The State of Common Vulnerability Scoring System in the 2020s

 
Common Vulnerability Scoring System
The State of CVSS for the 2020s
Dave Dugal, Juniper Networks
Dale Rich, DTCC
Co-chairs of CVSS Special Interest Group
 
Agenda
Current Status of CVSS v3.1
The Hopes and Dreams of CVSS v4.0
Highlights: Approved and Proposed Work Items
How to Get Involved
Open Q&A
 
Current Status of CVSS
CVSS v3.1 published in June 2019
Improves upon v3.0 without introducing new metrics or values
  o Allows for frictionless adoption of the new standard
Usability was a prime consideration
  o Improve the clarity of concepts introduced in CVSS v3.0
  o Improve the overall ease of use of the standard
  o Clarify definitions with better explanations of existing base metrics
  o Lots and lots of examples of "Scope" described in Section 3.5 of the User Guide
Defined the CVSS Extensions Framework
CVSS Glossary of Terms expanded and refined
 
Where we've been and where we're going
CVSS v3.x – Objectives
  o The challenges of virtualization (Scope)
  o Increased objectivity and repeatability
  o Removed the "middle 90%" Impact issue
CVSS v4.0 – Looking Forward
  o Threat Intelligence metrics
      Exploitability vs. Likelihood of Attack
  o Cloud Services and OT
  o Concepts of "Survivability" and "Resilience" to measure recovery effort
  o Active vs. Passive "User Interaction"
  o "Attack Complexity" vs. "Attack Requirements"
  o Nomenclature
 
The Hopes and Dreams of CVSS v4.0
Expand applicability from classic IT to OT and Cloud Services
Operationalizing Threat Intelligence
Considering a new "Severity" Metric Group
  o Category of Exploit
  o Kinetic Impact
  o Collateral Damage
Active vs. Passive "User Interaction"
"Attack Complexity" vs. "Attack Requirements"
  o Motility
  o Persistence

Note: CVSSv4 targeting June 2021 FIRST Conference to announce publication
 
CVSS v4.0: Approved Proposals
Temporal Metric Group is replaced by the "Threat Metric Group"
"User Interaction" (Active vs. Passive)
"Attack Requirements" base metric
  o Added to complement "Attack Complexity"
Clarification of "Scope"
Removal of "Report Confidence" and "Remediation Level"
 
CVSS v4.0: Proposed Work Items
New "Severity" Metric Group
Support for Unknown (X) values in Base Score
New "Threat Intelligence Confidence"
Likelihood of exploit at scale
"Resilience"
"Ease of Mitigation"
"Kinetic Impact"
"Collateral Damage"
Nomenclature
Check out https://bit.ly/cvssv4-workitems for complete list
 
Get Involved!
The CVSS SIG holds weekly conference calls to discuss improvements to the standard
Meetings to discuss CVSS v4.0 occur on Thursday at 13:00 ET
Become an active Participant in the meetings, or just join our mailing list as an Observer
Details of how to get involved are on the CVSS home page: https://www.first.org/cvss
Or rock it old school, and drop us an e-mail: cvss@first.org
 
The Common Vulnerability Scoring System (CVSS) has evolved, with CVSS v3.1 enhancing usability and clarity since its publication in June 2019. