The Common Vulnerability Scoring System (CVSS) is increasingly indispensable in the security of organizations, providing a way to capture the key characteristics of a vulnerability and produce a numerical score reflecting its severity.
This article explains what CVSS is, what it is used for and how its score is calculated.
What is CVSS?
The Common Vulnerability Scoring System or CVSS is a scoring system that allows the severity level of a security flaw to be numerically defined. This tells researchers how damaging it is to exploit the vulnerability.
The numerical score can be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.
For an attacker, high vulnerability scores mean an opportunity to seriously damage a target. To an ethical hacker, the base score indicates how alarming the characteristics of a vulnerability are.
How is the CVSS calculated?
CVSS expresses the impact of a vulnerability on a scale from 0 to 10. Severity is considered low if the score obtained after applying the CVSS formula is between 0.0 and 3.9, medium if the result is between 4.0 and 6.9, and high when the score falls within the range 7.0 to 10.0.
To calculate the score of a vulnerability, CVSS uses three groups of metrics: base, temporal and environmental. Each group is in turn made up of a set of individual metrics, as we will see below.
1. Base metrics
Base metrics represent the intrinsic characteristics of the vulnerability, which are constant over time and across user environments.
They include the access vector, access complexity and authentication metrics, which together define how a vulnerability can be reached and what conditions must be met to exploit it.
The three impact metrics measure how a vulnerability, if exploited, directly affects IT assets. Each impact is determined independently as the degree of loss of confidentiality, integrity and availability, since a vulnerability could cause a partial loss of integrity and availability while not affecting confidentiality at all.
2. Temporal metrics
These represent the characteristics of a vulnerability that may change over time but are constant across user environments.
Since the risk posed by a vulnerability may change over time, three factors are taken into account: exploitability, the remediation level and report confidence. Together they cover whether code or techniques that allow exploitation are available, whether a fix exists, and how well the technical details of the vulnerability have been confirmed.
These metrics are optional: each includes a value that has no effect on the score, for use when a user considers that a particular metric does not apply and wants to omit it.
3. Environmental metrics
These metrics represent the characteristics of a vulnerability that are relevant and unique to a particular user’s environment.
They exist because the environment in which a vulnerability is found can greatly influence the risk it poses to an organization. This group of metrics therefore focuses on the characteristics of a vulnerability that depend on the user's environment: collateral damage potential, target distribution, and the confidentiality, integrity and availability requirements.
Like the temporal metrics, they are optional, and each has a value with no effect on the assessment, used when a user considers that a particular metric does not apply and omits it.
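The following calculator is an added example, not code from the article or from the CVSS project. The metric names the article uses (access vector, authentication, target distribution, collateral damage potential) belong to CVSS version 2, so the script implements the v2 base, temporal and environmental equations and the severity bands quoted above (low 0.0-3.9, medium 4.0-6.9, high 7.0-10.0). The numeric weights are assumed from the CVSS v2 specification tables, the "ND" (not defined) values are the no-effect values described for the optional metric groups, and the sample vectors are constructed for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 metric weights (assumption: as published in the CVSS v2 specification).
BASE = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},    # Access Vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},     # Access Complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},    # Authentication
    "C":  {"N": 0.0, "P": 0.275, "C": 0.660},    # Confidentiality impact
    "I":  {"N": 0.0, "P": 0.275, "C": 0.660},    # Integrity impact
    "A":  {"N": 0.0, "P": 0.275, "C": 0.660},    # Availability impact
}
# Optional groups: "ND" is the value that leaves the score unchanged.
TEMPORAL = {
    "E":  {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},   # Exploitability
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},  # Remediation Level
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},             # Report Confidence
}
ENVIRONMENTAL = {
    "CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},  # Collateral Damage Potential
    "TD":  {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},            # Target Distribution
    "CR":  {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},                       # Confidentiality Requirement
    "IR":  {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},                       # Integrity Requirement
    "AR":  {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},                       # Availability Requirement
}
ALL = {**BASE, **TEMPORAL, **ENVIRONMENTAL}


def round1(x):
    """CVSS rounds to one decimal, half up; go through Decimal so 9.15 -> 9.2, not 9.1."""
    return float(Decimal(str(round(x, 10))).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector):
    """Turn 'AV:N/AC:L/Au:N/C:N/I:N/A:C[/E:F/...]' into {metric: weight}; optional metrics default to ND."""
    weights = {name: table.get("ND") for name, table in ALL.items()}
    for part in vector.split("/"):
        name, _, value = part.partition(":")
        if name not in ALL or value not in ALL[name]:
            raise ValueError(f"unknown metric or value: {part!r}")
        weights[name] = ALL[name][value]
    missing = [name for name in BASE if weights[name] is None]
    if missing:
        raise ValueError(f"base metrics are mandatory, missing: {missing}")
    return weights


def _impact(w, cr=1.0, ir=1.0, ar=1.0):
    # Impact sub-score; the cr/ir/ar multipliers are 1.0 unless environmental requirements are set
    return 10.41 * (1 - (1 - w["C"] * cr) * (1 - w["I"] * ir) * (1 - w["A"] * ar))


def _base_from_impact(w, impact):
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0 if impact == 0 else 1.176  # a vulnerability with no impact scores 0
    return round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def base_score(vector):
    w = parse_vector(vector)
    return _base_from_impact(w, _impact(w))


def temporal_score(vector):
    w = parse_vector(vector)
    return round1(base_score(vector) * w["E"] * w["RL"] * w["RC"])


def environmental_score(vector):
    w = parse_vector(vector)
    # The impact is recomputed with the CIA requirements, capped at 10, then fed back through
    # the base and temporal equations before collateral damage and target distribution apply.
    adjusted_impact = min(10.0, _impact(w, w["CR"], w["IR"], w["AR"]))
    adjusted_base = _base_from_impact(w, adjusted_impact)
    adjusted_temporal = round1(adjusted_base * w["E"] * w["RL"] * w["RC"])
    return round1((adjusted_temporal + (10 - adjusted_temporal) * w["CDP"]) * w["TD"])


def severity(score):
    """Qualitative band used in the article: low 0.0-3.9, medium 4.0-6.9, high 7.0-10.0."""
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    return "high"


if __name__ == "__main__":
    # Constructed sample: remotely reachable, no authentication, complete loss of availability only.
    vec = "AV:N/AC:L/Au:N/C:N/I:N/A:C"
    print("base", base_score(vec), severity(base_score(vec)))
    print("temporal", temporal_score(vec + "/E:F/RL:OF/RC:C"))
    print("environmental", environmental_score(vec + "/E:F/RL:OF/RC:C/CDP:H/TD:H/CR:M/IR:M/AR:H"))
```

Note how the same vulnerability moves between bands: the base score alone puts it in the high band, a functional exploit with an official fix available pulls the temporal score into the medium band, and high collateral damage potential across a widely deployed target pushes the environmental score back up. That is exactly why the article treats the optional groups as a way to express an organization's own exposure rather than the flaw's intrinsic severity.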
Benefits of using CVSS
Using CVSS has several benefits. Mainly, it produces standardized vulnerability scores, which make it possible to apply consistent criteria to vulnerability management.
In addition, because it is an open framework, the individual characteristics of the vulnerability that go into the score are known. Finally, once the score is calculated, the vulnerability becomes representative of the risk it poses to the organization, so users know how important it is relative to others.
The CVSS is an open framework for communicating the characteristics and severity of software vulnerabilities.
You have now learned what CVSS is, how it is calculated and what this assessment is used for in computer security. Now it’s time for you to find vulnerabilities and improve cybersecurity.
Now is the time!