnerabilities. The Vulnerability Notes Database allows for vulnerabilities of all severities to be published. This open book policy is because the severity of vulnerabilities is difficult to determine. For example, the few users of the rare application can use the system to find the severe vulnerability that would not be published in the Technical Alerts.

Vendor information is available in addition to the vulnerability notes. For each vendor, this includes a summary of the vendor’s vulnerability status, rated as “Affected”, “Not Affected”, or “Unknown”. This may also include a statement from the vendor that includes solutions to the problem, such as software patches and potential permanent fixes.

The database allows for browsing and searching for vulnerabilities. The notes include the impact of the vulnerability, solutions, and ways to work around it, as well as a list of vendors affected by the vulnerability. Searches can be customized to determine vulnerabilities that impact an organization and their level of severity. Thus this database can be very helpful for risk managers.

Common Vulnerability Scoring System (CVSS)

While the US-CERT Vulnerability Notes Database publishes all vulnerabilities of all severities, it is not the only way risk managers can prioritize their vulnerabilities. There is another system, which companies can apply to their equipment and software. This second method is called the Common Vulnerability Scoring System or CVSS.

CVSS ranks vulnerabilities using three categories of metrics; base, temporal, and environmental.

Base characteristics

Base characteristics define the fundamental characteristic of a vulnerability and include the following:

  • Impact to confidentiality, integrity, and availability
  • Access vector – the route through which a vulnerability is exploited such as local, adjacent to the network, or network.
  • Access Complexity
  • Authentication

Temporal metric

Temporal metrics are those that change over time. The three temporal metrics are exploitability, remediation level, and report confidence.

  • Exploitability measures the current state of exploit technique availability. Higher availability means there are a higher number of potential attackers.
  • Remediation levels include unavailable, workaround, temporary fix, and official fix. As a vulnerability’s remediation level increases, its severity decreases.
  • Report confidence measures the confidence of the vulnerability’s existence and its technical details. Values include confirmed, uncorroborated, and unconfirmed. Vulnerabilities that are confirmed are considered more severe.

Environmental Metrics

The last category of metrics used by CVSS is environmental metrics. These consist of metrics related to where the vulnerability exists. The metrics are as follows:

  • Collateral damage potential
  • Target distribution – the percentage of potentially affected systems
  • Confidentiality, availability, and integrity requirements

The CVSS system, unlike the US-CERT database, provides different metrics and measures to categorize different vulnerabilities. This system provides a scoring schedule, which quantifies the different vulnerabilities. Thus allowing risk managers in more niche markets and specific businesses isolate particular vulnerabilities important to them.

Organizations usually have large numbers of programs running, in addition to programs, there is a multitude of equipment required to operate a successful business. However, these cogs in the corporation’s engine do not always run smoothly. Sometimes vulnerabilities can crop up and can be potentially harmful to the piece of equipment or the larger company. Therefore, risk managers must keep track of all of these vulnerabilities to keep the business running efficiently. Following all of these vulnerabilities can prove to be difficult. Risk managers keep on top of new vulnerabilities through various outlets. For example, SANS @RISK, the National Vulnerability Database (NVD), the Open Source Vulnerability Database (OSVDB), or Bugtraq are used in this capacity. Furthermore, more strains occur in the department of ranking vulnerabilities based on severity. This job can be tough, but there are databases, which can aid in dealing with more critical vulnerabilities and ahead of less severe problems. The first is called US-CERT Vulnerability Notes Database and the second is the Common Vulnerability Scoring System (CVSS).

The US-CERT Vulnerability Notes Database utilizes a broader approach. It chronicles many of the known vulnerabilities and outlines the severity, without giving too much of a ranking. This movement away from hard rankings by the database is due to the difficulty of applying a single blanket score for all businesses because of the diversity of businesses. Meanwhile, the CVSS utilizes standardized measurements to rank vulnerabilities. There are three categories, which the CVSS use to evaluate vulnerabilities first is base, second temporal, and finally environmental. Within these, there are several sub categories all of which meticulously sort out various vulnerabilities into a ranking system.

Both the US-CERT Vulnerability Notes Database and the CVSS allow for a type of ranking of vulnerability severity. By using these systems, organizations can determine which vulnerabilities are most likely to affect their applications in the most severe way. It follows that these organizations will then be able to prioritize by remediating the most critical vulnerabilities likely to affect their systems first.