Word Notes 11.7.23
Ep 161 | 11.7.23

Common Vulnerability Scoring System (CVSS) (noun)


Rick Howard: The word is: CVSS.

Rick Howard: Spelled: C for common, V for vulnerability, S for scoring, and S for system. 

Rick Howard: Definition: A qualitative public framework for rating the severity of security vulnerabilities in software. 

Rick Howard: Example sentence: A CVSS score is derived from three vectors, base, temporal, and environmental, and ranges from 0 to 10, with 0 representing the least severe and 10 representing the most severe.

Rick Howard: Origin and context: In the early 1990s, the infosec community didn’t have a common language around vulnerabilities and exploits to compare notes with peers and pundits. According to Tripwire, back then, every software vendor had their proprietary method for tracking vulnerabilities in their own products. Security professionals had no way to know if vendor A’s vulnerability was the same as vendor B’s, or if they were two separate issues. We were kind of on our own. That started to change in 1999, when MITRE's David Mann and Steven Christey wrote the white paper “Towards a Common Enumeration of Vulnerabilities.”

Rick Howard: That same year, NIST's Computer Security Division created the Internet Categorization of Attacks Toolkit, ICAT, the first integrated exploitation and vulnerability list. Mann and Christey proposed creating a Common Vulnerabilities and Exposures list, CVE, that the entire community could use, and the idea quickly gained traction. The very first CVE list contained 321 vulnerabilities, chosen after careful deliberation and consideration of duplicates. By 2002, the CVE list contained more than 2,000 software vulnerabilities and NIST recommended that the U.S. government use only software that used CVE identifiers. By 2005, ICAT had morphed into the National Vulnerability Database, NVD, designed to enrich the CVE list with risk and impact scoring using the Common Vulnerability Scoring System, CVSS, introduced by the U.S. National Infrastructure Advisory Council, NIAC, that same year.

Rick Howard: According to TechTarget, CVSS version 2 was released in 2007 and was seen as a significant improvement over the original version. It had fewer inconsistencies, provided additional granularity, and more accurately reflected the true properties of IT vulnerabilities. CVSS version 3.0, released in June 2015, tweaked the scoring algorithms to more accurately reflect the reality of vulnerabilities encountered in the world. CVSS version 3.1, released in June 2019, focused on clarifying and improving the standard. Today the standard is maintained by the Forum of Incident Response Teams, FIRST, through the CVSS Special Interest Group. As of this writing, CVSS version 4.0 is available for public preview.

Rick Howard: Nerd reference: Back in 2020, Peter Silva, a security evangelist for F5, explained the basics of CVSS.

Peter Silva: CVSS was introduced in 2005 as an open framework for communicating the characteristics and severity of software vulnerabilities. It consists of three metric groups: base, temporal, and environmental. The base group represents the intrinsic qualities of a vulnerability that are consistent over time and across user environments. The temporal group reflects the characteristics of a vulnerability that change over time. And the environmental group represents the characteristics of a vulnerability that are unique to a user's environment. The big benefit of CVSS is that it's a standardized, vendor- and platform-agnostic open framework that is transparent about how it derives a score.

Rick Howard: Word Notes is written and edited by me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. We're privileged that N2K and podcasts like Word Notes are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, people. We make you smarter about your team, while making your team smarter. Learn more at N2K.com and thanks for listening.