Vulnerability Scoring System – Vulnerability scoring systems and vulnerability databases are used by security analysts to rank information system vulnerabilities, and to provide a composite score of the overall severity and risk associated with identified vulnerabilities.

Vulnerability databases collect and maintain information about the vulnerabilities present in information systems. This section discusses the Common Vulnerability Scoring System (CVSS) and vulnerability databases such as Common Vulnerabilities and Exposures (CVE) and the National Vulnerability Database (NVD).

Common Vulnerability Scoring System (CVSS)

Source: FIRST.org

CVSS is a published standard that provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. Its quantitative model ensures repeatable, accurate measurement while letting users see the underlying vulnerability characteristics that were used to generate the scores.

Thus, CVSS is well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability impact scores. Two common uses of CVSS are prioritizing vulnerability remediation activities and calculating the severity of vulnerabilities discovered on one’s systems. The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities.

CVSS provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.

A CVSS assessment consists of three metric groups for measuring vulnerabilities:

  • Base Metrics – These represent the inherent qualities of a vulnerability.
  • Temporal Metrics – These represent the features that keep changing during the lifetime of a vulnerability.
  • Environmental Metrics – These represent the characteristics of a vulnerability that depend on a particular environment or implementation.

Each metric group produces a score from 1-10, with 10 being the most severe. A CVSS score is calculated from a vector string, which encodes the values assigned for each metric group as a short block of text. A CVSS calculator ranks security vulnerabilities and gives the user the overall severity and risk associated with each vulnerability.

[Table: CVSS v3.0 ratings (Severity, Base Score Range)]

[Table: CVSS v2.0 ratings (Severity, Base Score Range)]

Common Vulnerabilities and Exposures (CVE)

Source: MITRE.org

CVE is a publicly available, free-to-use list or dictionary of standardized identifiers for common software vulnerabilities and exposures. Using CVE identifiers, or “CVE IDs”, which are assigned by CVE Numbering Authorities (CNAs) from around the world, gives parties confidence that they are discussing or sharing information about the same unique software or firmware vulnerability, provides a baseline for tool evaluation, and enables data exchange for cybersecurity automation.

CVE IDs also provide a baseline for evaluating the coverage of tools and services so that users can determine which tools are most effective and appropriate for their organization’s needs. In short, products and services compatible with CVE provide better coverage, easier interoperability, and enhanced security.

What CVE is:

  • One identifier for one vulnerability or exposure
  • One standardized description for each vulnerability or exposure
  • A dictionary rather than a database
  • How disparate databases and tools can “speak” the same language
  • The way to interoperability and better security coverage
  • A basis for evaluation among services, tools, and databases
  • Free for the public to download and use
  • Industry-endorsed via the CVE Numbering Authorities, the CVE Board, and numerous products and services that include CVE

National Vulnerability Database (NVD)

Source: NVD (nvd.nist.gov)

The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.

The NVD performs analysis on CVEs that have been published to the CVE Dictionary. NVD staff are tasked with analysis of CVEs by aggregating data points from the description, the references supplied, and any supplemental data that can be found publicly at the time. This analysis results in associated impact metrics (Common Vulnerability Scoring System – CVSS), vulnerability types (Common Weakness Enumeration – CWE), and applicability statements (Common Platform Enumeration – CPE), as well as other pertinent metadata. The NVD does not actively perform vulnerability testing; it relies on vendors, third-party security researchers, and vulnerability coordinators to provide the information that is then used to assign these attributes.

