Vulnerability Score Adjustment


  • you need to assess the severity of a vulnerability in your own context
    • scores are not static
    • they are subject to change based on several factors
  • vulnerability scores should be adjusted so they more accurately reflect the actual risk the vulnerability poses to you
  • adjusted scores are unique to your organization
    • the same CVE can legitimately carry different scores in different environments

Factors to Consider

  • Availability of patches
    • the CVSS temporal metric Remediation Level (RL) records whether an official fix, a temporary fix, a workaround, or no fix at all is available; the vector does not tell you how quickly a vendor plans to patch
    • If no patch is available
      • this is a significant factor that raises the severity of the vulnerability
    • If an effective patch is available
      • the organization may shift the score lower, depending on how difficult the patch is to deploy
  • Impact of the vulnerability
    • consider:
      • the potential damage caused by successful exploitation
      • the effort required to mitigate it
  • Level of sophistication of threat actors
    • the capability of the threat actors likely to target you determines how likely it is that an exploitation attempt succeeds
  • Asset value
    • Highly valuable assets have little tolerance for vulnerabilities
      • may push scores toward high/critical
      • in CVSS terms, this is what the environmental security requirement metrics (CR, IR, AR) capture
  • Weaponization
    • likelihood that an attacker will be able to turn a vulnerability into a working exploit that achieves their objectives
    • considers factors such as the attack vector (AV) and attack complexity (AC)
      • these affect how easily an attacker can create a functional exploit
    • once a working exploit exists, attackers can easily share it for others to use
      • the CVSS temporal metric Exploit Code Maturity (E) tracks this, from Unproven (U) through Proof-of-Concept (P) and Functional (F) to High (H)
  • Exploitability
    • vulnerability with high exploitability is more likely to be targeted by an attacker
      • requires urgent attention
    • low exploitability may be less urgent as it is less likely to be exploited
    • depends on many factors
      • attack complexity (AC)
      • the availability of tools and techniques to exploit it (weaponization)
      • and security measures in place to defend against the vulnerability
    • low exploitability does not mean that a vulnerability is not severe
    • carefully consider all aspects of a vulnerability, including impact

Example Vulnerability Score Adjustment

Consider a hypothetical remote code execution (RCE) vulnerability with a CVSS base score of 10.0 (Critical)

  • During the risk assessment process, the organization discovers:
    • successfully exploiting the vulnerability requires the attacker to be on the same network segment as the vulnerable application (the base vector assumes it is remotely reachable over a network, AV:N)
    • the vulnerable application only runs on a single, fully air-gapped system
  • This information is a justifiable reason to lower the score for this organization
    • the host is not reachable over the network at all, so the realistic attack path requires physical access
    • in CVSS terms, this is recorded with the environmental Modified Attack Vector (MAV) metric (e.g. MAV:P), leaving the vendor's base score untouched