The Common Vulnerability Scoring System (CVSS)
First Published: X-Force Monthly Magazine
Over the years I’ve seen, and used, a diverse range of methods to
evaluate and explain the risks associated with a particular security threat
or vulnerability. Depending upon the audience and the nature of the
environment being evaluated there has always been – and always will be – a
frequent need to reclassify the severity of a finding. This is
particularly relevant when making use of findings derived from automated
security tools.
A pet hate I’ve always had relates to consultants who insist upon producing
client reports by mindlessly copying tool-discovered vulnerability
information without any reflection upon the environmental context of the
security assessment. By failing to incorporate this information in
their analysis they can cause confusion and may actually weaken an
organization’s security as the client diverts valuable resources to address
incorrectly prioritized risks.
The output of these automated tools, while often extremely detailed about
every vulnerability uncovered, should only be used as a guide for
remediation, not for prioritization. Even though the descriptions
invariably include a “Risk” value, that value is assigned without any
knowledge of the environment and really only represents the potential
impact of exploitation.
This tool-based “Risk” value, while not necessarily accurate enough for
prioritization, still forms a solid basis for understanding the significance
of a security finding, assuming it comes from a reliable source. The
source caveat is important. Each vulnerability assessment tool rates a
vulnerability’s risk differently, with its evaluation dependent upon the
original source of the information, the research that went into its
evaluation and the granularity of the ranking system (e.g. three-tier:
High, Medium, Low; or four-tier: Critical, High, Medium, Low).
If one tool evaluates the risk of a vulnerability as High in a three-tier
ranking system, while another evaluates the same vulnerability as Critical
in its four-tier system, is it High or Critical? The same confusion arises
when reading the original vulnerability advisories: it is not uncommon for
the original discoverer of the vulnerability to rank its “Risk” higher than
that claimed in the affected vendor’s advisory publication.
All this could be about to change. There is now growing momentum
behind the adoption of a new, more consistent, vulnerability scoring
mechanism – the Common Vulnerability Scoring System (CVSS).
CVSS is a framework designed to be used by vendors, consultants and clients
alike to calculate a composite score for a vulnerability based upon severity
and risk. Using 12 evaluation metrics split into three groups, CVSS
aims to provide a consistent platform for calculation and incorporates
temporal as well as environmental data to arrive at a score.
Once security tools start supporting CVSS, it is likely we will see a change
in the way an organization manages vulnerability prioritization and
remediation. Vulnerability assessment tools will then be able to supply
the seven metrics that make up the Base metric group: static properties of
the vulnerability itself, such as the access vector, access complexity,
authentication requirements, the traditional confidentiality, integrity and
availability (CIA) impact values, and the impact bias that weights those
three impacts against each other.
Temporal data, such as whether exploit or proof-of-concept code is
circulating, whether a vendor patch or workaround is available, and how
well the report has been confirmed, is used to formulate the Temporal
metric group, which captures events that may change the urgency of the
threat posed by the vulnerability. This information will need to be
supplied by trusted vulnerability research teams and re-evaluated on an
almost daily basis to accurately reflect the threat.
The last metric group, Environmental, must be evaluated in the context of
the client’s organization since it factors in collateral damage potential
and target distribution: the same vulnerability can therefore score quite
differently for two clients with different exposure.
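To make the three metric groups concrete, the calculator below scores one
finding through Base, Temporal and Environmental in turn. It is an example
added to this column, not the article’s own material and not a tool from
the CVSS authors. The metric names and weights are those of the CVSS
version 1 guide (2005), the version described here; later CVSS versions
changed both the metrics and the formulas, so check the weights against
the specification you actually use before relying on them. The scanner
finding and the two client estates are constructed for illustration, and
rounding ties upwards in the rounding helper is an assumption.

```python
"""CVSS version 1 calculator: Base, Temporal and Environmental scores.

Added example, not from the article.  Metric names and weights follow the
CVSS v1 guide (2005); later versions changed them, so verify against the
specification you actually use.  The finding and the two client estates
scored below are constructed for illustration.
"""
import math
from dataclasses import dataclass

# Base metric group: seven properties of the vulnerability itself.
ACCESS_VECTOR = {"local": 0.7, "remote": 1.0}
ACCESS_COMPLEXITY = {"high": 0.8, "low": 1.0}
AUTHENTICATION = {"required": 0.6, "not-required": 1.0}
IMPACT = {"none": 0.0, "partial": 0.7, "complete": 1.0}  # used for C, I and A
# Impact bias: weights applied to the C, I and A impacts respectively.
IMPACT_BIAS = {
    "normal": (0.333, 0.333, 0.333),
    "confidentiality": (0.5, 0.25, 0.25),
    "integrity": (0.25, 0.5, 0.25),
    "availability": (0.25, 0.25, 0.5),
}

# Temporal metric group: three properties that change as events unfold.
EXPLOITABILITY = {"unproven": 0.85, "proof-of-concept": 0.90,
                  "functional": 0.95, "high": 1.0}
REMEDIATION_LEVEL = {"official-fix": 0.87, "temporary-fix": 0.90,
                     "workaround": 0.95, "unavailable": 1.0}
REPORT_CONFIDENCE = {"unconfirmed": 0.90, "uncorroborated": 0.95,
                     "confirmed": 1.0}

# Environmental metric group: two properties of the client's estate.
COLLATERAL_DAMAGE = {"none": 0.0, "low": 0.1, "medium": 0.3, "high": 0.5}
TARGET_DISTRIBUTION = {"none": 0.0, "low": 0.25, "medium": 0.75, "high": 1.0}


def round1(x: float) -> float:
    """Round to one decimal place (the guide's round_to_1_decimal).
    Rounding exact .x5 ties upwards is an assumption."""
    return math.floor(x * 10 + 0.5) / 10


@dataclass(frozen=True)
class BaseMetrics:
    access_vector: str
    access_complexity: str
    authentication: str
    confidentiality: str
    integrity: str
    availability: str
    impact_bias: str = "normal"


def base_score(m: BaseMetrics) -> float:
    """10 * AV * AC * Au * (C*Cbias + I*Ibias + A*Abias), rounded."""
    c_bias, i_bias, a_bias = IMPACT_BIAS[m.impact_bias]
    impact = (IMPACT[m.confidentiality] * c_bias
              + IMPACT[m.integrity] * i_bias
              + IMPACT[m.availability] * a_bias)
    return round1(10 * ACCESS_VECTOR[m.access_vector]
                  * ACCESS_COMPLEXITY[m.access_complexity]
                  * AUTHENTICATION[m.authentication]
                  * impact)


def temporal_score(base: float, exploitability: str,
                   remediation: str, confidence: str) -> float:
    """Scale the (already rounded) base score by the three temporal factors."""
    return round1(base * EXPLOITABILITY[exploitability]
                  * REMEDIATION_LEVEL[remediation]
                  * REPORT_CONFIDENCE[confidence])


def environmental_score(temporal: float, collateral_damage: str,
                        target_distribution: str) -> float:
    """(T + (10 - T) * CDP) * TD, rounded: collateral damage pushes the
    score towards 10, target distribution scales it by exposure."""
    cdp = COLLATERAL_DAMAGE[collateral_damage]
    td = TARGET_DISTRIBUTION[target_distribution]
    return round1((temporal + (10 - temporal) * cdp) * td)


# Constructed scanner finding: a remote, low-complexity, unauthenticated flaw
# with partial confidentiality, integrity and availability impact.
SCANNER_FINDING = BaseMetrics("remote", "low", "not-required",
                              "partial", "partial", "partial")


def worked_example() -> dict:
    """Score the constructed finding for two (constructed) client estates."""
    base = base_score(SCANNER_FINDING)
    # Proof-of-concept code is circulating, no fix exists, report confirmed.
    temporal = temporal_score(base, "proof-of-concept", "unavailable",
                              "confirmed")
    # Client A: the product runs on a few isolated lab hosts.
    lab = environmental_score(temporal, "low", "low")
    # Client B: the product runs across most of the estate, on shared
    # infrastructure where an outage would take other systems with it.
    estate = environmental_score(temporal, "medium", "high")
    return {"base": base, "temporal": temporal, "lab": lab, "estate": estate}


if __name__ == "__main__":
    for name, score in worked_example().items():
        print(f"{name:>9}: {score:4.1f}")
```

The same scanner finding (Base 7.0, Temporal 6.3) lands at 1.7 for the lab
estate and 7.4 for the widely deployed one, which is exactly the gap a
copy-pasted tool rating hides. Note that the Temporal and Environmental
scores are computed from the rounded score of the previous group, as the v1
guide does, so a calculator that carries full precision through will
occasionally differ by 0.1.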
While CVSS is likely to increase the effort required to evaluate a threat,
I’m pretty sure that clients who use the system properly will benefit from
more accurate assessments and remediation prioritization.
As for those lazy consultants who insist on copy-pasting risk values,
they’re either going to have to change their business practices or their
occupation.