Security Basics mailing list archives

Re: cvss questions
From: krymson () gmail com
Date: Tue, 22 Nov 2011 21:43:16 GMT

First, you should be able to tailor any measure to get what you want. The key is really being able to justify it (you 
justified it to me in your question) and to be consistent with future applications of your values.

Second, I think you should leave the Target Distribution score alone, but instead change the Collateral Damage Potential 
(CDP) to compensate.

Third, if you have a small number of mission/life critical systems that will always score low because they're only a 
small number of your total systems, then I would even say they need to be scored entirely separate from your main 
group. They probably should always be top priority no matter what. Then take just that section of systems and redo your 
calculations. For instance, if you just take your 20 mission/life critical systems instead of your 10,000, your Target 
Distribution score could be 1.0 if all 20 of those systems are affected.

You could also increase the Confidentiality Requirement, Integrity Requirement, and Availability Requirement to match.

Essentially, what I read into your description is that this group of systems needs to be evaluated separately.

It wouldn't ever make sense that an issue that affects 80% of your low value systems means more to your organization 
than a mission/life critical update on 1% of your systems. But that really has nothing directly to do with the 
vulnerability itself; only when it has context with the assets affected.

Moving forward, it's possible the CVSS is very vulnerability-centric, rather than being asset-centric, meaning it 
really doesn't handle valuating your assets and the criticality of patching them. Only the importance and criticality 
of the vulnerability itself.

<- snip ->

Recently, my company has started using CVSS v2 for our metrics.

I'm satisfied with the corresponding values I get from the score calculator *until* I add in the "Target Distribution" 
score, which drastically cuts down on the vulnerability's "Overall CVSS Score."

As I understand it, and as the CVSS v2 manual states, the field "Target Distribution" is "the portion of vulnerable 
systems on the network."

Since my client has a large and varied network, vulnerabilities will always get the "target distribution" of 0%-25%.

This means my "Overall CVSS Score" gets dropped from a high rating between 8-10 to around 1.5 - 2.5 when target 
distribution is set to 0%-25%. Even if the targeted computers are mission critical, and their failure can result in 
loss of life, the corresponding value gets reduced.

Is my understanding of "Target Distribution" incorrect?

Is it ethical to set the "Target Distribution" to "Not Defined," even if I know exactly how many machines will be 
affected? If it is ok to do this, what justification can I provide if questioned on why the value was skipped?

Thanks for your help!
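
The scoring options discussed in this thread, worked through as an added example that is not part of either message: it applies the CVSS v2 environmental equations to one vulnerability scored across the whole network and again for the critical group on its own. The sample vector and the function names are constructed for illustration, and temporal metrics are assumed Not Defined.

```python
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2 specification.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}
CDP = {"ND": 0.0, "N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5}
TD = {"ND": 1.0, "N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0}
REQ = {"ND": 1.0, "L": 0.5, "M": 1.0, "H": 1.51}  # CR / IR / AR

def r1(x):
    """Round to one decimal, half up."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))

def environmental(vector, cdp="ND", td="ND", cr="ND", ir="ND", ar="ND"):
    """Environmental score; temporal metrics are assumed Not Defined (1.0)."""
    m = dict(part.split(":") for part in vector.split("/"))
    adj_impact = min(10.0, 10.41 * (1 - (1 - CIA[m["C"]] * REQ[cr])
                                      * (1 - CIA[m["I"]] * REQ[ir])
                                      * (1 - CIA[m["A"]] * REQ[ar])))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f = 0.0 if adj_impact == 0 else 1.176
    adj_base = r1((0.6 * adj_impact + 0.4 * exploitability - 1.5) * f)
    return r1((adj_base + (10 - adj_base) * CDP[cdp]) * TD[td])

def compare(vector):
    """Score one vulnerability under the options discussed in the thread."""
    return {
        "base (all environmental metrics Not Defined)": environmental(vector),
        "whole network, TD=Low": environmental(vector, td="L"),
        "whole network, TD=Low, CDP=High": environmental(vector, cdp="H", td="L"),
        "critical group alone, TD=High, CDP=High, CR/IR/AR=High":
            environmental(vector, cdp="H", td="H", cr="H", ir="H", ar="H"),
    }

if __name__ == "__main__":
    sample = "AV:N/AC:L/Au:N/C:P/I:P/A:P"  # constructed sample vector
    for label, score in compare(sample).items():
        print(f"{score:4.1f}  {label}")
```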


