CISA’s KEV additions: Stay on top of the recently added CVEs, and how to fix them | Read more >>

Q1 Vulnerability Watch: Discover the notable vulnerabilities from Q1 2023 and start Q2 more secure | Get the report >>

The CyberRisk Summit is back: Join us on May 23 to learn how cyber risk experts put vulnerability risk in context | Get your free ticket >>

Why CVSS scores aren't enough

Rhett | May 02, 2019

The number of vulnerabilities uncovered daily has long exceeded what security teams can possibly address. The key to success in vulnerability management no longer lies in patching everything, but rather in making judgment calls and deciding which vulnerabilities to address and which to ignore.

Faced with this onslaught, CISOs and Vulnerability Managers need to pick their battles carefully. To do that, teams in charge of deploying patches need tools to prioritize their work. One such tool is CVSS scoring.

CVSS Scoring and the Old Vulnerability Management Paradigm

CVSS scoring was conceived as a way to streamline the exchange of information about vulnerabilities between industry stakeholders. By assigning each vulnerability a severity score from 1 to 10, CVSS attempts to establish an objective measure of the severity of any given vulnerability. It takes into account a range of criteria such as access vector, attack complexity, authentication requirements and impact, among others.

As a tool for information exchange, CVSS scoring is extremely valuable. However, the main issue is that the CVSS scores are often used for far more than they were originally intended. In some organizations, vulnerability management amounts to nothing more than scanning for vulnerabilities and prioritizing remediation efforts by CVSS scores. This approach is deeply problematic for several reasons.


The Shortcomings of CVSS Scoring as a Risk-Management Tool


1. CVSS score is not a measure of actual risk

The main issue is that the vulnerability itself, when taken out of context, should not be equated to risk. In and of themselves, CVSS scores reflect technical exploitability. However, it is important to understand that technical exploitability and active exploitation are not the same.

Quite often, vulnerabilities with high scores may not be the ones that end up being exploited in the wild. For one, a high CVSS score doesn’t automatically suggest that a vulnerability is easy to exploit or that the attack vector required to carry out an attack is accessible. So a high CVSS score does not at all translate into the likelihood that a particular vulnerability will end up being exploited.

For example, while many CISOs were frantically patching their systems against the “catastrophic” Meltdown and Spectre vulnerabilities, those security flaws had not been actively exploited at the time. Blinded by the high CVSS scores, organizations and vendors rushed to release untested patches, often with detrimental consequences.

In times of widespread panic, it is essential to remember that the tech industry tends to declare particular vulnerabilities “critical” due to their extreme technical severity, but the CVSS score doesn’t reflect the potential impact, nor the likelihood of exploitation.

Failing to address circumstances such as context and timing, CVSS ends up being nothing more than a theoretical conjecture, not grounded in realities facing your particular organization.

2. Not taking your Environment into Account

Industry expert Ben Rothke points out a crucial flaw in CVSS scoring: “While CVSS can be a powerful indicator, it – like all generic values – is generalized. For the best efficacy, it needs to be customized to the specific entity using it. But the reality is that most organizations don’t do that.”

The fact of the matter is that vulnerabilities, even the ones scored as critical, can be completely unexploitable within your particular organization or may require an attack vector that simply doesn’t exist in your environment.

Nor does a high CVSS score mean that potential attackers would consider the vulnerability worthwhile to go after. Threat actors exploit vulnerabilities with particular goals in mind, not simply because a vulnerability exists. Would-be attackers prioritize vulnerabilities that help them reach their goals, so the vulnerabilities with high CVSS scores are not necessarily the ones that end up being exploited.

The first priority should always be to protect your critical assets, such as sensitive data or applications that are core to your business. Context here is king, as even vulnerabilities that are not ranked as critical or high can be exploited to devastating effect. So simply relying on the CVSS score without assessing the criticality of vulnerabilities within the particular context can leave your organization exposed.

3. The importance of threat intelligence

CVSS scores do not reflect the true complexity of vulnerabilities: the situation on the ground, the threat actors and exploits that exist in the wild, or the likelihood of exploitation of any particular vulnerability.

To correctly prioritize vulnerabilities, security teams need to consider any given vulnerability within the broader context at a particular point in time. That means that a vulnerability management program worth its salt must take into account multiple sources of threat intelligence, instead of relying on any one metric.


The ultimate goal of a Vulnerability Management program is not to patch vulnerabilities with the highest CVSS scores, but rather to identify and resolve the most critical threats facing the organization.

Relying on CVSS for vulnerability management is likely to cause security teams to squander resources on patch cycles that focus on low-impact, low-probability issues and prioritize technically severe vulnerabilities that don’t actually pose the biggest threat to the environment.

Cybersecurity teams need to stop relying solely on CVSS scores and find robust tools that take into account their particular environment and the complexities of the real world. For greater context, teams today are also turning to frameworks like EPSS. EPSS is a transparent, data-driven initiative that strives to estimate the likelihood of a software vulnerability being exploited in real-world scenarios. In contrast, CVSS prioritizes the inherent qualities of vulnerabilities, resulting in a severity score. You can read more about the relative advantages and disadvantages of EPSS here.
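To make the argument concrete, the following added example (not code from Vulcan Cyber or from the EPSS or CVSS projects) ranks the same four findings by CVSS alone and by a contextual score that multiplies exploitation likelihood, technical severity and asset criticality. The finding ids, sample values, the `UNREACHABLE_DISCOUNT` constant and the scoring formula itself are assumptions chosen for illustration, not a standard.

```python
from dataclasses import dataclass

# Assumed discount applied when the required attack vector does not exist
# in this environment (illustrative value, not taken from any standard).
UNREACHABLE_DISCOUNT = 0.1

@dataclass(frozen=True)
class Finding:
    vuln_id: str            # placeholder id, constructed for this example
    cvss: float             # CVSS base score
    epss: float             # EPSS probability of exploitation, 0.0 to 1.0
    known_exploited: bool   # e.g. listed in a catalog such as CISA KEV
    asset_criticality: int  # 1 (low) to 5 (core to the business), set locally
    reachable: bool         # attack vector actually exists in this environment

def contextual_risk(f: Finding) -> float:
    """Likelihood x technical severity x business impact, each scaled to 0..1."""
    # Observed exploitation outranks any estimate of future exploitation.
    likelihood = 1.0 if f.known_exploited else f.epss
    if not f.reachable:
        likelihood *= UNREACHABLE_DISCOUNT
    return likelihood * (f.cvss / 10.0) * (f.asset_criticality / 5.0)

def rank_by_cvss(findings):
    """Ids ordered the way a CVSS-only program would patch them."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

def rank_by_risk(findings):
    """Ids ordered by the contextual score defined above."""
    return [f.vuln_id for f in sorted(findings, key=contextual_risk, reverse=True)]

# Constructed sample findings; none of these values describe a real CVE.
FINDINGS = [
    Finding("vuln-A", 9.8, 0.02, False, 2, False),  # critical score, no path to it
    Finding("vuln-B", 6.5, 0.60, True, 5, True),    # medium score, exploited in the wild
    Finding("vuln-C", 7.5, 0.40, False, 4, True),
    Finding("vuln-D", 9.1, 0.05, False, 5, True),
]

if __name__ == "__main__":
    print("CVSS order:", rank_by_cvss(FINDINGS))
    print("Risk order:", rank_by_risk(FINDINGS))
    for f in FINDINGS:
        print(f.vuln_id, round(contextual_risk(f), 6))
```

With this sample data the two orderings are exact opposites: the finding a CVSS-only queue patches first is the one the contextual score places last.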

For maximum visibility, the Vulcan Cyber platform creates a full view of the exposures in your particular environment by integrating all vulnerability detection systems, IT and DevOps tools that are used throughout your organization. By prioritizing the vulnerabilities in your environment (your infrastructure, the applications running on top of it, and the code that compiles them), the Vulcan platform helps you concentrate on the risks that are most critical to your business and should be remediated first. Then, through automation, the Vulcan platform enables security teams to complete the cyber hygiene lifecycle by remediating the vulnerabilities at scale, removing the threats from the environment.
