ITL Bulletin for October 2007
Forwarded from: Elizabeth Lennon <elizabeth.lennon (at) nist.gov>
THE COMMON VULNERABILITY SCORING SYSTEM (CVSS)
Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
U.S. Department of Commerce
To protect the security of their information technology (IT) systems,
managers must continually identify and assess the vulnerabilities of
their systems. Severe weaknesses in IT systems security often stem from
software or system implementation flaws. These weaknesses, or
vulnerabilities, make the systems attractive targets for attacks that
can seriously change or harm the confidentiality of data, the integrity
of data, and the availability of systems. Because they may have many
different hardware and software platforms and many different threat
issues to deal with, managers need a way to prioritize the
vulnerabilities of their systems and to address those vulnerabilities
that pose the greatest risk.
The Information Technology Laboratory of the National Institute of
Standards and Technology (NIST) recently issued information about the
Common Vulnerability Scoring System (CVSS), which provides an open
framework for scoring the characteristics and impacts of IT
vulnerabilities. The CVSS enables IT managers, vendors, information
providers, and researchers to exchange information about IT
vulnerabilities using a common language and scoring scheme, and to take
needed actions to improve the security of their systems.
NISTIR 7435, The Common Vulnerability Scoring System (CVSS) and Its
Applicability to Federal Agency Systems
The Common Vulnerability Scoring System (CVSS) and Its Applicability to
Federal Agency Systems, written by Peter Mell and Karen Scarfone of NIST
and by Sasha Romanosky of Carnegie Mellon University, was issued in
August 2007 as NIST Interagency Report (NISTIR) 7435. The report
explains the CVSS and discusses the available methods and issues related
to scoring systems for vulnerabilities.
NISTIR 7435 helps IT managers to make sense of vulnerability data and to
take appropriate actions that will protect their systems and
information. NISTIR 7435 describes in detail the three groups of metrics
that compose the CVSS and provides specific examples of how to perform
the CVSS scoring procedures. It provides guidelines on the scoring
process and defines the equations used to generate three groups of
metrics: base, temporal, and environmental scores. Also included in the
report are examples of the scoring to help explain the process and the
use of the equations.
The appendices provide information about electronic and print resources
that are available to help organizations implement the CVSS. Also
included in the appendices are an abbreviation list and an acronym list.
NISTIR 7435 is available from NIST's website at
http://csrc.nist.gov/publications/nistir/ir7435/NISTIR-7435.pdf.
Scoring for Vulnerabilities
Both commercial and noncommercial organizations have developed
vulnerability "scoring" systems that are available for use. These
various systems have different advantages and disadvantages, and they
often differ in what they measure. Some of these scoring systems provide
only one approach for measuring the impact of vulnerabilities, and they
may assume that the impact of vulnerabilities is uniform for all
individuals and organizations.
The CVSS provides a more consistent approach to scoring vulnerabilities.
It is managed by the Forum of Incident Response and Security Teams
(FIRST), an international confederation of computer incident response
teams that handle computer security incidents and promote incident
prevention programs. The CVSS is a free and open standard, is available
to all to use and implement, and is not limited just to members of
FIRST. To further common understanding of the scores that users obtain
with the CVSS, FIRST asks that organizations publishing vulnerability
scores conform to the guidelines described in NISTIR 7435 and provide
both the score and the scoring vector in their published results.
The CVSS is useful for organizations such as:
- Producers of vulnerability bulletins in both nonprofit and commercial
organizations that provide CVSS temporal scores to users;
- Software application vendors who provide CVSS information to their
customers to enable them to manage their IT risks more effectively;
- Private sector organizations that use the CVSS internally to make
informed vulnerability management decisions;
- Vulnerability scanning and management organizations that scan
networks for IT vulnerabilities and make CVSS scores available to
user organizations;
- Security risk management firms that use CVSS scores as input to
report to their customers about their risk or threat levels; and
- Researchers who perform statistical analyses on vulnerabilities and
vulnerability properties.
The Common Vulnerability Scoring System version 2.0 website
is at http://www.first.org/cvss/cvss-guide.html.
The Scoring System
The CVSS consists of three groups of scores: Base, Temporal, and
Environmental. Each group produces a numeric score ranging from 0.0 to
10.0 and a vector, a compressed textual representation that reflects the
values of the metrics used to derive the score.
The Base group of metrics represents the intrinsic and fundamental
characteristics of a vulnerability that are constant over time and user
environments.
The Temporal group represents the characteristics of a vulnerability
that change over time but not among user environments.
The Environmental group represents the characteristics of a
vulnerability that are relevant and unique to a particular user's
environment.
