According to the vulnerability database, CVE Details, there were over 14,000 vulnerabilities discovered in 2017, which was over double the 6,000 plus vulnerabilities discovered in 2016. Each of these vulnerabilities can pose as a serious threat to organizations as they could potentially provide attackers with gateways into corporate networks. As a result, most organizations will use a scoring system to understand how significant a threat each of the vulnerabilities can pose.
The most popular scoring system organizations will rely on today is the Common Vulnerability Scoring System (CVSS). The main purpose of CVSS is to assign a score to vulnerabilities, which allows IT security teams to prioritize responses and resources according to the severity of the threat. Scores range from 0 to 10, with 10 being the most severe and zero being just informational
CVSS allows security teams to understand the level of threat a vulnerability can pose, however the scoring is generic, so it only indicates the perceived risk, not the actual risk that relates to a specific organization.
For instance, while CVSS may allocate a vulnerability with a low severity score, this does not guarantee the vulnerability will be low severity according to your organization. Essentially, what may be insignificant to one organization could be detrimental to another.
This means CVSS can give a good indication about vulnerabilities from a global view, but security teams will need to develop their own unique scoring system, which evaluates the risks and vulnerabilities that specifically pose the biggest threat to their business.
Identifying what matters most to your organization
When it comes to building your organization’s own unique risk-score, the most important thing to identify is what information is stored on the corporate network and what is being done to protect it?
Most organizations today will hold some form on personally identifiable information (PII) on both its customers and its employees, they will also store intellectual property information as well as financial data and login details.
Any of these types of data will likely be classed as confidential and there would be serious implications, like GDPR fines and loss of customer trust, if they fell into the wrong hands. It is therefore critical that management and security teams understand how each of these pieces of data are stored, secured and how they are accessed.
If the information can be accessed from outside the corporate network, then the risk can increase significantly as this means it could be easier for attackers to gain access to the information. It is also important to understand who is accessing certain pieces of sensitive information as this could also change the risk-score.
It is also recommended that security teams try to understand what attack types could put them at the greatest risk. For instance, while a DDoS attack could have a significant impact on revenue and customer trust, it is unlikely to result in the loss of data. However an SQL Injection attack could have a detrimental impact on trust, data leakage, availability and revenue.
To have a clear risk score, security teams should look at the various attack techniques and work out what the worst-case scenario would be if they were targeted. This will allow them to understand what could cause the most damage and what areas of the network and datasets are least prepared should they ever suffer such an attack.
Once management and IT security teams have a clear understanding of these issues, they can then confidentially assign each business unit, or even as granular as individual systems, a risk-score. They should then prioritize the assets with security issues which could cause the biggest risks to the business.
Meaningful security risk-scoring
While CVSS is a good generic scoring system, as it provides a common starting point between all security monitoring and testing systems, in order to have a clearer understanding of an organization’s actual risk-score, it is important for security teams to put a little business perspective into analysis as this will provide a clearer view.
This involves analyzing risks according to the organization by having an accurate view of the information held on the network and having a clear understanding of how it is stored, protected and accessed.
Security teams should then take this data and use it to make meaningful and informed decisions to help improve the organization’s overall security by focusing on the issues which pose the biggest risk to them.