Businesses encounter all kinds of risk, and risk is often paired with opportunity. In fact, running a for-profit business is primarily about taking risks for the right opportunities.
All organizations today have to deal with IT Risk as well, and we call the discipline that has emerged to manage IT Risk “Information Security.”
What is Vulnerability Risk?
Even within Information Security there are a variety of specific types of IT Risk that require measurement and management. Information Security professionals, right up to the CISO, are concerned about risks stemming from system configuration, policy compliance, system availability, and vulnerabilities.
That’s not a comprehensive list, of course, but these broad categories are handled in different, but related ways by information security.
Vulnerability risk is particularly challenging because it combines a changing external threat environment with difficult-to-manage aspects of internal processes. New vulnerabilities are discovered every day, and they affect applications and systems that you already have in place.
That means that changes which are completely external to your organization have a direct and immediate effect on your own environment. Furthermore, there are already tens of thousands of well-known vulnerabilities, many of them weaponized in freely available and commercial exploit tools.
Most enterprises, and many smaller organizations, are well aware of these risks and the changing threat environment. The response is usually to implement a Vulnerability Management program to find and ultimately remediate these vulnerabilities.
There are a variety of tools on the market, both free and commercial, that can scan for and find vulnerabilities, but that is often where the more difficult problems start.
The fact is, you have more vulnerabilities right now than you can fix, and while addressing known problems is far easier than addressing unknown problems, the first results from a newly implemented Vulnerability Management program are often simply overwhelming.
This is where vulnerability scoring becomes vitally important.
Why are Vulnerability Scores Important?
When the scope of your work exceeds the time and resources available, you must prioritize (or change the time and scope). That is the primary value of vulnerability scoring: prioritization.
A good vulnerability score allows you to make better decisions about which vulnerabilities to fix first. Not all scores are alike, of course.
Scores vs. Rankings vs. Categories
The concept of prioritizing vulnerabilities for remediation isn’t new, of course. Over the years, various methods for prioritization have developed, all with advantages and disadvantages for different organizations.
The first method to emerge was a simple ranking of results along the lines of High, Medium and Low. Of course, you can imagine that other labels might be applied, but fundamentally, you can see from any ranking which vulnerabilities should be fixed first.
Very quickly, however, information security professionals started wondering what to do when the number of High vulnerabilities exceeded the time and scope available. One solution that seems like a good idea is to make the ranking more granular, say 1-5 or 1-10.
This, of course, doesn’t solve the problem, but simply makes it more manageable for a time. You still, ultimately, can’t distinguish between two vulnerabilities with the same ranking. And because the ranking is subjective, you can’t decompose it into any rational components.
In 1999, nCircle, now a part of Tripwire, took a novel and different approach and started producing a vulnerability score. A score differs from a ranking in that it’s calculated based on specific underlying criteria with a repeatable method.
In Tripwire’s case, the score is also fundamentally unbounded, which frees it from the risk of clustering conditions at the top, i.e. too many ‘Highs.’
In order to accomplish this, the score is generated from three criteria: the depth of access the vulnerability provides if exploited (risk), the external exploit characteristics (skill), and the time that’s elapsed since the vulnerability was published (time).
If you’re interested in how the Tripwire vulnerability score works in detail, you can read the details in this whitepaper. The Tripwire vulnerability score is actively used today in some of the world’s largest organizations to make remediation decisions on a daily basis.
The Tripwire vulnerability score isn’t the only game in town, of course. There is, in fact, an industry standard for vulnerability scoring called the Common Vulnerability Scoring System (CVSS). CVSS aims to solve the same problems, but does so with some important differences.
CVSS was conceived of as a means to score vulnerabilities in the world at large, rather than an instance of a vulnerability on a host in your network. For that reason, CVSS’s temporal metrics decrease the vulnerability score when a patch is available (the base score itself does not change, but the temporal score is adjusted downward once an official fix exists).
That vulnerability presents less risk in general once it can be patched, but that isn’t necessarily true for that vulnerability in your network if you don’t apply that patch. CVSS also takes the approach of a bounded score, ranging from 0.0 to 10.0.
It’s still a score because of the repeatable method by which it’s calculated from specified criteria, but it is bounded to that range. That means that while CVSS is repeatable, it still suffers from the clustering problem mentioned above. You can still, and frequently may, end up with more 10s than you can reasonably address.
Finally, scoring and ranking can be augmented in extremely valuable ways through categorization. Broadly, categorization simply means applying a label to the conditions in some systematic way. This includes labels that are simply semantically valuable, as well as those that directly affect a score calculation.
For example, you might categorize a vulnerability by its impact on the target system: does it affect confidentiality, integrity or availability? In fact, CVSS does just that, and uses each of those impacts as a criterion in its calculation. Another valid category might be vulnerabilities that affect web servers or encryption.
These are not generally used in calculating scores, but they may be valuable for other purposes, like filtering results for specific groups.
Using Vulnerability Scores to Prioritize Remediation
The most common use case for vulnerability scoring is selecting which vulnerabilities to focus on remediating. In this case, we’ve already seen the limitations of a ranking system where you ultimately end up with the problem of clustering of high ranks, and an inability to act.
A ranking, however, may be useful at small scale. If you have hundreds of devices, and no requirement for reporting on progress, then you can use vulnerability rankings. In most cases, however, an unbounded score provides the best mechanism for detailed prioritization.
Another benefit of the unbounded score is the ability to aggregate to the host level or any other arbitrary grouping. For example, you may not actually need to know which one vulnerability across your entire environment needs to be fixed today.
In fact, a more practical use case in a large environment is to ask which vulnerability your Windows admins should focus on this week. In this case, the aggregate scores of vulnerability instances across a filtered group is most useful (i.e. the highest total score for all instances of a Windows vulnerability in your environment).
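As an added illustration, and not code from the original post or Tripwire’s actual scoring method, the following Python builds an assumed unbounded score from the three inputs named earlier (depth of access, exploit skill, time since publication) over a constructed set of vulnerability instances. The weighting, the rank thresholds, the hostnames and the VULN-000x identifiers are all made up for the example. It shows three things from the discussion above: how a bounded High/Medium/Low ranking clusters at the top, how the unbounded score still orders those ‘Highs’, and how summing instance scores within a filtered group answers the ‘which vulnerability should the Windows admins fix this week’ question rather than the single-worst-instance question.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Instance:
    """One vulnerability instance: a specific finding on a specific host."""
    vuln_id: str    # constructed identifier, not a real CVE or vendor ID
    host: str
    platform: str   # used for the 'Windows admins' style filter
    risk: int       # depth of access if exploited: 1 = minor disclosure .. 5 = remote admin (assumed scale)
    skill: int      # skill needed to exploit: 1 = public, point-and-click .. 5 = theoretical only (assumed scale)
    age_days: int   # days since the vulnerability was published


def unbounded_score(inst: Instance) -> float:
    """Hypothetical unbounded score: access depth times ease of exploitation,
    growing without limit as the vulnerability ages. Illustration only; this is
    not the Tripwire formula described in the whitepaper."""
    ease = 6 - inst.skill                 # invert skill so 'easy to exploit' scores higher
    return inst.risk * ease * (1 + inst.age_days / 30)


def rank(inst: Instance) -> str:
    """Bounded High/Medium/Low ranking derived from the same access and skill
    inputs, with age ignored. Thresholds are assumed for the example."""
    base = inst.risk * (6 - inst.skill)
    if base >= 15:
        return "High"
    if base >= 6:
        return "Medium"
    return "Low"


def rank_clusters(instances: List[Instance]) -> Dict[str, int]:
    """How many instances land in each rank: exposes the clustering problem."""
    counts: Dict[str, int] = defaultdict(int)
    for inst in instances:
        counts[rank(inst)] += 1
    return dict(counts)


def top_instances(instances: List[Instance], n: int) -> List[Instance]:
    """Single-instance prioritisation: the n highest unbounded scores anywhere."""
    return sorted(instances, key=unbounded_score, reverse=True)[:n]


def aggregate(instances: List[Instance], key: Callable[[Instance], str],
              platform: Optional[str] = None) -> List[Tuple[str, float]]:
    """Sum instance scores by an arbitrary grouping (vulnerability, host, ...),
    optionally restricted to one platform, highest total first."""
    totals: Dict[str, float] = defaultdict(float)
    for inst in instances:
        if platform is None or inst.platform == platform:
            totals[key(inst)] += unbounded_score(inst)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample data for the example; hosts and identifiers are made up.
SAMPLE = [
    Instance("VULN-0001", "win-01", "windows", risk=5, skill=1, age_days=90),
    Instance("VULN-0001", "win-02", "windows", risk=5, skill=1, age_days=90),
    Instance("VULN-0001", "win-03", "windows", risk=5, skill=1, age_days=90),
    Instance("VULN-0002", "win-01", "windows", risk=5, skill=2, age_days=10),
    Instance("VULN-0003", "lnx-01", "linux",   risk=5, skill=1, age_days=400),
    Instance("VULN-0004", "lnx-02", "linux",   risk=2, skill=4, age_days=5),
    Instance("VULN-0005", "win-02", "windows", risk=3, skill=3, age_days=60),
]

if __name__ == "__main__":
    print("rank clusters:", rank_clusters(SAMPLE))
    worst = top_instances(SAMPLE, 1)[0]
    print("single worst instance:", worst.vuln_id, "on", worst.host,
          round(unbounded_score(worst), 1))
    print("Windows work queue by vulnerability:",
          aggregate(SAMPLE, lambda i: i.vuln_id, platform="windows"))
    print("hosts by total score:", aggregate(SAMPLE, lambda i: i.host))
```

With five of the seven findings ranked High, the ranking alone cannot order the work. The unbounded score puts the long-unpatched VULN-0003 instance on lnx-01 first overall, but the Windows-filtered aggregate puts VULN-0001 first for the Windows team, because three instances of it sum to far more than either single newer finding. Aggregating by host instead gives the per-host view a system owner would want.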
Ultimately, most organizations find multiple means of measuring and communicating vulnerability risk are required for different purposes.
A detailed, unbounded score is extremely valuable at the right level in the process, but as the audience and purpose shift to other parts of the organization, both inside and outside of Information Security, the need shifts as well.
Rankings, categories and ultimately more sophisticated metrics become more valuable, but they all benefit from the strong foundation of a good vulnerability score.
- Brian Martin on Why Vulnerability Statistics Suck
- Vulnerabilities: It’s Time to Review Your ReviewBoard
- What is Vulnerability Management Anyway?
- Your Enterprise Vulnerability Management Reality Check
P.S. Have you met John Powers, supernatural CISO?
Title image courtesy of ShutterStock