What Is CVSS
The Common Vulnerability Scoring System (CVSS) is an open standard for scoring the severity of software vulnerabilities, maintained by FIRST.org. CVSS expresses severity through three top-level metric groups: base, temporal, and environmental:
Base Metrics
On the base level, you’ll see a score that ranges from 0 to 10 (which the other two groups can then adjust). Base metrics, in a nutshell, capture the intrinsic characteristics of the vulnerability, the ones that do not change over time or between environments. Base scores are readily available (vendors and vulnerability databases publish them), so enterprises can use them as a starting point for prioritization.
CVSS is meant to provide a pathway to accurate and consistent vulnerability scoring, which is why it has become the de facto standard of measurement. Right now, CVSSv3.1 is the most widely used version, although not everyone has kind things to say about it (we’ll get to that in a bit).
For now, let’s focus on how CVSS works, starting with its scoring methodology, which produces a score from 0.0 to 10.0 in 0.1 increments.
As a system, its two most prevalent use cases are 1) ranking vulnerabilities by the severity of their potential impact on your environment, and 2) deciding which vulnerabilities to remediate first.
This is where it gets complex. For instance, CVSSv3.1 uses an “Attack Vector” metric (called “Access Vector” in CVSSv2) that captures how remote an attacker can be when exploiting the vulnerability, i.e. how hard it is to reach the vulnerable component at all.
Let’s unpack that by considering two situations: one in which the vulnerable component is reachable by anyone over the network, and a second in which the attacker must have physical access to the device. The second situation scores as less severe than the one exploitable over the network, because far fewer attackers are ever in a position to exploit it.
But there are many variables to consider. For example, the Attack Vector metric takes one of four values: Network, Adjacent, Local, or Physical. And there are several more metrics, which we will explore in future CVSS articles.
The important part to focus on is the permutations of scores. That is, is there a unique score for every possible combination of metric values? In short, no. A score of 0.0 to 10.0 in 0.1 increments leaves only 101 possible values, while the eight base metrics have more than 2,000 possible combinations (2,592, to be exact), so many quite different vulnerabilities necessarily land on the same score.
Further, CVSS base metrics comprise three groups: exploitability, scope, and impact. Within these groups are several more sub-metrics, which differ depending on the group. For instance, the “impact” metrics focus on what outcome a successful exploit could achieve, measured as loss of confidentiality (how much data the attacker can read), integrity (how much data the attacker can modify), and availability (whether the attacker can deny use of the affected component, partially or entirely).
Temporal Metrics
There are also “temporal” metrics, which capture the aspects of a vulnerability that change over time: how exploitable it is right now and whether remediation is available. The temporal group contains the following sub-metrics:
- Exploit code maturity: whether working exploit code exists, and how reliable and widely available it is.
- Remediation level: whether an official patch, temporary fix, or workaround is available.
- Report confidence: how certain it is that the vulnerability exists and that the reported technical details are accurate.
Environmental Metrics
With environmental metrics, the score essentially modifies the base group according to a particular enterprise’s characteristics, which may increase or decrease the severity of a particular vulnerability for that enterprise. The sub-levels that make up the environmental group are as follows:
- Modified base metrics: Compensating or mitigating controls in the organization are taken into consideration here, by overriding individual base metric values. For example, is the vulnerable component on a firewall-protected server? On an unused, unconnected server? Or on an internet-connected server with public exposure? The last is of the most severe consequence relative to the former two.
- Security requirements: These weight an asset’s “business criticality” in terms of “confidentiality,” “integrity,” and “availability,” so that a vulnerability on an asset where one of these matters more (or less) than usual scores accordingly. Confidentiality refers to keeping information hidden from unauthorized users. Integrity refers to the ability to protect information from being altered. Availability means how accessible information is to authorized users.
Acknowledging that we’re only scratching the surface of what CVSS is and how it’s used to prioritize vulnerabilities, we’d be remiss not to mention how limited the base score is in accounting for real-world exploitation and other mitigating factors.
CVSS Criticisms
Criticisms of the Common Vulnerability Scoring System generally fall into two groups: criticisms of CVSS as a method of identifying risk, and criticisms of CVSS as a scoring system. Let’s get into some specific complaints…
- The Attack Vector is not well-defined. For example, paradoxes arise when you consider a vulnerability in a PDF reader: it is scored “Local” if the user downloads the file and then opens it, but “Network” if the browser renders the same file directly.
- The Attack Complexity criterion overlaps with the temporal score. Changes over time are meant to be isolated in the temporal group; however, in practice the base score tends to evolve as an exploit moves from hypothesis to the real world, which is only supposed to happen in the temporal score.
- The concept of “Scope” is confusing. This is partly because different equations are used depending on whether Scope is Unchanged or Changed.
- “High” and “Low” levels of granularity for Attack Complexity are insufficient. Compare that to CVSSv2, which had three levels of “Access Complexity” (Low, Medium, High).
- CVSSv3.1 consistently scores higher than version 2. This inflates the workload for admins who triage by score.
These are just some of the many criticisms of CVSS; there are others to be found.
Perhaps the most important criticism is this: a scoring system should be one input to how you prioritize threats, not the only one.
Yet many enterprises misuse CVSS as a ranking of risk, when what it measures is severity. CVSS fails to account for much of the context around a vulnerability, such as how vulnerabilities can be chained, nor does it assess impact in a way that reflects how people might actually be affected.
The Future of CVSS
Criticisms or not, dissent is what leads to improvements down the line, which we’ll very likely see in the next iteration of CVSS. However, from what I’ve been able to glean from my readings, CVSSv4 will likely not depart from its predecessors in a meaningful way. That is, its core construction will remain in place, and many of its proposed changes mostly comprise tweaking or adding variables and their values.
As we head into the future, and as every datapoint and workflow in the world exists on a computer somewhere, securing those systems via cybersecurity solutions will become increasingly vital. In other words, a once-niche industry has blossomed into a burgeoning, $150-plus billion business that constitutes dozens of multi-billion-dollar companies.
To date, this industry has experienced astonishing growth. But it is nothing compared to what will come over the next decade.
The COVID-19 pandemic accelerated the global digital adoption. Such an acceleration sparked a surge in the volume of digital data and workflows in need of security. And in response to that surge, countries and companies alike significantly upped their spending on cybersecurity systems in 2021.
But the conflict in Eastern Europe has added a ton more fuel to the fire.
The reality is that the war between Russia and Ukraine (or, perhaps increasingly more accurately, the rest of the world) has emphasized that modern warfare is cyberwarfare.
And it will only escalate from here.
As it does, so will the need for education around scoring systems, and how best to use them in the context of your enterprise’s specific environment. For instance, we use several scoring systems to set a baseline for criticality, but it’s important to consider how that score may change depending on your enterprise.
A lot of vulnerability management companies do not consider such context, and that’s a huge mistake. We’re hopeful that the next iteration of CVSS addresses such limitations... but even so, it will always remain important to consider your specific context and adjust how your threats are prioritized accordingly.