Ask the Expert: Why is CVSS not enough?

Cyber Risk

Kirk Hogan, Chief Innovation Officer at Iceberg Networks, and Allan Liska, CSIRT at Recorded Future, sat down to answer some of the questions they are hearing about how organizations can prepare for all levels of vulnerability: how to get the best vulnerability prioritization, where to look for vulnerabilities and whether they are in fact the MOST critical, and how to bring in management best practices and tools to help organizations elevate their approach. The following is an edited transcript of the conversation.

Allan Liska: CVSS scores actually do something that’s pretty amazing. They allow you to compare the severity of a vulnerability across multiple platforms, which is great, something that hadn’t happened before CVSS was around. So you never knew, hey, this vulnerability in this Adobe product, how does that compare to this vulnerability in Oracle, for example. It gave us a common language to speak with. What CVSS doesn’t do (and which it’s unfortunately being used as today) is it doesn’t actually express risk. It looks like it expresses risk, right? If you look at it, really, from like a 5000 foot view — for example, it could be something like, this is a remote code execution, so clearly, that’s a higher risk than something that’s an elevation of privilege. But there’s actually a lot more that goes into what constitutes the risk of a vulnerability. And that’s really where CVSS falls short. But we’re using CVSS as a risk score, because for a lot of organizations, that’s the only measurement they have for a vulnerability. And so they have to use it as a risk score — and that’s really where we start to get into trouble with CVSS, as our only tooling for measuring vulnerability.

Kirk Hogan: Allan, when you talk about CVSS not being a risk score, I actually think maybe it’s being used as the ENTIRE calculation, as opposed to what I think it was originally intended for, as a PART of a calculation. And unfortunately, people get busy so they use what they have, and it does become the default, the only way they organize their vulnerabilities.

Allan Liska: And I think that’s a really good point. I mean, if you have two vulnerabilities — let’s say you have a vulnerability in Microsoft Exchange, and a vulnerability in SquirrelMail. And both of those have CVSS scores of nine. Generally speaking, the vulnerability in Microsoft Exchange is going to be much more critical, because it’s going to impact more people than SquirrelMail will. Now, in your organization, that calculus may change — you may have invested heavily in SquirrelMail, and that is what is being used across your entire environment. And so then that becomes a much more critical risk to you. So, I think, having that as an isolated number doesn’t help if you don’t know what your own situational awareness is, what your own risk is, as well as what kind of other protections you have in place.

Kirk Hogan: And I think this is a really salient point we need to drive home — this conversation is not about whether CVSS is good or bad. CVSS is very good. But it is a vulnerability snapshot, WITHOUT the context of your organization. How could that score encompass all the nuances of your organization? The score takes into consideration commonality across industries and then provides that severity rating to work with. But the next step is really to consider what the organizational context is.

See all the Ask the Expert videos in this series:

Ask the Expert Part 1: Why CVSS isn’t enough?
Ask the Expert Part 2: How can I make my vulnerability solution more responsive?
Ask the Expert Part 3: How do you level up your vulnerability management?
Ask the Expert Part 4: What is the difference between vulnerability management and attack surface management?
