August 22, 2022 By Mark Stone 3 min read

In the cybersecurity field, large databases of known threats and vulnerabilities have often been an essential resource. These catalogs show you where to focus your efforts. They’re also a good tool for prioritizing patches to increase security and mitigate the risk of disaster. As a result, these databases need to be reliable and up-to-date and use the correct criteria to assess vulnerabilities.

In November, the Cybersecurity and Infrastructure Security Agency (CISA) updated its catalog of known vulnerabilities and made it public. The agency shared its own deadlines for patches, first intended for federal agencies but useful as guidelines for the private sector as well. The CISA list is a noteworthy change in the cybersecurity space because it uses slightly different criteria than the Common Vulnerability Scoring System (CVSS), another key resource for assessing cyber vulnerabilities.

How are the two systems different? Take a look at the pros and cons of moving to the CISA catalog and away from the CVSS, and what it all means for security-conscious organizations.

CISA or CVSS?

One of the key differences between the CISA catalog and the CVSS is the criteria for prioritizing patches. CISA recommends patches based on exploitability, while the CVSS bases its recommendations on criticality.

Let’s explore those two concepts:

  • Exploitability — categorizing vulnerabilities and recommending patches based on actual exploits that have taken place.

  • Criticality — categorizing vulnerabilities and recommending patches based on a severity score assigned by the CVSS.

What is the CVSS scoring system?

To understand how the CVSS works, we need to examine its scoring system.

The CVSS is an open framework designed to catalog software vulnerabilities according to their characteristics and how severe they are. It uses three groups of metrics: Base, Temporal and Environmental.

  • The Base Score rates the severity of a vulnerability from zero to 10 according to its intrinsic properties, factors that stay constant at all times. In other words, in a worst-case scenario with no mitigation whatsoever, this is how severe the vulnerability will likely be.

  • The Temporal Score refers to factors that change over time. That also means it needs to be re-checked on an ongoing basis. As the temporal metric changes, it also modifies the Base Score.

  • The Environmental Score is influenced by the computing environment within which the vulnerability exists. This is up to each organization to tweak according to their own security measures. It affects both the Base and Temporal Scores.

The CVSS works well as a method of monitoring and ranking vulnerabilities on an ongoing basis according to a range of factors. It’s often accurate and reliable and can be used by all types of businesses or agencies.

However, the CVSS has its weak points.

The drawbacks of CVSS

The main drawback of the CVSS scoring system is that it relies on what the scorer knows about a vulnerability. So, if you have a lot of information on a specific vulnerability and how it relates to your own systems, it’s possible to produce a very accurate and trustworthy CVSS result to make confident security decisions and take actions in the right order.

However, if you lack information about that vulnerability, the CVSS score will not be accurate.

So, what can businesses do instead? Is the CISA catalog a better alternative in many cases?

Why switch to CISA?

The CISA catalog has one major advantage over the CVSS, prompting many companies to switch to it now that the catalog is open to the public. In essence, the CISA captures Common Vulnerability Exposures (CVEs) only when they have active exploits underway. This means it focuses on the most urgent patches — those that an attacker is exploiting.

The big difference here is that CISA puts exploitability first. No matter how severe a CVE is according to the CVSS (criticality), what really matters is whether an attacker is actually exploiting it. A possible risk, no matter how severe, is always less urgent than a proven, ongoing issue.

The CISA catalog also addresses a constant challenge for security teams. It helps justify taking business-critical apps offline to apply patches and issue updates.

Fixing a security issue often involves downtime, and even small amounts of downtime can cause significant disruption and cost money. Security teams must strike a balance between patching vulnerabilities and ensuring business continuity. However, it can be difficult to gain support for a patch that isn’t seen as highly necessary and urgent. Showing the CVE according to CISA can help.

Striking a balance

With all that said, the CISA catalog isn’t perfect. After all, many unexploited vulnerabilities exist in the wild worthy of attention and prioritization. Just because a vulnerability has not yet been proven as exploited, does that mean it’s always less severe? Of course not. In fact, it could be the most dangerous of all.

Again, security teams must find the right balance. Both the CVSS and the CISA catalog are valuable resources for assessing vulnerabilities and choosing what to put first regarding patches and security procedures.

In the end, don’t think of the CISA catalog as an alternative to the CVSS. Instead, look at it as a useful addition. Both criticality and exploitability are important metrics to consider when assessing threats. What’s more, security teams still need to exercise their own judgment and discretion when evaluating vulnerabilities. It’s up to you to decide where to focus your efforts and when to justify downtime.

More from Data Protection

Why safeguarding sensitive data is so crucial

4 min read - A data breach at virtual medical provider Confidant Health lays bare the vast difference between personally identifiable information (PII) on the one hand and sensitive data on the other.The story began when security researcher Jeremiah Fowler discovered an unsecured database containing 5.3 terabytes of exposed data linked to Confidant Health. The company provides addiction recovery help and mental health treatment in Connecticut, Florida, Texas and other states.The breach, first reported by WIRED, involved PII, such as patient names and addresses,…

Addressing growing concerns about cybersecurity in manufacturing

4 min read - Manufacturing has become increasingly reliant on modern technology, including industrial control systems (ICS), Internet of Things (IoT) devices and operational technology (OT). While these innovations boost productivity and streamline operations, they’ve vastly expanded the cyberattack surface.According to the 2024 IBM Cost of a Data Breach report, the average total cost of a data breach in the industrial sector was $5.56 million. This reflects an 18% increase for the sector compared to 2023.Apparently, the data being stored in industrial control systems is…

3 proven use cases for AI in preventative cybersecurity

3 min read - IBM’s Cost of a Data Breach Report 2024 highlights a ground-breaking finding: The application of AI-powered automation in prevention has saved organizations an average of $2.2 million.Enterprises have been using AI for years in detection, investigation and response. However, as attack surfaces expand, security leaders must adopt a more proactive stance.Here are three ways how AI is helping to make that possible:1. Attack surface management: Proactive defense with AIIncreased complexity and interconnectedness are a growing headache for security teams, and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today