Network World

Jamey Heary

Common Vulnerability Scoring System (CVSS) Explained

By jheary on Fri, 10/26/07 - 12:32am.

The Common Vulnerability Scoring System, or CVSS for short, is an open framework for scoring the severity of vulnerabilities. CVSS is designed to rank information system vulnerabilities and give an end user a single composite score representing the overall severity, and the risk, that a vulnerability presents. CVSS was created by the National Infrastructure Advisory Council (NIAC). Over the years it has become a very widely adopted scoring system and is used by such heavy hitters as the Department of Homeland Security, CERT, Cisco, Union Pacific, and Symantec, to name but a few. CVSS is currently maintained by the Forum of Incident Response and Security Teams (FIRST), http://www.first.org, and was a combined effort involving many companies, including:

  • CERT/CC
  • Cisco Systems
  • eBay
  • Internet Security Systems
  • Microsoft
  • DHS/MITRE
  • Qualys
  • Symantec

Cisco uses the CVSS system for its IPS signatures and IntelliShield reports. See last week's blog for more info on IntelliShield.
What does a score mean?
A CVSS score is built from three metric groups. Each group yields a score from 0 to 10, with 10 being the most severe. The three groups are:

  • Base Group – Mandatory Score by vendor or analyst
  • Temporal Group – Optional score by vendor or analyst
  • Environmental Group – Optional score by end-user

Each group is made up of several separate categories (metrics). The category values are combined by a fixed formula, not a simple sum, to produce the 0-10 final value for the group.
The base group is made up of six categories, as shown in the figure below:

  • Access Vector
  • Access Complexity
  • Authentication
  • Confidentiality Impact
  • Integrity Impact
  • Availability Impact

The Temporal group is made up of only three values, as shown in the figure below:

  • Exploitability
  • Remediation Level
  • Report Confidence

And finally, the end-user controlled Environmental group is made up of five categories, as shown in the figure below:

  • Collateral Damage Potential
  • Target Distribution
  • Confidentiality Requirement
  • Integrity Requirement
  • Availability Requirement

For detailed info on the possible values in each category, see either a CVSS calculator or the FIRST CVSS guide:
http://www.first.org/cvss/cvss-guide.html

Let's take a look at an example CVSS score using a Cisco IntelliShield report.

This Sun Java vulnerability has a CVSS Base score of 9.3 and a Temporal score of 6.9. Note that the temporal score can only lower the base score: each temporal metric is a multiplier of 1.0 or less, so a temporal score of 6.9 against a base of 9.3 says that, at the time of the report, exploit maturity, remediation status and report confidence together took roughly a quarter off the raw severity. If you click on the CVSS calculator link you are given the breakdown of the different categories within each group. Here is the calculator screenshot showing the base score categories for this vulnerability.

Using this CVSS calculator the end-user can enter parameters for the environmental group. This allows the end-user to receive a 0-10 score of the risk posed by a particular vulnerability in their specific environment.
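To make the "not a simple sum" point concrete, and to show what the calculator does with the environmental inputs just described, here is an added example (mine, not code from the original post or from Cisco's tools) of a CVSS v2 calculator in Python. It implements the base, temporal and environmental equations and metric weights published by FIRST for CVSS version 2, driven by a vector string. The vectors in it are assumptions: the post does not give the vector of the Sun Java advisory, so AV:N/AC:M/Au:N/C:C/I:C/A:C with E:U/RL:OF/RC:C was chosen because it reproduces the 9.3 base and 6.9 temporal scores quoted above, and the environmental metrics CDP:LM/TD:M/CR:L/IR:L/AR:L are likewise illustrative.

```python
"""CVSS v2 calculator: base, temporal and environmental scores from a vector string.

Added example, not from the original post. Equations and weights are the CVSS v2
ones published by FIRST. The vectors in __main__ are assumptions chosen to
reproduce the post's 9.3 / 6.9 figures; they are not the advisory's real vector.
"""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights, CVSS v2. "ND" = not defined (the default for optional metrics).
WEIGHTS = {
    # Base group (mandatory)
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},          # Access Vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},           # Access Complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},          # Authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},           # Confidentiality Impact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},           # Integrity Impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},           # Availability Impact
    # Temporal group (optional)
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},     # Exploitability
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},   # Remediation Level
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},              # Report Confidence
    # Environmental group (optional, set by the end user)
    "CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},  # Collateral Damage
    "TD": {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},            # Target Distribution
    "CR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},                       # Confidentiality Req.
    "IR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},                       # Integrity Req.
    "AR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},                       # Availability Req.
}
BASE_METRICS = ("AV", "AC", "Au", "C", "I", "A")
OPTIONAL_METRICS = ("E", "RL", "RC", "CDP", "TD", "CR", "IR", "AR")


def round1(x: float) -> float:
    """CVSS round_to_1_decimal: round half up, as the public calculators do."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector: str) -> dict:
    """Parse 'AV:N/AC:M/.../TD:M' into {metric: weight}. Base metrics are mandatory."""
    weights = {}
    for item in vector.split("/"):
        name, _, value = item.partition(":")
        if name not in WEIGHTS or value not in WEIGHTS[name]:
            raise ValueError(f"unknown metric or value: {item!r}")
        weights[name] = WEIGHTS[name][value]
    missing = [m for m in BASE_METRICS if m not in weights]
    if missing:
        raise ValueError(f"base metrics are mandatory, missing: {missing}")
    for name in OPTIONAL_METRICS:           # absent optional metrics mean "not defined"
        weights.setdefault(name, WEIGHTS[name]["ND"])
    return weights


def _impact(c: float, i: float, a: float) -> float:
    # Impact sub-score: the three C/I/A impacts are combined multiplicatively, not summed.
    return 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))


def _base_from_impact(m: dict, impact: float) -> float:
    if impact == 0:                         # f(Impact) = 0: no impact means score 0, however exploitable
        return 0.0
    exploitability = 20 * m["AV"] * m["AC"] * m["Au"]
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176)


def base_score(m: dict) -> float:
    return _base_from_impact(m, _impact(m["C"], m["I"], m["A"]))


def temporal_score(m: dict, base: float = None) -> float:
    # Every temporal weight is <= 1.0, so the temporal score can only lower the base score.
    base = base_score(m) if base is None else base
    return round1(base * m["E"] * m["RL"] * m["RC"])


def environmental_score(m: dict) -> float:
    # Security requirements rescale the C/I/A impacts (capped at 10), the base and temporal
    # equations are re-run on that adjusted impact, then CDP and TD are applied.
    adjusted_impact = min(10.0, _impact(m["C"] * m["CR"], m["I"] * m["IR"], m["A"] * m["AR"]))
    adjusted_temporal = temporal_score(m, _base_from_impact(m, adjusted_impact))
    return round1((adjusted_temporal + (10 - adjusted_temporal) * m["CDP"]) * m["TD"])


def score(vector: str) -> tuple:
    """Return (base, temporal, environmental) for a CVSS v2 vector string."""
    m = parse_vector(vector)
    return base_score(m), temporal_score(m), environmental_score(m)


if __name__ == "__main__":
    # Assumed vector (not the advisory's real one); reproduces the post's 9.3 base / 6.9 temporal.
    VECTOR = "AV:N/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C/CDP:LM/TD:M/CR:L/IR:L/AR:L"
    b, t, e = score(VECTOR)
    print(f"{VECTOR}\nbase={b} temporal={t} environmental={e}")
```

Run as-is and the three scores come out as 9.3, 6.9 and 5.1. The environmental value shows what the end-user inputs do: lowered confidentiality, integrity and availability requirements plus a medium target distribution pull an otherwise critical finding down for that one site, while the collateral damage potential pushes it back up. Intermediate base and temporal values are rounded to one decimal at each step, which is how the public calculators behave, so the output matches what they report for the same vector.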
Well, that's a brief overview of the CVSS scoring system. For more info I highly suggest you read the CVSS guide by the FIRST group I mentioned previously. It is the definitive guide to CVSS. So my questions for you are: do you pay any attention to CVSS, do you use it, and what do you think of it?

The opinions and information presented here are my personal views, not those of my employer.

About Cisco Security Expert

Jamey Heary, CCIE No. 7680, is the author of the Cisco NAC Appliance: Enforcing Host Security with Clean Access book by Cisco Press. Jamey is a seasoned security technologist with over 15 years in the IT field with 10 years focused on IT security. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey is currently a Security Consulting Systems Engineer with Cisco, though the opinions expressed here are his own. Jamey is a member of Network World's Cisco Subnet blog community.