Home » Blog » CVSS Threat Modeling Method

CVSS Threat Modeling Method

CVSS (Common Vulnerability Scoring system) is used to rate vulnerabilities by a numeral severity score. It was created in the beginning of the century by NIST (National Institute of Standard and Technology) and maintained by FIRST (Forum of Incident Response and Security Teams), supported by CVSS Special Interest Group. It provides a common standardized scoring system for various cyber and cyber-physical platforms. It is often used along with other threat modeling methods. It offers tools to calculate a numeric value based on a ten-point scale, which helps security specialists decide how to handle one or another vulnerability. The higher this value is, the quicker the reaction should be.

CVSS Metrics

CVSS contains three metric groups, which are explained in the methodâ€™s documentation. Their results are usually published as a combination of a vector (which shows the particular features of the particular factors) and a numeric value calculated based on all factors, using the function given by the standard. Temporal and environmental metrics are optional and used to give a more exact assessment of jeopardy, which a particular vulnerability can cause to a particular structure.

These metric groups are the following:

Base metrics. Include Exploitability (includes attack vectors, attack complexity, required privileges, scope and users interaction) and Impact metrics (referring to confidentiality, integrity and availability impacts). These metrics describe characteristics of vulnerabilities, which do not tend to alter as the time passes and are not environmentally dependent. They also describe the complexity of the vulnerability exploit and the potential harm to data confidentiality, integrity and access.
Temporal metrics. Concern the exploit code maturity, remediation level and confidence of the report. They add some â€˜correctionsâ€™ to the prior assessment, according to mentioned factors and correction availability.
Environmental metrics or modified Base metrics. Cover confidentiality, integrity and availability requirements. With their help security experts can adjust the resulting assessment, taking into account environmental characteristics.

Changes in CVSS standard

CVSS was initially created for independent assessment of separate vulnerabilities, however, in some cases exploiting several vulnerabilities in succession could do much more harm to the system. Thus, the standards were changed and the newer one recommends using CVSS metrics for vulnerability chains, combining exploitation characteristics of one vulnerability with metrics of another.

The list of the most vital changes in CVSS standard includes the following:

Addition of such terms as â€˜vulnerable componentâ€™ (which contains a vulnerability and can be later exploited) and â€˜impacted componentâ€™ (its confidentiality, integrity and availability can be harmed in case of the successful attack
Addition of a new stage required for access (â€˜physical accessâ€™)
A new metric (â€˜necessity of user interactionâ€™) was added
The metric, considering authentication necessity was changed (now it is possible to take into account a necessity of privileged access)
Impact metric scale was changed moved from â€˜quantityâ€™ to â€˜qualityâ€™
Environmental metrics CDP (Collateral damage potential, which calculated potential damage to hardware or other assets, including economic damage from production downtime and foregone gains, according to the quality scale (None/Low/Medium/High)) and TD (Target Distribution, amount of the systems, which can be affected by a vulnerability exploit, in the IT environment) were excluded and replaced by more exact â€˜Corrected base metricsâ€™.
Some recommendations were added to evaluation of vulnerability changes
Quality risk assessment scale was standardized.

The approach shown in the new standard allows us to take into account more factors, influencing the level or harm vulnerabilities can cause, so the new changes may appear in the future. Addition of new metrics, although, has not much influence on the evaluation process mastering. Some of issues were simplified (such as attack complexity, user interaction), others became more complex (such as quality assessment of confidentiality, integrity and availability impact or exploitation limits).

Conclusion

The CVSS method is a good example of vulnerability assessment using a score-based system. One of the features available here is the ability not only to sort but also to rank threats, which can be of significant benefit to a security analysis of a system.

previous post

January 5, 2023

Gray box testing method

‘Gray box’ testing (Translucent testing) is somewhat in between ‘Blackbox’ and ‘White box’, and implies deep knowledge of the tested application’s architecture, design and purpose, which is, however, not necessarily complete or up to date.. Gray box testing may be performed by either a third party or the developers themselves. The idea is to combine the best of Black and White box security testing methods and test both network security and ...

Read more
next post

January 13, 2023

Importance of decentralization in Web3. Centralization vs Decentralization. Comparison.

Centralization and decentralization are two antipodes, which are, however, both popular among the users and the developers in the web3 environment. They are not usually adopted exclusively, both have their strong and weak points and, in their way, both may be vulnerable to possible intrusion or other issues. What is the difference between centralized and decentralized systems and why users and developers make choices in favor of this or ...

Read more