Risk and CVSS (Post 4)

We are now up to the CVSS “Environmental Metrics” group. According to the CVSS documentation, this group ‘captures the characteristics of a vulnerability that are associated with a user’s environment’. This group is also optional from a scoring perspective and is intended to be completed by someone familiar with the environment the vulnerability resides within.

In “Post 1” I mentioned that CVSS does not take into consideration “threat event frequency” or how often I expect to get attacked nor does it take into consideration “loss event frequency”; how often I expect to realize a loss. The “environmental metric” does not fill this void either – but there is still value in being able to quickly analyze vulnerability in the context of these metrics – again, as contributing factors to various FAIR risk taxonomy elements.

FAIR & CVSS "Environmental Metrics) Mapping


Collateral Damage Potential. This metric measures the potential for loss of life or physical assets through damage or theft of property. Now real quick, I scoffed when I saw the loss of life – and none of the risk issues I have ever dealt with ever involved estimating loss of life. However, there are real life examples of software defects (essentially vulnerabilities) that have loss of human life implications. Take a look at “Geekonomics” by David Rice, there is some fascinating information in the book that will give you a whole new perspective on vulnerabilities. Getting back on track, the collateral damage metric maps very well to the “probable loss magnitude (PLM)” branch of the FAIR taxonomy. I do not want to dive into PLM right now – but let me state this – the word potential is not the same as probable, nor does it imply expected loss. So with the CVSS metric it could be very easy for someone to err on the side of a worst case loss versus choosing a value that best resembles expected loss. Either way, with CVSS this would just result in the CVSS score being raised. I would prefer to see a value in terms of dollars; whether it is monetary ranges or actual expected loss amounts based off simulations.

Target Distribution. This metric measures the proportion of vulnerable systems. I like this metric and I think it can be very useful as a contributing factor to the FAIR taxonomy element “threat event frequency”; specifically “threat contact” and possibly “threat capability”. The number and placement of vulnerable systems in my environment could directly factor into how often or what type if threat agents I expect to come into contact with the vulnerable systems – let alone attack them. Remember, within FAIR – attacking an asset with a vulnerability does not guarantee loss. We have to take into consideration the ability of the attacker to overcome the control resistance applied to the asset.

Security Requirements. These metrics enable the analyst to customize the CVSS score based on the importance of the affected IT asset to a user’s organization in terms of confidentiality (CR), integrity (IR), and availability (AR). Possible values include: LOW, MEDIUM, HIGH, or NOT DEFINED. These metrics were designed to work with the CVSS “Base Metrics” group; specifically the CIA Impact metrics. So if the vendor analyst states that a vulnerability has a Confidentiality Impact, and the analyst for the organization that has the vulnerable asset states that her or his organization has a Confidentiality Requirement – then the CVSS score could increase. Sounds pretty straightforward – seems to map nicely into the PLM branch of the FAIR taxonomy. Specifically, as contributing factors to estimating loss should the vulnerability be exploited and a loss occur.

It is too bad that the CVSS environmental metrics are optional. I understand why they are and regardless of CVSS generating a score and not taking into account loss event frequency – just imagine how much more informed a security folks and decision makers could be if they took a few more minutes to analyze a given vulnerability and the CVSS score that was provided to them from a vendor in light of these metrics.

In the next (and final) CVSS post, I will share some final thoughts on CVSS and finally put a nail in what was not intended to be a series of posts. Thanks for reading!


Comments are closed.

%d bloggers like this: