In association with heise online

How can I use the CVSS?

Given the above, how can you currently use CVSS in the real world? In its most basic application (ignoring for now the questionable Environmental parameters), the published Base or Temporal scores for the vulnerabilities in hand at any given moment should simply be sorted into descending numerical order and addressed as swiftly as possible from the top of the list downwards, whatever the actual range or absolute values of the scores. Treat it as a relative rather than an absolute ranking system and get on with the job of patching on a continuous basis. Of course the list and its order really have to be updated regularly as new bugs are announced. This is a completely different approach from the widely advocated calendar-interval regime ("patch Tuesday", "medium severity = 1 to 4 weeks"), which is of course in reality patch team workload management, not corporate exposure minimisation (but of course we all really know that, even if we take the easy way out in practice).

Whichever of the two you choose, it is important to be consistent in always using either the Base or the Temporal score in such a simple application, and the Temporal score is to be preferred as it partially reflects whether a fix is available to be implemented. Despite the familiar tendency to bracket ratings into categories such as "critical", "medium" and "low", doing so is not useful given the extra detail offered by the numerical scoring. How do you prioritise among a dozen simultaneous "criticals"? The quite granular numerical scoring method makes it much less likely that a significant number of vulnerabilities on your current list will have exactly the same ranking. Plus, it is a transparent system. You can often see how the score was arrived at, so you might learn something of use for the future.

At a more sophisticated level, the relationship between the Base and Temporal scores can be used to extract further guidance. If the two scores are essentially identical (within 5 per cent or so) this generally indicates that you are more exposed than if the Temporal score is lower than the Base score by, say, 10 to 30 per cent: it means that a viable exploit exists and limited (or no) remediation is available. A bigger difference in the scores indicates that exploits are to some degree unproven or imperfect and/or that a fix at some level is available. So diverging Base and Temporal scores are a flag that the vulnerability should be reviewed to find out the current state of play, and the vulnerability may have to be moved up or down your priority list. This obviously depends on your sources of intelligence updating the Temporal scores, but supposing the information is available, somewhat better prioritisation can result.
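The procedure described in the last three paragraphs, as an added example that is not code from the article or from the CVSS developers: sort the current list by one score used consistently (Temporal by default), and flag each entry by how far its Temporal score has fallen below its Base score. The identifiers and scores are constructed sample data, and the 5 per cent and 30 per cent thresholds are simply the article's rough figures turned into constants.

```python
# Added example, not code from the article: rank a vulnerability list by the
# published Temporal score and flag each entry according to how far its
# Temporal score has diverged from its Base score, as the article describes.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Vuln:
    ident: str       # constructed identifier (internal ticket or advisory reference)
    base: float      # published CVSS Base score, 0.0-10.0
    temporal: float  # published CVSS Temporal score, 0.0-10.0


# Thresholds taken from the article's rough figures: scores within about 5 per
# cent are "essentially identical"; a gap of 10-30 per cent marks a diverging pair.
IDENTICAL_MAX = 0.05
DIVERGING_MAX = 0.30


def divergence(v: Vuln) -> float:
    """Fraction by which Temporal sits below Base; 0.0 when identical.

    Temporal can never exceed Base (its multipliers are all <= 1), so a
    negative value means bad input data and is clamped to 0.0.
    """
    if v.base <= 0.0:
        return 0.0
    return max(0.0, (v.base - v.temporal) / v.base)


def classify(v: Vuln) -> str:
    """Interpret the Base/Temporal relationship for one vulnerability."""
    d = divergence(v)
    if d <= IDENTICAL_MAX:
        return "exposed"            # viable exploit, little or no remediation
    if d <= DIVERGING_MAX:
        return "diverging"          # exploit unproven/imperfect and/or a fix exists: review
    return "widely diverging"       # the Temporal picture has moved a lot: review first


def prioritise(vulns: List[Vuln], key: str = "temporal") -> List[Vuln]:
    """Sort descending by one score, used consistently for the whole list."""
    if key not in ("base", "temporal"):
        raise ValueError("key must be 'base' or 'temporal'")
    # sorted() is stable even with reverse=True, so equal scores keep input order.
    return sorted(vulns, key=lambda v: getattr(v, key), reverse=True)


def worklist(vulns: List[Vuln], key: str = "temporal") -> List[Tuple[str, float, str]]:
    """Ordered (ident, score, classification) tuples, top of the list first."""
    return [(v.ident, getattr(v, key), classify(v)) for v in prioritise(vulns, key)]


# Constructed sample scores (not real advisories).
SAMPLE = [
    Vuln("VULN-A", 10.0, 10.0),
    Vuln("VULN-B", 10.0, 6.7),
    Vuln("VULN-C", 7.5, 6.2),
    Vuln("VULN-D", 6.8, 6.6),
    Vuln("VULN-E", 4.3, 3.2),
]

if __name__ == "__main__":
    for ident, score, cls in worklist(SAMPLE):
        print(f"{ident}  temporal={score:>4}  {cls}")
```

Sorting the same sample by `base` instead leaves VULN-A and VULN-B tied at 10.0, while the Temporal order separates them, which is the article's point about granularity: the ranking only works if you pick one score and stick to it.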

The Environmental score, although at present primitively implemented, can be used to some extent but the existing parameters will tend to return scores on the low side in non-homogeneous environments where individual systems are business critical or where the landscape is not dominated by a small number of platforms or products. It should only be applied by newbies where too many of the Base (or Temporal) scores in the sorted list have the same value and are therefore not effectively ranked, and then only with caution, as local homework will be needed to validate the results.

Better results can be had from the Environmental score if you are prepared to redefine its input parameters to suit your business context. Selection of the appropriate collateral damage parameter must include the cost to the business of a successful exploit, not just the cost of technical damage and remediation. Choice of target distribution parameter must include the business significance of the breached asset: it may be the only server in a couple of hundred that is running a given system, but if that system is business critical the extent of the exposure is much greater than 0.5 per cent. However, unless you already have considerable detailed business intelligence at your fingertips it is probably dangerous at present to rely on the Environmental score, given its large effect on the final result. This is where we most look to the CVSS developers to improve the system. For now, environmental considerations will for the most part probably remain "seat of the pants". However, supposing revision of the Environmental score calculation gets due attention, it promises to become a very powerful tool.

The way forward for the CVSS

So the CVSS has considerable potential as a simple and effective method for vulnerability ranking, but it needs further work to make it more user-friendly and to render the Environmental score more robust and meaningful. The Environmental score parameters need to be redefined to include business impact, which is something that should ideally be done by the CVSS developers rather than ad hoc by individual end users. It is likely that the Environmental score calculation will have to become more sophisticated before its true worth emerges. But from the functional perspective probably the most significant omission is that all the approved calculators currently expect the whole calculation process to be performed in a single operation by selection of the complete set of natural language parameters. None of them allow the end user simply to enter a published numerical Base or Temporal score from which to derive a local Environmental score. At this time the calculation that is most important to the end user must be done "by hand" unless an advisory happens to list the parameters used to derive the published score.
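An added example covering two points from the preceding discussion, written for this page rather than taken from the article or from any approved CVSS calculator: it derives a local Environmental score directly from a published numerical Temporal (or Base) score, the calculation the article says currently has to be done "by hand", and it chooses the collateral damage and target distribution parameters the way the earlier section suggests, with business cost and business significance taken into account. It assumes the CVSS v2 Environmental formula, `Env = round1((T + (10 - T) * CDP) * TD)`, with the security-requirement (CR/IR/AR) adjustment left out because that adjustment needs the Base vector, which in this use case is not to hand. The cost bands in `collateral_damage_for` are a constructed illustration, not a CVSS rule; the sample costs and scores are constructed too.

```python
# Added example, not code from the article: derive a local Environmental score
# from a published Temporal score. Assumption: the CVSS v2 Environmental formula,
#   Env = round1((T + (10 - T) * CDP) * TD)
# with the security-requirement (CR/IR/AR) adjustment omitted, because that
# adjustment needs the Base vector and here only the published score is known.
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 metric weights.
COLLATERAL_DAMAGE = {
    "none": 0.0, "low": 0.1, "low-medium": 0.3,
    "medium-high": 0.4, "high": 0.5, "not defined": 0.0,
}
TARGET_DISTRIBUTION = {
    "none": 0.0, "low": 0.25, "medium": 0.75, "high": 1.0, "not defined": 1.0,
}


def round1(x: float) -> float:
    """Round half up to one decimal, as CVSS does (Python's round() is half-even)."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def environmental(temporal: float, cdp: str, td: str) -> float:
    """Environmental score from a published Temporal (or Base) score."""
    if not 0.0 <= temporal <= 10.0:
        raise ValueError("score must be between 0.0 and 10.0")
    t = float(temporal)
    return round1((t + (10.0 - t) * COLLATERAL_DAMAGE[cdp]) * TARGET_DISTRIBUTION[td])


def target_distribution_for(share_of_estate: float, business_critical: bool) -> str:
    """Pick TD the way the article suggests: the standard v2 bands (roughly
    1-25% low, 26-75% medium, 76-100% high) apply to ordinary systems, but a
    business-critical system counts as 'high' however few hosts run it."""
    if share_of_estate <= 0.0:
        return "none"
    if business_critical:
        return "high"
    if share_of_estate <= 0.25:
        return "low"
    if share_of_estate <= 0.75:
        return "medium"
    return "high"


def collateral_damage_for(technical_cost: float, business_cost: float,
                          annual_revenue: float) -> str:
    """Pick CDP from the total loss of a successful exploit (technical damage
    and remediation plus business cost) as a share of annual revenue.
    The bands are a constructed illustration, not a CVSS rule."""
    share = (technical_cost + business_cost) / annual_revenue
    if share <= 0.0:
        return "none"
    if share < 0.001:
        return "low"
    if share < 0.01:
        return "low-medium"
    if share < 0.05:
        return "medium-high"
    return "high"


if __name__ == "__main__":
    # The article's case: one server in a couple of hundred (0.5 per cent of the
    # estate) that happens to be business critical. Constructed figures.
    published_temporal = 6.7
    cdp = collateral_damage_for(technical_cost=20_000, business_cost=1_500_000,
                                annual_revenue=50_000_000)
    by_headcount = environmental(published_temporal, cdp,
                                 target_distribution_for(1 / 200, business_critical=False))
    by_significance = environmental(published_temporal, cdp,
                                    target_distribution_for(1 / 200, business_critical=True))
    print(f"CDP={cdp}  by headcount: {by_headcount}  by business significance: {by_significance}")
```

Running it shows why the article calls the Environmental score both risky and potentially powerful: the same published Temporal score of 6.7 comes out at 2.0 when the 0.5 per cent host count is taken literally and at 8.0 once the business significance of that single server is allowed to set the target distribution.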

Overall, the CVSS is a relatively untried system but one which, by virtue of its transparency, potentially contains less snake oil than the closed ranking systems we are used to. We must hope that it will evolve over time into a robust universal standard: something that is much needed in this field.

Permalink: http://h-online.com/-747205