Secret #1 of Vulnerability Scanning: CVSS Is Only Part of the Picture

This is the first post by Ed Bellis in a three-part series on Vulnerability Scanning. To view all five secrets and two common “gotchas” of vulnerability scanning, please click here.

Information security can be a thankless job. I know, I’ve lived it first-hand. When I ran Security at Orbitz, it was absolutely critical that my team and I stayed on top of threats, attacks and potential exploits. And we had to ensure that our execution was flawless, every day, despite the fact that the influx of new data and threats was never ending. Any slip up could put the company at risk.

While in the trenches, we developed a series of best practices for working with vulnerability scanners such as Qualys, Nessus, Rapid7, WhiteHat and the rest. I found that following these practices dramatically improved our company’s security posture, and helped all of us sleep a lot better at night. Well minus those dealing with small children in the middle of the night.

Here’s what we learned:

1. CVSS is great. But it’s only part of the picture.

CVSS is table stakes these days when examining vulnerability scan results, but you need to be careful to not place too much reliance on CVSS when prioritizing your remediation tasks. CVSS has the ability to add temporal data in the effort to account for changing threats; however, temporal scores can only lower and not raise the actual score. I’ll say that again… temporal scores can only lower and not raise the actual score. So if you look at CVSS and only focus on the 8’s, 9’s and 10’s, you may be missing the real priorities.

Let me give you a hot button, commonly referenced example: the Heartbleed vulnerability exposed the majority of web servers running over SSL on the Internet and allowed for the leaking of data (including the very encryption keys that protected them). But how did CVSS rate Heartbleed? It scored at only a five.

Why did CVSS misread Heartbleed so badly? The scoring system doesn’t allow for a high score on a vulnerability whose impact is “information leakage,” even though in this case the information being leaked could have been—and was—highly sensitive. You have to take into account an ever-shifting threat landscape and model, asset priorities, and mitigating controls in order to take a holistic approach to prioritized remediation.