Vulnerability Scoring Methodologies

00:00

All right. So welcome to less than 3.5. We're gonna be talking about vulnerability scoring methodologies. Uh, this is really it's one of my favorite topics within vulnerability management. I think it's so important to understand what vulnerability scoring means and how to use it to your advantage.

00:16

Eso In this video, we're gonna talk about some of the different vulnerability scoring methodologies, Stevie SS, which is obviously huge and vulnerability management.

00:24

A tenable VP are, ah, las burst grading and bold cat. And these air really just to give you an idea of all the different tools and methodologies that are out there, that can really help you understand, Ah, vulnerability management for your environment.

00:40

So a CV assess the common vulnerability scoring system.

00:43

So I'm a big fan of CBSS. Uh, it's It's the industry standard for providing a numeral numerical score for vulnerabilities. What I think sometimes people don't realize is that it's a score for a vulnerability. It's not meant to be taken at,

01:00

you know, face value. It's meant to be used to help aid in your vulnerability management and remediation efforts,

01:06

so they'll score something at a 10. But it will be based on you know how someone would be able to use this vulnerability in the environment. Eso current versions at 3.1 um, you're gonna be ranked on low, medium high in critical.

01:21

And then those scores are all based on based temporal and environmental metrics. I won't go too far into that, but that's just how they actually calculate what the score will be and all the vulnerabilities air scored in stored in a the N v D, which is the national vulnerability database. So,

01:38

uh, CBss is kind of our common system for how we

01:42

identify criticality of a single vulnerability.

01:47

So tenable v p. R. I mostly bring this up not to be product specific, but just there are many other tools out there that can help you do this to This is just one I chose to kind of discuss, because it it helps give you an idea of your specific environment so that you can tailor

02:04

vulnerability scoring on metrics into your environment

02:08

so it stands for vulnerability. Priority reading. So tenable uses this kind of combination of machine learning throat until, um, and then you can actually go in and say, you know, this system is more important than this system. You know, A is more important than be

02:23

s. So that way you can use predictive prioritization. That's their term for kind of how you figure out

02:30

how to prioritize your vulnerability remediation efforts.

02:34

Um,

02:35

so you're determining theoretical risk from actual risk. So that way you can kind of help figure out what's going on in your specific environment. Um,

02:45

I mentioned here Rapid seven has similar methodologies, a similar way to kind of prioritize risk and vulnerability management practices because their lots of tools out there, I think it's just important to highlight that you kind of go that extra step. You add that extra maturity when you go from just looking at a vulnerability score

03:02

toe, adding that threat intel into the model.

03:07

A wasp. A wasp is great. Um,

03:09

these are It's a way to kind of like look at risk. Creating a wasp is a lot of great things. They do their top 10 you know, vulnerabilities or types of vulnerabilities that they're seeing, but they also have a risk rating. There's more information on this to where you can identify the risk. So we're looking at?

03:28

What's the threat, agent? What's the attack

03:30

Vector? What are we looking at here? You're adding all these things together to kind of create your risk rating.

03:38

So then we're gonna look at what's the likelihood? You'll likelihood, I think is really important and not talked about enough because the likelihood of the attack is just is important. Let's say I'm a small business and I've got this big application. Um, you know, But I have one customer and it's a low profile customer. It's not, you know,

03:57

we're not talking about, you know, having this like, huge business, you know, we're not talking about like a Fortune 500 company. We're just talking about a company just getting started out. The likelihood of an attack. It would have to be a pretty targeted attack if they were looking at that specific software or if they had a vendetta against your specific company. So the likelihood of

04:16

and exploit is probably a lot lower than, say, a bigger organization.

04:20

Factors for estimating impact. So what's the impact? Technical is a business. How is that actually going to impact my system

04:29

and then, of course, severity. So what? What's the severity off this attack, a zit informal isn't repeatable. Is someone constantly just skating my network? Uh, s I'm not really as worried about that as I am about someone who is targeting a specific, you know, server or application on. But what do I fix your star with? The most severe,

04:48

you know, how do I fix that

04:50

on? And then you're gonna customize that based on what your organization is and what's important to you. So adding those weight factors, um, giving weight to system's giving weight to vulnerabilities that you can say what's most important?

05:04

Ah, vole cat. I like to bring this up because a lot of times when we talk about vulnerability Manager, we talk on Lee about OS or application level patches, but this is really important. Vote Kat can help you identify software security errors. It's kind of like a taxonomy, um,

05:23

which includes software security, Miskin, fake configurations.

05:27

What we're talking about vulnerability, prioritization.

05:30

So phone cat looks at order, importance all these different variables when we're looking at software security, So understanding time and state ap I abuse encapsulation all of those things. I think it's just a great resource

05:46

for someone who's interested in learning more about software security errors and wants to get a fuel for what might actually be out there. What are the important security threats when talking about a secure code?

05:57

So in this video we talked about what CVS is. CBSs is what it means to vulnerability. Scoring what tenable V. P R. Is. And some other tools basically, how machine learning can assist in vulnerability management and remediation efforts.

06:13

What the oh ah, spirits. Creating is how you can use it in your environment on. And then why I saw for securities important vulnerability, scoring and just being aware of some tools on some repositories out there that are available for review