Ask the Expert: Why is CVSS not enough?
Kirk Hogan, Chief Innovation Officer at Iceberg Networks and Allan Liska, CSRIT at Recorded Future, sat down to answer some questions that they are hearing about how organizations can prepare for all levels of vulnerability, including how to get the best vulnerability prioritization, knowing where to look for vulnerabilities and in fact, if they are the MOST critical, as well as how to inject best practices of management and tools to help organizations elevate their approach. The following is an edited transcript of the conversation.
Allan Liska: CVSS scores actually do something that’s pretty amazing. They allow you to compare the severity of a vulnerability across multiple platforms, which is great, something that hadn’t happened before CVSS was around. So you never knew, hey, this vulnerability in this Adobe product, how does that compare to this vulnerability in Oracle, for example. It gave us a common language to speak with. What CVSS doesn’t do (and which it’s unfortunately being used as today) is it doesn’t actually express risk. It looks like it expresses risk, right? If you look at it, really, from like a 5000 foot view — for example, it could something like, this is a remote code execution, so clearly, that’s a higher risk than something that’s an elevation of privilege. But there’s actually a lot more that goes into what constitutes the risk of a vulnerability. And that’s really where CVSS falls short. But we’re using CVSS as a risk score, because for a lot of organizations, that’s the only measurement they have for a vulnerability. And so they have to use it as a risk score —and that’s really where we start to get into trouble with CVSS, as our only tooling for, for measuring vulnerability.
Kirk Hogan: Allan, when you talk about CVSS is not a risk score, I actually think maybe it’s being used as the ENTIRE calculation, as opposed to what I think it was originally intended for, as a PART of a calculation. And unfortunately, people get busy so they use what they have, and it does become default to the only way they use to organize their vulnerabilities.
Allan Liska: And I think that’s a really good point. I mean, if you have two vulnerabilities — let’s say you have a vulnerability in Microsoft Exchange, and a vulnerability in squirrel mail. And both of those are have CVSS scores of nine. Generally speaking, the vulnerability in Microsoft Exchange is going to be much more critical, because it’s going to impact more people than squirrel mail will. Now, in your organization, that calculus may change — you may have invested heavily in squirrel mail, and that is what is being used across your entire environment. And so then that becomes a much more critical risk to you. So, I think, having that as an isolated number doesn’t help if you don’t know what your own situational awareness is, what your own risk is, as well as what kind of other protections you have in place.
Kirk Hogan: And I think this is a really salient point we need to drive home — this conversation is not whether CVSS is good or bad. CVSS is very good. But it is a vulnerability snapshot, WITHOUT the context of your organization. How could that score encompass all the nuances of your organization — the score takes into consideration commonality across industries and then provides that severity rating to work with. But the next step is really to consider what is the organizational context.
The post Ask the Expert: Why is CVSS not enough? appeared first on Iceberg Networks.
*** This is a Security Bloggers Network syndicated blog from Risk Intelligence Academy – Iceberg Networks authored by Joanne Kiskis. Read the original post at: https://icebergnetworks.com/ask-the-expert-why-is-cvss-not-enough/?utm_source=rss&utm_medium=rss&utm_campaign=ask-the-expert-why-is-cvss-not-enough
