CVSS without a sound CMDB is a Total Waste -- Show me the Data!
Andres Calderon
You should not use the Common Vulnerability Scoring System (CVSS) without a sound Configuration Management Database (CMDB). CVSS is maintained by FIRST and is the scoring scheme that NIST's National Vulnerability Database publishes for each CVE; a CMDB is your authoritative inventory of assets and their relationships. They are two separate components of an information security program, but they have to be used together if vulnerability and consequence management is to mean anything. Using only CVSS is myopic.
CVSS Score:
CVSS provides a standardized method for rating the severity of a vulnerability. In CVSS v3.1 it has three metric groups: Base, Temporal, and Environmental. Each group measures a different aspect of a vulnerability and its potential consequences.
1. Base Metrics: These describe the intrinsic characteristics of a vulnerability, its exploitability and its impact, and they do not change over time or from one environment to another. The base metrics are divided into two groups:
a. Exploitability Metrics: Attack Vector, Attack Complexity, Privileges Required, and User Interaction. These describe how the vulnerable component can be reached and triggered. They are qualitative properties of the flaw, not a measured frequency or probability of exploitation, so the Base score by itself says nothing about whether anyone is actually attacking you.
b. Impact Metrics: The Confidentiality, Integrity, and Availability impact on the affected component, with the Scope metric recording whether that impact spills over into other components. This is the consequence if the vulnerability is exploited.
2. Temporal Metrics: These account for the aspects of a vulnerability that change over time: Exploit Code Maturity, Remediation Level, and Report Confidence. They move the score closer to current risk by considering whether a working exploit exists, whether an official fix, temporary fix, or workaround is available, and how confident we are in the report. Note that Remediation Level records whether a fix exists, not whether you have applied it; that is what your CMDB and patch records tell you. In other words, once the Java upgrade goes in tonight and the CMDB shows it, stop sending that team notifications about it.
3. Environmental Metrics: These capture the context of the affected asset in your environment. They consist of the Security Requirements (how much confidentiality, integrity, and availability matter for this particular asset) and the Modified Base metrics, which override the Base values to reflect compensating controls around the asset. You need to account for where the asset lives: is it micro-segmented, or is it in the DMZ?
You need a sound CMDB:
Prioritization: By joining CVSS scores to the CMDB, organizations can prioritize their response to vulnerabilities by the criticality of the affected assets, and focus their resources on the most severe vulnerabilities in their most important systems. Using only the CVSS Base score is not good enough; it is in fact a waste of time. Show me the data!
Impact Analysis: Using the CMDB's record of asset dependencies, organizations can assess what an exploit would actually affect in their environment, understand the consequences, and allocate resources accordingly. Without a sound consequence analysis you are blind.
Patch Management: By associating CVSS scores with the affected assets in the CMDB, organizations can streamline their patch management: quickly identify the systems that require immediate attention, and order patch deployment by both the severity of the vulnerability and the importance of the affected asset.
Failed patches are a reality, but combining asset context with the temporal side of CVSS gives you actionable risk appetite baselines. Make it actionable and spend your resources where they matter!
Risk Assessment: Combining CVSS and CMDB information lets organizations assess their overall risk posture and make informed decisions about allocating resources to vulnerability management and other security initiatives.
Without the environmental and temporal elements, we are implicitly assuming that every system is exposed to the internet and that every system is equally critical.
How can we dare to call this a risk assessment without using the entire CVSS score?
Conclusion:
In conclusion, while the Common Vulnerability Scoring System (CVSS) offers a standardized framework for rating the severity of vulnerabilities, without the context of a sound Configuration Management Database (CMDB) you are spinning your wheels while myopically focusing on misplaced risks.
Without the necessary data, stop and ask yourself whether "just checking the box" is part of the solution, or whether you are part of the problem.
Comment (1 year ago): You should probably just not use CVSS at all.