4

From CVSS v2 complete guide :

"Security (Risk) Management: Security Risk Management firms use CVSS scores as input to calculating an organization's risk or threat level. These firms use sophisticated applications that often integrate with an organization's network topology, vulnerability data, and asset database to provide their customers with a more informed perspective of their risk level."

My precise question is: How are CVSS Scores used in calculating org's risk ? CVSS Scores are calculated per exploit, curious how they are extrapolated for entire org's risk level? Imagine we inventory every application, host etc in the network, we perform thorough scans of Nessus or Qualys etc. and then we have CVSS scores of known exploits. But how are they stitched together to show the risk posture of entire network?

Any references or pointers would be of great help.

Bob Ortiz
  • 6,234
  • 8
  • 43
  • 90
sashank
  • 511
  • 5
  • 17

1 Answers1

6

First of all, there are three different metrics to calculate the global CVSS score. These are: Base Metrics, Temporal Metrics and Environmental Metrics.

Temporal Metrics and Environmental Metrics are optional and these are calculated using the Base ones as an input value. To have a better overview of these metrics and their equation, take a look of this picture:

cvss score
(source: first.org)

Generally, the base and temporal metrics are specified by vulnerability bulletin analysts, security product vendors, or application vendors because they typically have better information about the characteristics of a vulnerability than do users. The environmental metrics, however, are specified by users because they are best able to assess the potential impact of a vulnerability within their own environments.

That means that the user must provide the environmental metrics whereas a vulnerability scanner might provide the others.

As far as I know, Nessus includes just the Base and the Temporal Scores. Thus, Nessus is not able to get the value of the Environmental metrics. The environmental metrics depends on the organization's necessities.

Otherwise, if you want to calculate the CVSS score using the Environmental Metrics, you can not use an automatized vulnerability scanner as Nessus. You would need to assess the system and decide the threat that the organization is capable to bear.

In order to calculate the global CVSS score, you can mix the results of a Nessus scan with the assess of the system.

There is available a CVSS v2 calculator

In addition, it looks as if Qualys works in a similar way. The scanner provides the Base and the Temporal Score, moreover the user provides the Environmental metrics.

The CVSS Environmental Metric group captures the characteristics of a vulnerability that are associated with the user's IT environment.

More information of Qualys and CVSS

I suppose that the global CVSS Score should take the worst situation possible.

Community
  • 1
crato
  • 124
  • 3
  • down voted because , i did not get the answer , you have just explained various scores of CVSS and then how others provide such calculations. the last line is what i wanted to know more , i dont think worst situation possible would give better indicators – sashank Mar 04 '14 at 02:49
  • @sashank I have explained you the different scores of CVSS just to put you in context. In a vulnerability scan, for instance: you detect 5 vulnerabilities: 2 warnings, 2 medium and 1 high. The worst situation would be the 'high' one. Nessus does not stich the CVSS, so you should get the highest CVSS score that Nessus gives you and go ahead. That is, using the CVSS calculator with your needs and the CVSS from Nessus. I don't know too much about Qualys, but according to the [link](https://qualysguard.qualys.com/qwebhelp/fo_help/setup/cvss_scoring.htm) it should calculate the global CVSS – crato Mar 04 '14 at 09:45
  • @sashank CVSS scores are used "as input" to the organizational calculations. They are raw data scores without relevance. You don't extrapolate, you interpolate. By combining those scores with a relevance metric, such as the environmental score, you get an organizational score. crato gave you the answer you asked for. – schroeder Mar 05 '14 at 00:31