The general consensus in the industry is that CVSS is not sufficient for effective vulnerability scoring. However, when we conducted a survey recently of IT professionals in the US and UK, we were shocked to discover that so many use it anyway.
If you are in this camp, we believe this is a very dangerous approach and we implore you to read on to understand why. And hopefully we can convert you to adopt a better method!
‍
CVSS, which stands for Common Vulnerability Scoring System, was created as a free and public framework for assessing the severity of security vulnerabilities. It works by scoring each from 0 to 10, with 10 being the most severe and it bases this scoring on a vulnerability’s exploitability, impact and the availability of remediating controls, such as a patch. Â
Because each new scan a company runs can identify hundreds of new vulnerabilities, the CVSS can be seen as a quick and simple way of understanding which need to be prioritised and which can be set aside to tackle at a later date. Â
Let’s now talk about why this is not good enough.
‍
The CVSS is created based on information provided by vulnerability bulletin analysts, security product vendors, application vendors and other users. This broad range of contributors has been established because they are considered to be most capable of understanding the characteristics of a vulnerability and assessing its potential impact. However, this insight is determined based on the “expert’s” experience of the vulnerability within their own environment… An environment that could bear no resemblance whatsoever to your company’s.
To use an example to explain this, let’s say that one of the groups we’ve described above has an office based workforce who all rely on a certain system and network to do their daily tasks. A vulnerability is identified that could corrupt that system so the expert gives it a score of 10. You also use that system but it’s solely used to operate a printer in an office that is now closed for the next six months while you carry out refurbishments. It’s therefore not important but, as a follower of CVSS, you see that it is to be treated as highly critical and respond accordingly, perhaps pushing more pressing risks down the priority list. Â
With some vulnerabilities requiring weeks to fix, can you afford to be prioritising the wrong ones?
Your business is a unique formation of employees, assets, apps, systems and priorities and your vulnerability scoring system needs to reflect that. You need to be able to take into consideration how well each and every vulnerability could be exploited in your environment and how many of your users would be affected. Only then can you effectively prioritise it in terms of criticality to your business.
‍
Every IT security team is facing a skills shortage. This is not just because the industry as a whole has a massive skills gap; but because with so many vulnerabilities being identified, the time required to remediate each one far exceeds the time available. Period.
Your team is probably already under pressure and may even be heading for burnout so what you need is a highly sophisticated way of prioritising that takes into account how many people are in your team, and how experienced or skilled they are so that you can best manage the pressures placed on them.
CVSS doesn’t do this. What it might do is add to the pressure.
So, if it tells you that of the 300 new vulnerabilities identified today, 90% of them are critical, just how are you going to get the team through it all without somebody running for the door?  What you need to be able to do is prioritise that 90% even further but CVSS doesn’t give you the information with which to do that.
We have heard of some cases where teams use CVSS as a starting point and then build quite complex scoring systems on top to factor in many other bits of data before coming to a final score. We believe this just adds to the admin and may end up confusing matters even further. It’s also unnecessary when there are prioritisation platforms available that have the most-up-to-date and advanced threat intelligence built in to do the job for you.
‍
One of the supposed pros of using CVSS is that it can save you time by giving you an instant score for each vulnerability facing your business. The problem with this is that you still have to work through each vulnerability to put them in order and assign remediation responsibilities to members of your team. In other words, the manual triage – which can take hours each day to complete – is still there.
When every minute of potential remediation time is so precious, and there are more accurate ranking systems that provide you with a prioritised list in minutes, surely CVSS isn’t worth continuing with?
Cybersecurity is growing in importance and professionals within the industry hold highly coveted skills and experience. When you think that the impact of a breach can cost millions of pounds, place thousands of consumers’ data in dangerous hands or cause companies to close their doors forever, every cybersecurity professional is doing an incredibly important job.
That is why RankedRight, and so many other companies like us, created state-of-the-art products and platforms to help you do the best work you can. You shouldn’t have to use mediocre systems and methods to protect your company. You deserve better than CVSS.
‍
When it comes to business risk you can’t rely on standardised scoring or secret algorithms, nor can you spend all your time on manual triage.
RankedRight is the triage tool that automatically ranks vulnerabilities based on the rules set by its user, factoring in what is critical to the business, and delegating it to the most appropriate person to resolve. We enrich your scan data with vulnerability intelligence and give you control of how to prioritise your risk.
This means you spend less time on vulnerability administration and more time on keeping your company safe.
Why not sign up for a trial to see how it compares with your current CVSS and manual triage efforts? Our mission is to enhance the way you work. Let us help you do that.
‍