August 22, 2022 By Mark Stone 3 min read

In the cybersecurity field, large databases of known threats and vulnerabilities have often been an essential resource. These catalogs show you where to focus your efforts. They’re also a good tool for prioritizing patches to increase security and mitigate the risk of disaster. As a result, these databases need to be reliable and up-to-date and use the correct criteria to assess vulnerabilities.

In November 2021, the Cybersecurity and Infrastructure Security Agency (CISA) published its Known Exploited Vulnerabilities (KEV) catalog alongside Binding Operational Directive 22-01. The directive sets a remediation deadline for each catalog entry. Those deadlines bind federal civilian agencies, but they serve as a useful benchmark for the private sector as well. The KEV catalog is a noteworthy change in the cybersecurity space because it selects vulnerabilities on a different basis than the Common Vulnerability Scoring System (CVSS), the other key resource for assessing cyber vulnerabilities: CVSS estimates how severe a flaw could be, while the KEV catalog records which flaws are actually being exploited.

How are the two systems different? Here are the pros and cons of prioritizing by the CISA catalog rather than by CVSS score alone, and what that means for security-conscious organizations.

CISA or CVSS?

The key difference between the CISA catalog and CVSS is the basis on which each ranks vulnerabilities. The KEV catalog selects and deadlines vulnerabilities on evidence of exploitation, while CVSS assigns each vulnerability a severity score.

Let’s explore those two concepts:

  • Exploitability: in the KEV sense, reliable evidence that a vulnerability has actually been exploited in the wild. (CVSS also has an Exploitability sub-score, but that measures how easy a flaw is to exploit, not whether anyone has.)

  • Criticality: a severity score from 0 to 10 that CVSS derives from the vulnerability's technical characteristics, independent of whether it has been exploited.

What is the CVSS scoring system?

To understand how the CVSS works, we need to examine its scoring system.

CVSS is an open framework, maintained by FIRST, for describing a software vulnerability's characteristics and expressing its severity as a number. CVSS v3.1 uses three groups of metrics: Base, Temporal and Environmental.

  • The Base Score rates the severity of a vulnerability from 0 to 10 according to its intrinsic properties, the ones that do not change over time or across environments: how the flaw is reached (network, adjacent, local or physical), the attack complexity, the privileges and user interaction required, whether the impact escapes the vulnerable component (scope), and the confidentiality, integrity and availability impact. In other words, absent any mitigation, this is how severe the vulnerability is likely to be.

  • The Temporal Score adjusts the Base Score for factors that change over time: whether exploit code exists and how mature it is, whether an official fix or workaround is available, and how confident the reporter is in the details. Because these change, the score needs to be re-checked on an ongoing basis. A Temporal Score can only equal or lower the Base Score, never raise it.

  • The Environmental Score adjusts for the computing environment within which the vulnerability exists. Each organization sets it according to its own deployment and security measures: how much confidentiality, integrity and availability matter for the affected asset, and any Base metric that differs locally (for example, a network-reachable flaw on a host that is not exposed to the network). It is computed from those modified Base metrics together with the Temporal factors, so it can move the score in either direction.

CVSS works well as a consistent, vendor-neutral way to rank vulnerabilities by severity on an ongoing basis, and a Base Score is published for nearly every CVE, so any business or agency can use it.

However, the CVSS has its weak points.

The drawbacks of CVSS

The main drawback of CVSS is that a score is only as good as what the scorer knows and chooses to include. The Base Score published in the National Vulnerability Database is deliberately context-free, and the Temporal and Environmental metrics that would add context are rarely filled in. If you have a lot of information on a specific vulnerability and how it relates to your own systems, you can produce an accurate, trustworthy Environmental Score and act on it in the right order.

If you lack that information, the score will not reflect your actual risk: a 9.8 on an isolated test host and a 9.8 on an internet-facing login page look identical, and neither number says whether anyone is exploiting the flaw.

So, what can businesses do instead? Is the CISA catalog a better alternative in many cases?

Why switch to CISA?

The CISA catalog has one major advantage over a CVSS-only approach, and it has been freely available since launch, which is why many companies now fold it into their process. In essence, CISA adds a Common Vulnerabilities and Exposures (CVE) entry only when there is reliable evidence of active exploitation in the wild and a clear remediation action exists. This means it focuses on the most urgent patches: those that an attacker is already using.

The big difference here is that CISA puts exploitability first. No matter how severe a CVE is according to CVSS (criticality), what matters most is whether an attacker is actually exploiting it. A possible risk, however severe, is generally less urgent than a proven, ongoing one.

The CISA catalog also addresses a constant challenge for security teams. It helps justify taking business-critical apps offline to apply patches and issue updates.

Fixing a security issue often involves downtime, and even small amounts of downtime can cause significant disruption and cost money. Security teams must strike a balance between patching vulnerabilities and ensuring business continuity. However, it can be difficult to gain support for a patch that isn't seen as highly necessary and urgent. Showing that the CVE is in the CISA catalog, along with its required action and due date, can help.

Striking a balance

With all that said, the CISA catalog isn't perfect. After all, many unexploited vulnerabilities exist in the wild worthy of attention and prioritization. Just because a vulnerability has not yet been proven as exploited, does that mean it's always less severe? Of course not. In fact, it could be the most dangerous of all. The catalog also lags by design: a vulnerability enters it only after exploitation has been observed and reported, and only if it has a CVE ID, so a flaw can be under attack for some time before it appears.

Again, security teams must find the right balance. Both the CVSS and the CISA catalog are valuable resources for assessing vulnerabilities and choosing what to put first regarding patches and security procedures.

In the end, don’t think of the CISA catalog as an alternative to the CVSS. Instead, look at it as a useful addition. Both criticality and exploitability are important metrics to consider when assessing threats. What’s more, security teams still need to exercise their own judgment and discretion when evaluating vulnerabilities. It’s up to you to decide where to focus your efforts and when to justify downtime.
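One way to treat the catalog as an addition rather than an alternative is to rank a patch backlog by KEV membership first, CVSS severity second, with exposure as a tiebreaker. The script below is an added example, not code from the original article or from CISA. It reads a constructed excerpt laid out like the KEV JSON feed (the field names match the feed's; the two CVE IDs are real catalog entries, but the dates and descriptions here are illustrative and the live feed would be downloaded and passed in instead), merges it with constructed scanner findings (the CVSS numbers for the two real CVEs are NVD's v3.x base scores; CVE-0000-0001 and CVE-0000-0002 are placeholders, not real IDs), and returns a tiered list. The tier rules and function names are the example's own choices, not CISA's.

```python
"""Rank a patch backlog: CISA KEV membership first, CVSS severity second, exposure third."""
import json
from datetime import date

# Constructed excerpt in the layout of the CISA KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# The CVE IDs are real catalog entries; the dates and text are illustrative.
KEV_FEED = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "example",
  "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
     "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
     "shortDescription": "Illustrative text.", "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2017-0144", "vendorProject": "Microsoft", "product": "SMBv1",
     "vulnerabilityName": "Microsoft SMBv1 Remote Code Execution Vulnerability",
     "dateAdded": "2022-02-10", "dueDate": "2022-08-10",
     "shortDescription": "Illustrative text.", "requiredAction": "Apply updates per vendor instructions."}
  ]
}"""

# Constructed scanner output for one organisation. CVE-0000-0001/0002 are placeholders.
FINDINGS = [
    {"cve": "CVE-0000-0002", "asset": "hr-db-03", "cvss": 5.3, "internet_exposed": False},
    {"cve": "CVE-2017-0144", "asset": "file-srv-07", "cvss": 8.1, "internet_exposed": False},
    {"cve": "CVE-0000-0001", "asset": "portal-01", "cvss": 9.8, "internet_exposed": True},
    {"cve": "CVE-2021-44228", "asset": "app-01", "cvss": 10.0, "internet_exposed": True},
]


def load_kev(feed_json):
    """Index the KEV feed by CVE ID so each lookup is a dict hit."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def tier_for(finding, kev_entry, today):
    """P0: in KEV and past CISA's due date. P1: in KEV, deadline still ahead.
    P2: not in KEV but CVSS critical, or high and reachable from the internet. P3: the rest."""
    if kev_entry is not None:
        return "P0" if date.fromisoformat(kev_entry["dueDate"]) < today else "P1"
    if finding["cvss"] >= 9.0 or (finding["cvss"] >= 7.0 and finding["internet_exposed"]):
        return "P2"
    return "P3"


def prioritize(findings, feed_json, today):
    """Return findings ordered by tier, then KEV due date, then CVSS, then exposure."""
    kev = load_kev(feed_json)
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        rows.append({
            "cve": f["cve"], "asset": f["asset"], "cvss": f["cvss"],
            "exposed": f["internet_exposed"],
            "tier": tier_for(f, entry, today),
            "kev_due": entry["dueDate"] if entry else None,
            "reason": entry["vulnerabilityName"] if entry else "CVSS %.1f, no known exploitation" % f["cvss"],
        })
    # ISO dates sort correctly as strings; non-KEV rows get a far-future sentinel.
    rows.sort(key=lambda r: (r["tier"], r["kev_due"] or "9999-12-31", -r["cvss"], not r["exposed"]))
    return rows


if __name__ == "__main__":
    for row in prioritize(FINDINGS, KEV_FEED, date.today()):
        print("%s  %-15s %-12s CVSS %-4s due %-10s %s" % (
            row["tier"], row["cve"], row["asset"], row["cvss"], row["kev_due"] or "-", row["reason"]))
```

The P2 tier is what keeps the "striking a balance" point honest: a 9.8 on an internet-facing portal with no KEV entry still lands directly behind the KEV items, ahead of anything low-scoring, rather than being ignored because nobody has reported exploitation yet.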
