What is CVSS (Common Vulnerability Scoring System)?

The Common Vulnerability Scoring System (CVSS) is a standard for uniformly assessing the severity of vulnerabilities in computer systems on a point scale from 0 to 10. CVSS is currently available in version 3.1 and distinguishes the severity classifications “none”, “low”, “medium”, “high” and “critical”.

What is CVSS?

The acronym CVSS stands for Common Vulnerability Scoring System. It is a standard that can be used to uniformly assess the vulnerability of computer systems and the severity of security vulnerabilities. This makes the vulnerability of different systems comparable. The advantage of this is that potential threats can be better assessed and countermeasures better prioritized.

Work on the CVSS began in 2005 on behalf of the National Infrastructure Advisory Council (NIAC), a working group of the U.S. Department of Homeland Security. Today, the Forum of Incident Response and Security Teams (FIRST) is responsible for the continued development of the standard.

Various companies and organizations such as Cisco, IBM, Microsoft, and the CERT (Computer Emergency Response Team) are involved in its development. Version 3.0 of the standard was released in 2005. A major innovation of version 3.0 was the introduction of the keywords “none”, “low”, “medium”, “high” and “critical” for the different severity levels of a vulnerability. The currently valid version is CVSS 3.1 from 2019. Various manufacturers have adopted the open standard for their products and in some cases made their own adjustments.


Details of the Common Vulnerability Scoring System

The Common Vulnerability Scoring System has a metric structure and is based on values that are divided into the three groups “Base”, “Temporal” and “Environmental”. To determine the vulnerability scores, each group has its own rules. The values of the Base group are invariant in time and remain the same in different environments.

The Temporal group takes the time dependency of a vulnerability into account. For example, a system's exposure to a particular vulnerability decreases over time as more and more countermeasures such as patches become known and available. The Environmental group incorporates criteria of the specific IT environment into the assessment. A CVSS score that takes all three groups into account therefore describes the severity of a vulnerability for a specific computer system in a specific environment at a known point in time.

CVSS ratings are numerical values on a scale of 0.0 to 10.0, where 10.0 denotes the highest severity. Since CVSS 3.0, the numerical values are additionally mapped to the descriptive severity levels “none”, “low”, “medium”, “high” and “critical”. The classification follows this scheme:

  • None: a value of 0.0
  • Low: a value of 0.1 to 3.9
  • Medium: a value of 4.0 to 6.9
  • High: a value of 7.0 to 8.9
  • Critical: a value of 9.0 to 10.0

Advantages of using CVSS

There are a number of benefits to using the Common Vulnerability Scoring System. The uniform assessment of a vulnerability, which is compatible between different environments and systems, allows countermeasures to be prioritized according to the severity of the vulnerability.

There are also databases from which the ratings of known vulnerabilities can be looked up quickly when needed. Since a CVSS score is calculated according to publicly known criteria and rules, the resulting values are transparent and reproducible.