The Forum of Incident Response and Security Teams (FIRST) on Nov. 1 formally published CVSS 4.0 that touts finer granularity for base metrics and also gears them for operational technology (OT), industrial control systems (ICS) and the Internet of Things (IoT).
CVSS, now the standard for measuring the technical severity of a vulnerability, was first released as version 1.0 in February 2005. Today, nearly all security teams use CVSS scores to assess and prioritize their vulnerability management processes and prepare defenses against cyberattacks.
“CVSS 4.0 adds new focus on resiliency, which is often overlooked in the initial stages of an exploit, as well as starting to address the IoT/OT/ICS area that continues to set new records for number of attacks,” said Bud Broomhead, chief executive officer at Viakoo. “Organizations concerned about their IoT/OT/ICS attack surface need to use CVSS as a base to build on.”
Callie Guenther, senior manager, cyber threat research at Critical Start, added that, most notably, CVSS 4.0 revises its nomenclature, placing a larger emphasis on distinct scores such as Base, Base + Threat, and Base + Environmental. Guenther said the Base Metric Group sees pivotal alterations, with a refined User Interaction metric and the removal of the Scope metric.
“Temporal Metrics have been aptly renamed to Threat Metrics, emphasizing real-time vulnerabilities,” said Guenther. “The framework's emphasis on the potency of threat intelligence is unmistakable. Regarding the journey of the CVSS, it's been illuminating tracking its trajectory since its inception. As the cyber threat landscape has grown in complexity and scale, evolution has been not just necessary, but imperative.”
Mayuresh Dani, manager, threat research at Qualys, pointed out two challenges he sees with CVSS 4.0. First, to get real use out of CVSS 4.0, Dani said organizations need to maintain an Asset Management Database (used in Environmental Metric Values) and Threat Intelligence Data (used in Threat Metric Values). Without these, the true impact of the vulnerability will not be seen in the customer's environment, said Dani.
Second, although the new calculator is robust and elaborate, only two of the five new metrics, Base and Supplemental, must be provided by the supplier; the remaining three, Environmental (Modified Base Metrics), Environmental (Security Requirements) and Threat Metrics, rely on the end user.
“Unless organizations have the manpower to add this data for use in the vulnerability management processes, these fields will not be used, which will in turn just leverage the supplier-provided scores,” said Dani.
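The split Dani describes, supplier-provided Base and Supplemental metrics versus end-user-provided Threat and Environmental metrics, is visible directly in a CVSS 4.0 vector string. The following is an added example, not code from the article, FIRST or any of the vendors quoted; it parses a vector, reports which nomenclature it qualifies for (CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE, as defined in the published CVSS 4.0 specification) and lists which end-user groups are still at their "Not Defined" (X) default, meaning the score silently falls back to what the supplier provided. The metric names and value sets follow the CVSS 4.0 specification; the two sample vectors are constructed for illustration.

```python
"""Classify a CVSS 4.0 vector by nomenclature and flag end-user metric groups
that were never filled in. Added example; sample vectors are constructed."""

# Base metric group: supplied by the vendor/supplier, every metric mandatory.
BASE = {
    "AV": ("N", "A", "L", "P"), "AC": ("L", "H"), "AT": ("N", "P"),
    "PR": ("N", "L", "H"), "UI": ("N", "P", "A"),
    "VC": ("H", "L", "N"), "VI": ("H", "L", "N"), "VA": ("H", "L", "N"),
    "SC": ("H", "L", "N"), "SI": ("H", "L", "N"), "SA": ("H", "L", "N"),
}
# Threat metric group: supplied by the end user from threat intelligence.
THREAT = {"E": ("X", "A", "P", "U")}
# Environmental group: security requirements plus modified base metrics,
# supplied by the end user from an asset inventory. X means Not Defined.
ENVIRONMENTAL = {
    "CR": ("X", "H", "M", "L"), "IR": ("X", "H", "M", "L"), "AR": ("X", "H", "M", "L"),
    "MAV": ("X", "N", "A", "L", "P"), "MAC": ("X", "L", "H"), "MAT": ("X", "N", "P"),
    "MPR": ("X", "N", "L", "H"), "MUI": ("X", "N", "P", "A"),
    "MVC": ("X", "H", "L", "N"), "MVI": ("X", "H", "L", "N"), "MVA": ("X", "H", "L", "N"),
    "MSC": ("X", "H", "L", "N"), "MSI": ("X", "S", "H", "L", "N"), "MSA": ("X", "S", "H", "L", "N"),
}
# Supplemental group: supplier-provided context that does not change the score.
SUPPLEMENTAL = {
    "S": ("X", "N", "P"), "AU": ("X", "N", "Y"), "R": ("X", "A", "U", "I"),
    "V": ("X", "D", "C"), "RE": ("X", "L", "M", "H"),
    "U": ("X", "Clear", "Green", "Amber", "Red"),
}
ALL = {**BASE, **THREAT, **ENVIRONMENTAL, **SUPPLEMENTAL}


def parse_vector(vector: str) -> dict:
    """Parse 'CVSS:4.0/AV:N/...' into {metric: value}; raise ValueError if malformed."""
    prefix, _, rest = vector.partition("/")
    if prefix != "CVSS:4.0" or not rest:
        raise ValueError("not a CVSS 4.0 vector")
    metrics = {}
    for part in rest.split("/"):
        key, sep, value = part.partition(":")
        if not sep:
            raise ValueError(f"malformed component {part!r}")
        if key not in ALL:
            raise ValueError(f"unknown metric {key!r}")
        if value not in ALL[key]:
            raise ValueError(f"invalid value {value!r} for metric {key}")
        if key in metrics:
            raise ValueError(f"duplicate metric {key}")
        metrics[key] = value
    missing = [k for k in BASE if k not in metrics]
    if missing:
        raise ValueError(f"missing mandatory base metrics: {missing}")
    return metrics


def is_valid(vector: str) -> bool:
    """True if the vector parses under the rules above."""
    try:
        parse_vector(vector)
        return True
    except ValueError:
        return False


def nomenclature(metrics: dict) -> str:
    """CVSS-B, -BT, -BE or -BTE depending on which end-user groups are populated."""
    threat = metrics.get("E", "X") != "X"
    env = any(metrics.get(k, "X") != "X" for k in ENVIRONMENTAL)
    return "CVSS-B" + ("T" if threat else "") + ("E" if env else "")


def end_user_gaps(metrics: dict) -> list:
    """List end-user-supplied groups that are absent or entirely Not Defined."""
    gaps = []
    if metrics.get("E", "X") == "X":
        gaps.append("Threat (E): needs threat intelligence data")
    if all(metrics.get(k, "X") == "X" for k in ("CR", "IR", "AR")):
        gaps.append("Environmental security requirements (CR/IR/AR): needs asset data")
    if all(metrics.get(k, "X") == "X" for k in ENVIRONMENTAL if k.startswith("M")):
        gaps.append("Environmental modified base metrics (M*): needs asset data")
    return gaps


# Constructed sample vectors: one as a supplier would publish it, one after an
# end user has added exploit maturity, security requirements and a modified AV.
SUPPLIER_ONLY = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
ENRICHED = SUPPLIER_ONLY + "/E:A/CR:H/IR:M/AR:L/MAV:A"

if __name__ == "__main__":
    for v in (SUPPLIER_ONLY, ENRICHED):
        m = parse_vector(v)
        print(nomenclature(m), end_user_gaps(m))
```

Run stand-alone, the script shows the supplier-only vector scoring as plain CVSS-B with all three end-user groups reported as gaps, while the enriched vector qualifies as CVSS-BTE with none; a vulnerability management pipeline can use the gap list to decide whether a score reflects the local environment or only the supplier's view.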