When a new software vulnerability is reported, the infosec team's first job is to determine the risk that the vulnerability poses to their organization. For this, they typically turn to CVSS scores. It's common for the CVSS Base Score to be used to prioritize how quickly they need to respond to the new vulnerability versus the myriad of other vulnerabilities that are open on their systems. For many organizations, this approach represents the foundation of prioritization in their vulnerability management programs.
The problem is that this approach is fundamentally flawed.
The enterprise needs to measure risk, and they have been led to believe that CVSS scores can do that for them. The problem is that CVSS scores don't measure risk. They measure the technical severity of a vulnerability.
Part of the problem is that CVSS scores have been marketed and promoted as a risk prioritization mechanism. The Wikipedia entry for Common Vulnerability Scoring System states, "CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to threat." The word "risk" is never used directly, but the notion that CVSS can be used to "prioritize responses" implies that CVSS is helping to measure risk.
Additionally, several regulatory bodies have built CVSS scores into their compliance schemes, going so far as to require remediation of all vulnerabilities above a certain Base CVSS score in order to remain compliant.
For example, PCI-DSS specifies that "With a few exceptions, any vulnerability with a CVSS base score of 4.0 or higher will result in a non-compliant scan report, and all such vulnerabilities must be remediated by the scan customer." This is accompanied by a very clear graphic on what fails and what does not:
According to the chart, an organization with any medium or high severity vulnerabilities will fail the PCI DSS vulnerability scan. Since only around 5% of vulnerabilities are ever exploited in the wild, potentially 95% of this effort is wasted - effort that could be going towards solving other, more pressing information security issues.
Even the US Department of Homeland Security requires that agencies leverage Base CVSS scores as a mechanism for risk prioritization.
So, what is wrong with using CVSS scores as a risk prioritization mechanism?
- Only a very small fraction of high and critical vulnerabilities are ever exploited in the wild. Given the large number of such vulnerabilities, huge amounts of effort are wasted on remediating vulnerabilities that will never pose a risk to the organization because they will never be exploited.
- Many organizations have compensating controls in place that would mitigate the ability for an attacker to exploit a vulnerability. CVSS provides no mechanism for accounting for those compensating controls.
- CVSS does not take into account the importance of a given asset. It's entirely possible that a medium vulnerability on a mission-critical server should be remediated before a critical vulnerability on the guest check-in kiosk in the lobby of your corporate headquarters.
- CVSS scores only look at known vulnerabilities in software. There are many other issues that represent risk to your organization that also must be accounted for. Vulnerabilities go far beyond CVEs.
- The score you're relying on is probably wrong. CVSS scores rely on the judgment of human assessors, and regardless of training, those assessors are frequently off by several points. Several points on a 10-point scale can mean the difference between a "low" severity vulnerability and a "high" severity vulnerability.
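To make the argument above concrete, here is an added, hypothetical ranking model (not any standard's or vendor's method) that combines the CVSS base score with the factors the list says CVSS ignores: in-the-wild exploitation, asset importance and compensating controls. The weights, the 1-to-5 criticality scale and the sample findings are all assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    vuln_id: str                  # constructed placeholder, not a real CVE id
    asset: str
    cvss_base: float              # technical severity, 0.0 to 10.0
    asset_criticality: int        # assumed scale: 1 (disposable) to 5 (mission critical)
    exploited_in_wild: bool       # is there evidence of real-world exploitation?
    compensating_controls: tuple  # names of controls that block the attack path

CVSS_BANDS = ((9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low"))

def cvss_band(score: float) -> str:
    """Qualitative CVSS v3 severity band for a base score."""
    for threshold, label in CVSS_BANDS:
        if score >= threshold:
            return label
    return "none"
def risk_score(f: Finding) -> float:
    """Likelihood x business impact. Weights are illustrative assumptions, not a standard."""
    # About 5% of vulnerabilities are ever exploited in the wild (the figure used above);
    # a vulnerability with known exploitation is treated as certain to be attempted.
    likelihood = 1.0 if f.exploited_in_wild else 0.05
    # Each compensating control is assumed to remove 70% of the remaining likelihood.
    for _ in f.compensating_controls:
        likelihood *= 0.3
    # Impact scales technical severity by how much the business depends on the asset.
    impact = f.cvss_base * f.asset_criticality / 5.0
    return round(likelihood * impact, 3)

def prioritize(findings):
    """Remediation order by risk, highest first."""
    return sorted(findings, key=risk_score, reverse=True)

def prioritize_by_cvss(findings):
    """The CVSS-only order many programs use today, for comparison."""
    return sorted(findings, key=lambda f: f.cvss_base, reverse=True)

# Constructed sample findings; ids and hosts are placeholders.
SAMPLE = [
    Finding("VULN-A", "payments-db (mission critical)", 5.5, 5, True, ()),
    Finding("VULN-B", "lobby check-in kiosk", 9.8, 1, False, ()),
    Finding("VULN-C", "internal app server behind WAF", 8.1, 4, True, ("waf",)),
    Finding("VULN-D", "departmental file server", 9.1, 3, False, ()),
]
if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{risk_score(f):6.3f}  {cvss_band(f.cvss_base):8}  {f.vuln_id}  {f.asset}")
```

With these inputs the risk-based order is the exact reverse of the CVSS-only order: the medium on the mission-critical database comes first and the critical on the lobby kiosk comes last.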
There is a better approach. New tools on the market take the human factor out of the equation, and take into account all elements of risk, to rank and prioritize security issues facing your organization based on risk to your business. The end result is far less wasted effort and dramatic improvements in your organization's security posture.