The detailed process for scoring is explained in Section 3 of NISTIR
7435. Scoring can be done by any of the user organizations mentioned
above. In general, vulnerability bulletin analysts, security product
vendors, and application vendors, with detailed knowledge of the
characteristics of vulnerabilities, usually cite the base and temporal
metrics. Users who wish to can also use the CVSS to verify a vendor's
scoring of a vulnerability. Users generally cite the environmental
metrics because they are best able to assess the potential impact of a
vulnerability within their own environments.
There are clear benefits to be gained from using the CVSS, which allows
managers to convert masses of vulnerability data into distilled
information that they can directly apply to improve the security of
systems. Specific benefits include:
Standardized Vulnerability Scores: When an organization normalizes
vulnerability scores across all of its software and hardware platforms,
it can leverage a single vulnerability management policy. This policy
may be similar to a service level agreement (SLA) that states how
quickly a particular vulnerability must be validated and remediated.
Open Framework: Users can see the individual characteristics that are
used to derive a score for a vulnerability when the CVSS is used. This
common framework helps to avoid user confusion when a vulnerability is
assigned an arbitrary score under a different system.
Prioritized Risk: When the environmental score is computed for a
vulnerability, users can put the information into the context of their
systems, determine the actual risk that the vulnerability poses, and
judge the impact of the vulnerability in relation to other
vulnerabilities.
The CVSS and the National Vulnerability Database (NVD)
The NIST National Vulnerability Database (NVD) is a comprehensive cyber
security vulnerability database that integrates all publicly available
federal government vulnerability resources and provides references to
industry resources. The NVD website is http://nvd.nist.gov/. The NVD is
based on and synchronized with the Common Vulnerabilities and Exposures
(CVE) vulnerability dictionary of software flaws. NVD provides
vulnerability summaries for all CVE vulnerabilities. The NVD includes a
fine-grained search engine that allows users to search for
vulnerabilities by various characteristics.
The NVD provides specific CVSS scores for publicly known
vulnerabilities. By linking CVSS scores to CVE entries, the NVD gives
information system managers, users, system administrators, and other
security professionals valuable information to help them learn about
vulnerabilities and take steps to correct them.
For all of the vulnerabilities that are listed, NVD uses the scoring
guidelines detailed in NISTIR 7435 to create CVSS base metric scores. A
CVE identifier is assigned to each new vulnerability. NVD analysts
review the new vulnerability, assign a CVSS base score, and add the
information to the corresponding CVE entry within the database. The CVSS
base scores in the NVD are available for use by federal agencies, so
that they do not have to manually calculate their own base scores. These
scores are also incorporated into many commercial security tools.
Agencies may wish to ask their security tool vendors if they provide the
NVD CVSS scores within their products. NVD is publicly available, so any
organization or individual may freely use its CVSS base scores. The NVD
CVSS web page is available at http://nvd.nist.gov/cvss.cfm.
Having the base metric score listed for each CVE entry in NVD enables
users to quickly determine the severity of each vulnerability. However,
when the temporal and environmental metrics are missing, an incomplete
picture may result. To remedy this, NVD provides a web-based CVSS
version 2.0 calculator at the web page listed above.
When users select a vulnerability from the NVD and click on the "Base
score" attribute, they are directed to the calculator and the base
metric scores will be filled in automatically, leaving the temporal and
environmental metrics to be completed by the user. The Base metrics can
be altered by users to suit their specific needs should they wish to do
so. Once all the information has been submitted, users are presented
with an adjusted score that more directly reflects the impact of the
vulnerability on their environment. Commercial tools may also offer the
ability to customize NVD CVSS base scores with environment-specific
information.
CVSS was designed to be used by any organization. This flexibility is a
noteworthy strength of the system, but it does require that different
sectors and organizations approach the use of CVSS with consideration of
their specific requirements.
Modifying Scores with FIPS 199 Ratings
The Federal Information Security Management Act (FISMA) of 2002 requires
all federal agencies to develop, document, and implement agency-wide
information security programs and to provide information security for
the information and information systems that support the operations and
assets of the agency, including those systems provided or managed by
another agency, contractor, or other source. To help agencies carry out
these policies, FISMA called for NIST to develop federal standards for
the security categorization of federal information and information
systems according to risk levels and for minimum security requirements
for information and information systems in each security category.
Federal Information Processing Standard (FIPS) 199, Standards for the
Security Categorization of Federal Information and Information Systems,
issued in February 2004, was the first standard that was specified by
FISMA. FIPS 199 requires agencies to categorize their information
systems as low-impact, moderate-impact, or high-impact for the security
objectives of confidentiality, integrity, and availability.
Federal agencies can use the following FIPS 199 security categories with
the NVD CVSS scores to obtain impact scores that are tailored to each
agency's environment.
The potential impact is low if the loss of confidentiality, integrity,
or availability could be expected to have a limited adverse effect on
organizational operations, organizational assets, or individuals.
The potential impact is moderate if the loss of confidentiality,
integrity, or availability could be expected to have a serious adverse
effect on organizational operations, organizational assets, or
individuals.
The potential impact is high if the loss of confidentiality, integrity,
or availability could be expected to have a severe or catastrophic
adverse effect on organizational operations, organizational assets, or
individuals.
The CVSS generally follows the FIPS 199 definitions for the impact
subscore modifiers in the environmental metric, so federal agencies can
customize CVSS scores to apply to specific government systems. However,
CVSS does not require that these definitions be used by all and provides
them merely as a default; other organizations using the CVSS may choose
to define the impact subscore modifiers in ways that more closely suit
their particular business goals.
For federal agencies, the FIPS 199 definitions can apply, and the
potential impact levels for federal information systems can be
considered when agencies are calculating environmental metric scores for
vulnerabilities. For example, an information system may have potential
impact levels of high for confidentiality and integrity, and moderate
for availability according to the FIPS 199 definitions of potential
impacts. These values can then be input into the CVSS calculator for the
environmental metric impact subscore modifiers. Once these values have
been entered, the final CVSS score will be adjusted appropriately,
resulting in a CVSS score that is specifically tailored to the target
environment. However, a CVSS score only assesses the relative severity
of a vulnerability when compared to other vulnerabilities and does not
take into account any security controls that might mitigate attempts to
exploit the systems, such as firewalls, antivirus software, intrusion
detection and prevention systems, and authentication mechanisms. CVSS
scores are intended as an aid in making decisions about security
controls and are only one element of many factors that should be
considered.
Using CVSS with Security Content Automation Protocol
The Security Content Automation Protocol (SCAP) is a method for using
specific standards to enable automated vulnerability management,
measurement, and policy compliance evaluation, such as FISMA compliance.
Specifically, SCAP is a suite of selected open standards that enumerate
software flaws, security-related configuration issues, and product
names; measure systems to determine the presence of vulnerabilities; and
provide mechanisms to rank (score) the results of these measurements to
evaluate the impact of discovered security issues. SCAP defines how
these standards are combined. CVSS is one of the six vulnerability
management standards that compose SCAP. More information on SCAP and how
it benefits federal agencies and other organizations is available at
http://nvd.nist.gov/scap.cfm.
Recommendations for Using the CVSS
NIST recommends that federal agencies and other organizations adopt the
Common Vulnerability Scoring System (CVSS), which provides a standard
method to rate the severity of vulnerabilities within their systems. The
National Vulnerability Database (NVD) provides a standard set of federal
government-validated CVSS scores. Together, when incorporated into
security products, the NVD and the CVSS enable organizations to
understand the impact of the vulnerabilities on their systems.
Furthermore, the impact ratings will be the same even when the
vulnerabilities are discovered by multiple security tools used in
different organizations. This allows for a dependable comparison of the
severity of vulnerabilities between federal government systems and
between the government and other organizations. By watching the CVSS
scores of discovered vulnerabilities over time, organizations can more
easily identify vulnerability trends. Then with an effective security
program implemented, organizations will see improvements in their
vulnerability metrics over time.
More Information
NIST publications assist organizations in planning and implementing a
comprehensive approach to information security. For information about
NIST standards and guidelines that are referenced in the CVSS guide, as
well as other security-related publications, see NIST's web page at
http://csrc.nist.gov/publications/index.html.
Publications specifically related to the CVSS include:
NIST Special Publication (SP) 800-51, Use of the Common Vulnerability
and Exposures (CVE) Vulnerability Naming Scheme, advises federal
agencies to acquire and use security-related IT products that are
compatible with the CVE vulnerability naming scheme, and to periodically
monitor their systems for applicable vulnerabilities, using automated
software tools.
NIST SP 800-40, version 2.0, Creating a Patch and Vulnerability
Management Program, provides guidance on management practices that can
prevent the exploitation of IT vulnerabilities.
Disclaimer:
Any mention of commercial products or reference to commercial
organizations is for information only; it does not imply recommendation
or endorsement by NIST nor does it imply that the products mentioned are
necessarily the best available for the purpose.
Elizabeth B. Lennon
Writer/Editor
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 975-2378