CVSS does not equal risk. CVSS does not equal risk. CVSS does not equal risk. (Anything important is worth repeating at least three times.)
Surprisingly, there are still cybersecurity people who manage vulnerabilities by CVSS score and claim that they are doing risk management. (Don't laugh; check with your CISO.)
Why is a CVSS score not the same as risk?
Because a CVSS score only describes the technical severity of a vulnerability (typically a CVE). Risk is that severity combined with how likely exploitation is in your environment and what the affected asset is worth to you, and a base score says nothing about either.
Then what is a CVSS score?
CVSS stands for Common Vulnerability Scoring System and is maintained by FIRST. The versions you will meet in scanner output are 2.0, 3.0 and 3.1 (4.0 was published in November 2023 and reorganises the metric groups). CVSS v3.1 has three metric groups: Base, Temporal, and Environmental. Each group has its own set of metrics; the Base group is the only mandatory one, and in practice it is the only one you see in vulnerability databases and scanner reports.
There is a scoring calculator at https://www.first.org/cvss/calculator/3.1 (Common Vulnerability Scoring System Version 3.1 Calculator, first.org).
Here's a sample CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N. Read left to right: network attack vector, high attack complexity, no privileges required, no user interaction, scope changed, no confidentiality impact, high integrity impact, no availability impact. The calculator turns that into a base score of 6.8 (Medium). Note that the vector tells you what the bug looks like, not where it sits in your network or whether anyone is attacking it.
And it is common for only the Base score to be used to decide how quickly the cybersecurity team responds to a new vulnerability.
(Ask your cybersecurity team when they last looked at the Temporal and Environmental scores.)
If CVSS != risk, why do people use it to manage risk?
IMO, it is not their fault. Regulatory bodies have built CVSS scores into their compliance schemes and require remediation of every vulnerability above a certain base CVSS score in order to remain compliant. (Yes, I'm talking about PCI DSS.)
So, what's wrong with using the CVSS score for risk management?
First, the CVSS base score does not take the importance of the asset into account. The same vulnerability should have a different priority on a domain controller than on a workstation.
Secondly, not every vulnerability has a CVE and a CVSS score. Misconfigurations, default credentials and bugs in your own code never get a CVE. If a vulnerability has no CVE or CVSS assigned, does that mean you can skip remediating it?
Third, and I think this is the most important: not every vulnerability is exploitable. Instead of remediating everything in CVSS order, we should focus on the high/critical vulnerabilities that are actually exploitable. Remediating strictly by CVSS score is not only infeasible, it also burns a lot of resources and is probably still an unachievable goal. (Remember the 80/20 rule.)
Fourth, the CVSS score makes no allowance for compensating controls such as firewalls, WAFs or endpoint protection, so it does not reflect the actual situation.
In summary, CVSS != risk, for the following reasons.
- No notion of asset priority.
- Only applicable to known, CVE-assigned vulnerabilities.
- Remediation effort spent on findings nobody can exploit.
- No accounting for compensating controls.
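The four objections above can be turned into a scoring model. The following Python is an added illustration written for this post; it is not Kenna's algorithm or any vendor's, and the weights, the exploit-status categories, the control list and the four findings are all constructed assumptions. It shows how the same findings rank very differently once asset criticality, exploit maturity, exposure, compensating controls and the absence of a CVE are taken into account, and that the finding a CVSS-only process would fix last is the one that should be fixed first.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Finding:
    title: str
    asset: str
    cvss_base: Optional[float]          # None when the finding never got a CVE/CVSS
    asset_criticality: int              # 1 (lab box) .. 5 (crown jewel), assigned by the business
    exploit_status: str                 # key into EXPLOIT_LIKELIHOOD; would come from KEV/exploit feeds
    internet_exposed: bool
    compensating_controls: List[str] = field(default_factory=list)
    assumed_severity: Optional[float] = None  # analyst's 0-10 estimate when no CVSS exists


# Assumed likelihood that the flaw is actually attacked, by exploit maturity (illustrative values).
EXPLOIT_LIKELIHOOD = {"none": 0.1, "poc": 0.4, "weaponized": 0.7, "exploited_in_wild": 1.0}
# Assumed fraction of the attack likelihood that each compensating control removes.
CONTROL_REDUCTION = {"waf": 0.3, "edr": 0.2, "virtual_patch": 0.5, "no_network_path": 0.7}


def risk_score(f: Finding) -> float:
    """Risk = likelihood x impact, scaled to 0-100.

    Severity comes from CVSS when there is one, otherwise from the analyst's estimate,
    so a finding without a CVE is scored instead of silently dropped."""
    severity = f.cvss_base if f.cvss_base is not None else f.assumed_severity
    if severity is None:
        raise ValueError(f"{f.title}: no CVSS score and no assumed severity")
    likelihood = EXPLOIT_LIKELIHOOD[f.exploit_status]
    if f.internet_exposed:
        likelihood = min(1.0, likelihood + 0.2)
    for control in f.compensating_controls:     # each control trims the remaining likelihood
        likelihood *= 1.0 - CONTROL_REDUCTION[control]
    impact = (severity / 10.0) * (f.asset_criticality / 5.0)
    return round(100.0 * likelihood * impact, 1)


def prioritize(findings):
    """Risk-based order: list of (title, risk score), highest risk first."""
    return sorted(((f.title, risk_score(f)) for f in findings), key=lambda t: t[1], reverse=True)


def sort_by_cvss(findings):
    """What a CVSS-only process does: highest base score first, unscored findings last."""
    key = lambda f: -1.0 if f.cvss_base is None else f.cvss_base
    return [f.title for f in sorted(findings, key=key, reverse=True)]


# Constructed sample findings; assets, scores and statuses are made up for the example.
FINDINGS = [
    Finding("Heap overflow in media codec", "ws-lab-17", 9.8, 1, "none", False, ["edr"]),
    Finding("SQL injection in customer portal", "web-portal-01", 9.1, 4, "poc", True, ["waf"]),
    Finding("Deserialization RCE in internal ticketing app", "dc01", 7.5, 5, "exploited_in_wild", False),
    Finding("Default admin credentials on build server", "build-03", None, 4, "weaponized", True,
            assumed_severity=9.0),
]


if __name__ == "__main__":
    print("CVSS order:   ", sort_by_cvss(FINDINGS))
    print("Risk order:")
    for title, score in prioritize(FINDINGS):
        print(f"  {score:5.1f}  {title}")
```

In the output the 9.8 heap overflow on an isolated lab workstation falls to the bottom, the unscored default credentials on an internet-facing build server land second, and the 7.5 that is being exploited in the wild on a domain controller comes first. Swap the constructed weights for your own and feed exploit status from a real source such as CISA's KEV catalog; the shape of the model is the point, not the numbers.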
Unlike CVSS and other static scoring methods, Kenna Security provides the context required to understand the true level of risk that vulnerabilities pose to an organization, using a risk score. The purpose of the score is to give cybersecurity, IT and infrastructure teams a sense of the relative urgency of each vulnerability, so that everyone can prioritize remediation of some over others based on real-world exploitability.
References: