Increasing digital connectivity and opportunities mean that security requirements for IT systems are becoming more and more complex. The standardized Common Vulnerability Scoring System (CVSS) helps companies assess the severity of IT vulnerabilities. We show you how the CVSS scoring system works and explain why the risk posed by vulnerabilities should be assessed individually for each company.
CVSS: The Common Vulnerability Scoring System
The Common Vulnerability Scoring System can be used to measure how vulnerable an IT system is based on certain factors. It was developed in 2005 by a working group of the US Department of Homeland Security, the National Infrastructure Advisory Council (NIAC). Since then, the CVSS has been continuously developed and improved in cooperation with large companies and organizations from the IT sector and has established itself as a fixed standard.
This is how the CVSS works
Using a uniform rating scale, ascending from “none” and “low” through “medium” to “high” and “critical”, companies can use the Common Vulnerability Scoring System to evaluate security gaps in their IT landscape and assign each of them to a category. Defined benchmarks and criteria determine not only the classification but also the severity of a vulnerability – depending on the area in which a vulnerability is identified, the CVSS serves as a standardized reference value that must be applied to the specific circumstances. In addition to the severity, the CVSS can also be used to estimate the assumed probability that a cyber attack will occur as a result of these vulnerabilities. If all factors are included in the calculation, the CVSS can also be used to estimate the potential extent of damage. This gives companies a precise overview of the risk factors in their IT systems, allows them to compare the individual vulnerabilities and then derive security measures, so that optimization potential is exploited efficiently.
CVE vs. CVSS: Naming and rating
While the CVSS is used to assess risk factors in the IT sector, the Common Vulnerabilities and Exposures (CVE) list is used to unambiguously name known vulnerabilities and security gaps in a system or product. The CVE system uses a fixed pattern to ensure that there is no duplication or confusion when naming threats. The name is composed of the abbreviation CVE, the year in which the problem is discovered, and a sequential number that precisely identifies the vulnerability. For example, the identifier of the recently disclosed critical Log4j vulnerability is CVE-2021-44228.
Each reported vulnerability is assigned a unique identification number in order to educate users about potential risks and catalog the vulnerability. However, the number of vulnerabilities says nothing about the quality of the products, especially since large manufacturers usually have a large number of offerings and thus the probability of vulnerabilities also increases. CVSS and CVE are thus not directly related to each other and can be used independently.
Calculation of the CVSS score
In order to determine how severe a vulnerability is and, accordingly, how high its CVSS score is, various criteria must be taken into account in the calculation. The score consists of three main metric groups: Base Score, Temporal Score and Environmental Score. Each group is made up of several metrics, such as integrity or availability. The groups can influence each other and have to be adjusted depending on the business environment and developments over time. There are predefined choices for each metric, which together result in a score between 0 and 10, where 0 describes no risk and 10 the highest risk.
1. CVSS Base Score: Calculate hazard potential
The Base Score describes how dangerous an IT security vulnerability is and how high the potential is for it to be exploited for cyberattacks. The calculation is based on the essential technical characteristics of a vulnerability: The exploitability metrics, for example, describe the conditions under which an attack can occur. The impact metrics, on the other hand, can be used to determine the extent of damage. The scope metric is used to determine whether an attack has an impact on components of other systems. The base score is determined once for each vulnerability – usually by the person who discovers the vulnerability, the manufacturer of the product or IT specialists.
2. CVSS Temporal Score: Identifying vulnerabilities
The Temporal Score summarizes changes over time that can influence the exposure to certain vulnerabilities. The Temporal Score can increase, for example, when the Exploit Code Maturity metric records that a vulnerability that had previously only been described is now actually being exploited. Manufacturers use Report Confidence to officially confirm the vulnerability and name it with a unique CVE ID. To influence the Temporal Score positively, many manufacturers also provide a fix for the problem and thus improve the Remediation Level, one of the three Temporal metrics, which lowers the score.
3. CVSS Environmental Score: Increase IT Security
With the Environmental Score, the values can be specifically adapted to your own IT architecture and system environment. To do this, it is important to analyze in advance which systems are urgently required for trouble-free operation. These are taken into account as relevant factors in the calculation. The IT protection goals already discussed in the Base Score are used for this purpose: What measures are necessary and already in use to increase the company’s own IT security and protect confidential information? Depending on the extent to which the protection goals could be violated by a cyber attack, the CVSS score is increased or can be subsequently lowered.
Correctly assess CVSS evaluation and risks
Once the CVSS scores have been used to assess the company’s own security level, they can be added up to an overall score. Many companies consider the results listed as the most important basis for action for their own IT risk management. However, the dangers they pose should be assessed individually for each company. In practice, it is seen time and again that a vulnerability in the medium risk category (criticality), for example, can be especially risky for a particular company and should therefore be given priority.
Specialized service providers such as DGC provide the expertise required for this assessment and support with tailored security consulting as well as comprehensive attack monitoring and defense. With the help of the cyberscan.io® vulnerability scanner, the security experts in the so-called Cyber Defense Operations Center (CDOC) monitor various sources on a daily basis and indicate which vulnerabilities need to be addressed immediately and what priority should be given to further vulnerability reports. In this way, companies always have an eye on the performance of their systems, identify risks at an early stage and can proactively protect their data against threats from the network.
If you have any questions on this topic or would like to learn more about our services and solutions, please do not hesitate to contact us via our contact form.