The soon-to-be-released Version 4.0 of the Common Vulnerability Scoring System (CVSS) promises to fix a number of issues with the severity metric for security bugs. But vulnerability experts say that prioritizing patches or measuring exploitability will still be a tough nut to crack.
The Forum of Incident Response and Security Teams (FIRST) released a preview of the next version of the CVSS last week at its annual conference. Version 4 will do away with the vague “temporal” metric, replacing it with the more descriptive “threat” metric and it will add other factors to the base metric calculation. The changes improve the overall usability of CVSS, according to FIRST, which added that companies and organizations can try the metric for grading current vulnerabilities and provide feedback prior to the launch of the general release.
CVSS 4 adds two new factors for companies to use in calculating the base metric: Attack Requirements (AT) and User Interaction (UI), measuring the complexity of the attack and whether an attack requires user interaction, according to a description of the new specification. In addition, a component of the CVSS is the environmental score, which is company-specific and measures the impact a vulnerability can have on their IT environment.
“[T]his latest release marks a significant step forward with added capabilities crucial for teams with the importance of using threat intelligence and environmental metrics for accurate scoring at its core,” FIRST said in a statement on the preview release of CVSS 4.
Patch Prioritization Needs More than CVSS
A better Common Vulnerability Scoring System could give companies a better approach to deciding which vulnerabilities should receive priority for patching, but it shouldn’t be seen as a panacea, say experts.
When it comes to determining exploitability, one of the biggest metrics that organizations use to prioritize patches, companies have a number of tools. They can use the CVSS, the Known Exploited Vulnerability (KEV) list from the US Cybersecurity and Infrastructure Security Agency (CISA), the Exploit Predication Scoring System (EPSS), or other proprietary systems, such as the Coalition Exploit Scoring System. Yet, any approach has to match an organizations’ capabilities and resources, says Sasha Romanosky, a senior policy researcher with RAND Corp., a global policy and research think tank.
“The issue is not so much [which approach], but the strategy one uses that produces the best — that is, prioritized — list for their organization,” says Romanosky, a contributor to both CVSS and EPSS. “We’ve come to learn that CVSS is not a good predictor of threat — exploitation — [on its own, and] that was a tough pill for us, the creators [of] CVSS, to swallow, but it’s the reality.”
Knowing the systems that are part of an organization’s attack surface area, for example, is critical, says Dustin Childs, head of threat awareness for Trend Micro’s Zero Day Initiative (ZDI).
“One thing I always recommend is to be ruthless in your asset discovery and understand which systems are key to your business,” he says. “That will help prioritization.”
CVSS Timing, Complexity Challenges
The new CVSS still faces hurdles when it comes to providing actionable assessments for prioritization. For instance, exploitability metrics also need to be generated quickly, so that organizations have guidance as soon as possible for making decisions over prioritizing patching, says Scott Walsh, a senior security researcher at Coalition, an active-protection cyber-insurance firm.
“When a new CVE is announced, risk managers and defenders may turn to the CVSS or the EPSS for severity and exploitability scores, but these industry-standard systems often take time to score new CVEs — anywhere from a week to up to a month,” he says. “During this time, organizations don’t always know which vulnerabilities have the highest potential to negatively affect their individual digital ecosystems and technologies.”
In addition, the latest CVSS can be complex to decipher, with nearly two dozen attributes used to calculate the base metric — complexity that could hinder security teams’ ability to gauge their risk.
“These variables will require multiple business units to agree upon the impacts and requirements,” he says. “In security, time is of the essence, and quickly responding can be the difference between successfully preventing an attack or being a victim. These variables make the vulnerability evaluation process slow and cumbersome when responding to a new threat.”