Skip to main content

CVSS: Measuring the Severity of an IT Security Vulnerability

The Common Vulnerability Scoring System (aka CVSS score) provides a numerical (0-10) representation of the severity of an information security vulnerability. Created and maintained by the Forum of Incident Response and Security Teams (FIRST)—a global forum of over 500 organizations comprised of governmental, commercial, and educational incident response organizations—CVSS scores are commonly used by security teams to help them accurately assess vulnerabilities and prioritize their management and remediation.

Scores range from 0.0 up to 10.0, which is a meaningful metric for security analysts and IT leaders. However, the numerical score can lack needed context for less technical stakeholders. It can be helpful, then, to assign values to a range of scores, as that can more easily demonstrate severity of the vulnerability.

The current version of CVSS (v3), maps the numerical score to five different severity ratings:

  • None – 0.0
  • Low – 0.1 – 3.9
  • Medium – 4.0 – 6.9
  • High 7.0 – 8.9
  • Critical – 9.0 – 10.0

CVSS Base Metrics – Foundation

Public rankings of severity, such as those listed in NIST’s National Vulnerability Database (NVD) refer exclusively to Base CVSS scores. Base metrics look at the qualities of a vulnerability that remain the same across all user environments and do not change over time. They consider the following three factors: exploitability, scope, and impact.

  • Exploitability considers the attack vector (the level of access required to exploit a vulnerability), attack complexity (the factors required to exploit the vulnerability that are outside of the attacker’s control), the user privileges required to exploit the vulnerability, and whether the attacker must recruit a user—willingly or unwittingly—to execute the exploit.
  • Scope considers whether a vulnerability can spread across the attack surface—gaining access to the operating system through a software application, for example—and how easily it can do so.
  • Impact focuses on the severity of damage that an attack can cause by exploiting the vulnerability. Exploits that result in the attacker gaining access to confidential data, that permit the attacker to alter or change data, or render the exploited system unavailable to users will all increase this score metric.

The easy availability of Base CVSS scores provides a seductive starting point for vulnerability prioritization, but it is of limited use as it does not account for real-world exploits, the availability of patches, or other environmental or mitigating controls that your organization has put into place.

In other words, Base CVSS Scores tell you if the vulnerability is dangerous but not if it is dangerous to your company. To understand that the user must turn to a more comprehensive CVSS Score— one that considers Temporal and Environmental metrics.

Temporal and Environment Metrics — Toward a More Comprehensive Score

Temporal

Temporal metrics examine the qualities of a vulnerability that change over time. They measure the existing risk of exploit, as well as whether there are tools available, such as patches, to help resolve the vulnerability. Temporal metrics consider the following factors: exploit code maturity, remediation level, and report confidence.

  • Exploit code maturity determines whether attackers have a method to exploit an existing vulnerability and how much time the code has had to develop, evolve and increase stability.
  • Remediation level examines how many patches, temporary fixes, and workarounds exist for users to resolve and repair the vulnerability.
  • Report confidence determines whether there is enough evidence to confirm that the vulnerability exists and can be exploited by an attacker.

Environmental

Environmental metrics consider the characteristics of an exploit and the steps taken to resolve it within a specific security environment. They modify the Base CVSS Score based on how critical the assets vulnerable to exploit might be. The more mission critical or top secret the asset, the higher the modified score.

These metrics also consider the mitigations an organization has put into place, such as air-gapping a server (physically isolating a vulnerable device, software or system from unsecured networks) or preventing external network connections.

More is More in CVSS Scores

The amount—and complexity—of security vulnerabilities facing organizations continues to grow. To truly begin a proactive cybersecurity program, your vulnerability management needs to consider not just the publicly available Base score metrics, but the Temporal and Environmental metrics as well.

To do that effectively, you’ll need a security team capable of understanding your assets, their criticality, the controls put in place to protect their vulnerabilities, and what current exploits exist for attackers to leverage.

This can be a daunting task for many organizations, which is why a Managed Risk® provider can be the most effective solution for organizations looking to truly take a proactive approach to cybersecurity.

Arctic Wolf® Managed Risk

Built on the industry’s only cloud-native platform Arctic Wolf Platform’s Managed Risk solution employs our 24x7 Concierge Security® Team, who take a holistic approach to digital risk. We start with the basic task of discovering risks in your software, assets, and accounts. Then we find risk in those items by both looking for vulnerabilities and benchmarking against configuration best practices. Once we have that perspective, we advise you on how to prioritize your remediation actions to ensure that you are continually hardening your security posture.

Learn More about Managed Risk

Request a Demo

 

About the Author

Sule Tatar is a Product Marketing Manager at Arctic Wolf, where she does research on security trends and brings groundbreaking cybersecurity products and services to market. She has extensive experience in the B2B cybersecurity space and holds a bachelor's degree in computer engineering and an MBA.

Profile Photo of Sule Tatar