In the cybersecurity field, large databases of known threats and vulnerabilities have often been an essential resource. These catalogs show you where to focus your efforts. They’re also a good tool for prioritizing patches to increase security and mitigate the risk of disaster. As a result, these databases need to be reliable and up-to-date and use the correct criteria to assess vulnerabilities.
In November, the Cybersecurity and Infrastructure Security Agency (CISA) updated its catalog of known vulnerabilities and made it public. The agency shared its own deadlines for patches, first intended for federal agencies but useful as guidelines for the private sector as well. The CISA list is a noteworthy change in the cybersecurity space because it uses slightly different criteria than the Common Vulnerability Scoring System (CVSS), another key resource for assessing cyber vulnerabilities.
How are the two systems different? Take a look at the pros and cons of moving to the CISA catalog and away from the CVSS, and what it all means for security-conscious organizations.
CISA or CVSS?
One of the key differences between the CISA catalog and the CVSS is the criteria for prioritizing patches. CISA recommends patches based on exploitability, while the CVSS bases its recommendations on criticality.
Let’s explore those two concepts:
What is the CVSS scoring system?
To understand how the CVSS works, we need to examine its scoring system.
The CVSS is an open framework designed to catalog software vulnerabilities according to their characteristics and how severe they are. It uses three groups of metrics: Base, Temporal and Environmental.
-
The Base Score rates the severity of a vulnerability from zero to 10 according to its intrinsic properties, factors that stay constant at all times. In other words, in a worst-case scenario with no mitigation whatsoever, this is how severe the vulnerability will likely be.
-
The Temporal Score refers to factors that change over time. That also means it needs to be re-checked on an ongoing basis. As the temporal metric changes, it also modifies the Base Score.
-
The Environmental Score is influenced by the computing environment within which the vulnerability exists. This is up to each organization to tweak according to their own security measures. It affects both the Base and Temporal Scores.
The CVSS works well as a method of monitoring and ranking vulnerabilities on an ongoing basis according to a range of factors. It’s often accurate and reliable and can be used by all types of businesses or agencies.
However, the CVSS has its weak points.
The drawbacks of CVSS
The main drawback of the CVSS scoring system is that it relies on what the scorer knows about a vulnerability. So, if you have a lot of information on a specific vulnerability and how it relates to your own systems, it’s possible to produce a very accurate and trustworthy CVSS result to make confident security decisions and take actions in the right order.
However, if you lack information about that vulnerability, the CVSS score will not be accurate.
So, what can businesses do instead? Is the CISA catalog a better alternative in many cases?
Why switch to CISA?
The CISA catalog has one major advantage over the CVSS, prompting many companies to switch to it now that the catalog is open to the public. In essence, the CISA captures Common Vulnerability Exposures (CVEs) only when they have active exploits underway. This means it focuses on the most urgent patches — those that an attacker is exploiting.
The big difference here is that CISA puts exploitability first. No matter how severe a CVE is according to the CVSS (criticality), what really matters is whether an attacker is actually exploiting it. A possible risk, no matter how severe, is always less urgent than a proven, ongoing issue.
The CISA catalog also addresses a constant challenge for security teams. It helps justify taking business-critical apps offline to apply patches and issue updates.
Fixing a security issue often involves downtime, and even small amounts of downtime can cause significant disruption and cost money. Security teams must strike a balance between patching vulnerabilities and ensuring business continuity. However, it can be difficult to gain support for a patch that isn’t seen as highly necessary and urgent. Showing the CVE according to CISA can help.
Striking a balance
With all that said, the CISA catalog isn’t perfect. After all, many unexploited vulnerabilities exist in the wild worthy of attention and prioritization. Just because a vulnerability has not yet been proven as exploited, does that mean it’s always less severe? Of course not. In fact, it could be the most dangerous of all.
Again, security teams must find the right balance. Both the CVSS and the CISA catalog are valuable resources for assessing vulnerabilities and choosing what to put first regarding patches and security procedures.
In the end, don’t think of the CISA catalog as an alternative to the CVSS. Instead, look at it as a useful addition. Both criticality and exploitability are important metrics to consider when assessing threats. What’s more, security teams still need to exercise their own judgment and discretion when evaluating vulnerabilities. It’s up to you to decide where to focus your efforts and when to justify downtime.