Dozens of new vulnerabilities surface every day. These vary widely, with CVE scores ranging from 0 to 10. The higher the score, the more alarming the messaging. Interestingly, the most dangerous cyber threats quite often don’t achieve a high score on this scale. As an organization, how do you know when a vulnerability is actually serious?
The most prominent security incidents of the past decade show that vulnerabilities do not have to be critical to cause extensive damage. For example, the Heartbleed bug in OpenSSL, discovered in 2014, caused a global security crisis. However, its CVE scores of 5.0 (medium, CVSS 2.0) and 7.5 (high, CVSS 3.0) suggest that the vulnerability itself is not critical.
There are exceptions: the infamous Log4Shell received a 9.3 (CVSS 2.0) and 10.0 (CVSS 3.0) within those same scales. Although numerous organizations are still vulnerable to Log4Shell, many companies have taken action. Sounding the alarm therefore may make sense, but if it happens too often, it loses credibility. CVSS scoring has so far failed to heed that warning.
The intent behind CVSS
The U.S. government organization NIST is the founder of the Common Vulnerability Scoring System (CVSS). It says this standard is “well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability severity scores.”
Tip: API security is starting to get the attention it deserves from organizations
But: CVE scores do not measure the risk of a vulnerability, NIST points out. Late last year, with the introduction of CVSS 4.0, widespread feedback was incorporated by FIRST, which since 2005 has been responsible for providing upkeep to the scoring system. In addition to focusing on OT and IoT dangers, the scoring would be made more useful for assessing the actual danger of a vulnerability.
Thus, CVSS 4.0 is expected to better reflect the reality of cyber dangers. We will come back to that later. Regardless, the assumption that higher CVE scores are more dangerous is a persistent one. Late last year, a CyRC report showed that fewer software systems contained vulnerabilities than before. At the same time, the percentage of critical vulnerabilities increased, which a Synopsys security lawyer likened to a decrease in traffic accidents and a simultaneous increase in fatalities.
That doesn’t add up. A high CVE score (below CVSS 2.0 and CVSS 3.0) does not create the most dangerous security incidents. As the earlier example showed, the scoring can fail to capture serious threats to organizations. The reason security teams prioritize such vulnerabilities is because high CVE scores are indicative of something else entirely. The factors that determine the score are manifold. They highlight, among other things, the attacker’s freedom of movement after an exploit, the difficulty in achieving remediation and the impact on IT system availability. That all means that security teams go the extra mile to protect against such threats, curbing the amount of exploits of critical vulnerabilities significantly.
Version 4.0 has high expectations, but there’s still a lack of context
FIRST is ambitious with CVSS 4.0. It argued that 4.0 will be a “game-changer” for the security world. To specify its claims, it highlights (among other things) that the ambiguity of scores should be reduced and recovery attempts will be weighted more heavily.
Yet CVE scores still contain a fundamental problem: it says little about what it means for a specific organization. If a vulnerability causes downtime in a video service, that’s an irritation to one company and catastrophic to another. Aquia CISO Chris Hughes, therefore, calls CVSS “not broken,” but flawed. “The unfortunate reality is that in an industry that is often led by marketing hype and promises of silver bullets, there isn’t one.”
Where do we want to go from here?
A company like Hadrian Security touts the importance of threat intelligence. This involves experts looking at the actions and motivations of cybercriminals and which victims are facing a genuine risk. Other security companies like CrowdStrike also emphasize the detection of and resistance against active threats. Other than consistent patching and the monitoring of network traffic, there is no way to know for yourself where the actual danger is coming from.
Critical vulnerabilities prevent some of the most serious threats, but merely looking at the CVE score is not a solution. For example, software company JFrog advocates a revision of CVSS that emphasizes the potential damage dealt by vulnerabilities in standard configurations. Also, the alternative EPSS (Exploit Prediction Scoring System) has been around for years, but according to senior director of security research at JFrog Shachar Menashe, it has not yet proven itself and its implementation is not transparent.
Either way, the reality assumes containment rather than prevention of cyber dangers. Prevention of downtime and prevention of data breaches are given priority, not the wholesale eradication of any hostile activity. Hence, experts repeatedly point to defense-in-depth techniques, where zero-trust principles, for example, prevent a single hijacked account from doing lasting damage. It is the real attack paths of criminals that are thus cut off, regardless of the nature of potential vulnerabilities being exploited. Staring endlessly at high CVE scores is of no use in that regard. It also suggests that a low score is less likely to require action, which doesn’t do justice to the real-world cybersecurity landscape.
Targeting exploitability, not high CVE scores
To determine whether a critical vulnerability is actually serious, an organization should look at its own context. What access does the software one uses have? How exploitable is its own IT environment, and from which accounts can it be meaningfully altered? If there aren’t clear answers to those questions, patching for critical vulnerabilities leads to a false sense of security.
In doing so, filtering out the noise is necessary. Several security solutions are capable of doing this. SentinelOne Singularity, for example, is a comprehensive EDR platform, where providing concrete alerts and insights about cyber threats provides clarity to security teams. With the recent acquisition of PingSafe, SentinelOne extends this to CNAPP, which provides concrete insights to distinguish “crucial signals from the irrelevant noise.” Specifically, that means looking at the exploitability of vulnerabilities, not their CVSS-informed severity. It’s a far better representation of what actually threatens the daily operations of an organization than a CVE score ever will.
Also read: SentinelOne acquires PingSafe and takes big step in cloud security
22 hours ago
