CVSS scores are not enough for modern cybersecurity defense
Relying on CVSS scores to estimate the risk to security may be placing individuals and the enterprise at greater risk than believed, researchers say.
The Common Vulnerability Scoring System (CVSS) is a way to document and measure a software vulnerability's risk factors. CVSS has undergone a number of evolutions with the latest being CVSS V3 -- which includes some contextual data -- but many businesses still rely on the system's base score, which only includes a severity rating based on the technical details of the flaw.
However, without additional data, IT staff may not be addressing a vulnerability's true scope and risk, and therefore, patching priorities may be affected.
After evaluating over a million unique vulnerabilities and more than 76,000 vulnerabilities contained in the National Vulnerability Database over a 20-year-period, researchers from NopSec concluded that CVSS scores are simply "not enough" to evaluate today's threats properly, and the enterprise must take contexual information into account to prevent future data breaches and successful cyberattacks based on software flaws.
According to NopSec's 2016 State of Vulnerability Risk Management report, it now takes contextual data to truly evaluate risks in relation to software vulnerabilities, networks and the enterprise as a whole.
By including information such as social media trends, data breaches, research and the ways in which a business may be affected, security professionals can use CVSS scores amongst "better risk evaluation and prioritization."
"Vulnerability management and mitigation can be more effective and prioritized on vulnerabilities used by malicious attackers in the wild where critical assets are exposed," said FireEye Labs' Director, Geok Meng Ong.
NopSec says that CVSS scores by themselves are a "weak foundation" for risk-driven automatic services used in the enterprise to keep systems up-to-date, as the factors the score is based on -- Authentication, Access Vector, Access Complexity, Confidentiality Impact, Availability Impact, and Integrity Impact -- do not necessarily represent the true risk of a vulnerability.
Enterprise players will often act to patch vulnerabilities with CVSS scores reaching nine or ten, the highest ranks, but "only a small subset of vulnerabilities are associated with known and publicly documented attacks," according to the firm.
As a result, patch systems are flawed and what is roughly 25 percent of vulnerabilities due for patches which are being actively exploited in the wild may not be resolved as a priority.
"In effect, the CVSS score blurs the distinction between practical and theoretical risk," the report says. "Relying exclusively on the CVSS score leads to a higher volume of 'critical' vulnerabilities to sort through -- and less ability to effectively prioritize the highest risk vulnerabilities."
In addition, the report, developed in tandem with FireEye, suggests that social media is now a "top platform" for cybersecurity. The microblogging platform is used to promote vulnerability disclosures, proof-of-concept (PoC) evidence and increase awareness of the latest threat discoveries.
NopSec says that messages concerning vulnerabilities associated with malware which is in the wild are tweeted a total of nine times more than security flaws with just a public exploit -- as well as up to 18 times more than "all other vulnerabilities."
The researchers also say that cyberattackers now care less about the difficulty of pulling off an attack using a vulnerability and far more about the potential reach of a flaw -- and exploit kits using these vulnerabilities are becoming more sophisticated than ever, with Microsoft, Adobe and Java leading the underground markets.
"Relying only on the CVSS score to drive prioritization for applying patches needs to change. Organizations need to align the patching methodology to the infrastructure risk, business risk and change risk," said Arnold Felberbaum, Strategic Advisor to NopSec.
"CVSS needs to be complemented with industry intelligence, social media and measures already operating. Organizations need to recognize that it is not about 'if' a patch needs to be applied but when. Patching consumes resources and automation can reduce the resource drain."