CVSS Threat Modeling Method
CVSS (Common Vulnerability Scoring System) rates vulnerabilities with a numeric severity score. It was introduced in 2005 by the US National Infrastructure Advisory Council (NIAC) and is now maintained by FIRST (Forum of Incident Response and Security Teams) through the CVSS Special Interest Group. It provides a common, standardized scoring system for cyber and cyber-physical platforms and is often used alongside other threat modeling methods. It calculates a numeric value on a ten-point scale, which helps security specialists decide how to handle a given vulnerability: the higher the value, the faster the response should be. Note that CVSS measures the technical severity of a vulnerability, not the risk it poses to a particular organization; the optional metric groups described below exist to bring the score closer to that.
CVSS contains three metric groups, which are explained in the method's documentation. Their results are usually published as a combination of a vector string (which records the value chosen for each individual metric) and a numeric score calculated from all of the metrics using the formulas given by the standard. Temporal and environmental metrics are optional and are used to give a more precise assessment of the threat that a particular vulnerability poses to a particular system.
These metric groups are the following:
- Base metrics. Consist of Exploitability metrics (Attack Vector, Attack Complexity, Privileges Required, User Interaction and Scope) and Impact metrics (Confidentiality, Integrity and Availability impact). These metrics describe intrinsic characteristics of a vulnerability that do not change over time and do not depend on the environment: how hard the vulnerability is to exploit and how much harm a successful exploit can do to the confidentiality, integrity and availability of data.
- Temporal metrics. Cover Exploit Code Maturity, Remediation Level and Report Confidence. They apply "corrections" to the base assessment according to these factors, for example the public availability of exploit code or of an official fix, and are expected to change as the vulnerability ages.
- Environmental metrics. Consist of the Security Requirements (Confidentiality, Integrity and Availability Requirements) and the Modified Base metrics, which override individual base metrics with values that reflect a particular deployment. With their help security experts can adjust the resulting score to the characteristics of their own environment.
Changes in CVSS standard
CVSS was initially created for the independent assessment of separate vulnerabilities; however, in some cases exploiting several vulnerabilities in succession can do much more harm to a system than any one of them alone. The standard was therefore revised (version 3, published in 2015), and the newer version gives guidance on scoring vulnerability chains, combining the exploitability characteristics of one vulnerability with the impact metrics of another.
The list of the most vital changes in CVSS standard includes the following:
- Addition of the terms "vulnerable component" (the component that contains the vulnerability and is exploited) and "impacted component" (the component whose confidentiality, integrity and availability are harmed by a successful attack); the Scope metric records whether the two differ.
- Addition of a new Attack Vector value, Physical, for vulnerabilities that require physical access to the target.
- A new metric, User Interaction, was added.
- The Authentication metric was replaced by Privileges Required, so that the level of privilege an attacker needs can be taken into account.
- The Impact metric scale changed from a quantitative one (None/Partial/Complete) to a qualitative one (None/Low/High).
- The environmental metrics CDP (Collateral Damage Potential, which estimated potential damage to hardware or other assets, including economic damage from production downtime and lost revenue, on a qualitative scale from None to High) and TD (Target Distribution, the proportion of systems in the IT environment that a vulnerability exploit could affect) were removed and replaced by the more precise Modified Base metrics.
- Guidance was added on scoring vulnerability chains.
- The qualitative severity rating scale (None/Low/Medium/High/Critical) was standardized.
The approach taken in the new standard allows more of the factors that influence the harm a vulnerability can cause to be taken into account, so further changes may appear in the future. The addition of new metrics, however, has had little effect on how hard the evaluation process is to master. Some assessments were simplified (such as attack complexity and user interaction), while others became more involved (such as the qualitative assessment of confidentiality, integrity and availability impact, or the boundaries of exploitation expressed by Scope).
The CVSS method is a good example of vulnerability assessment using a score-based system. One of its useful features is the ability not only to sort but also to rank threats, which can be of significant benefit to the security analysis of a system.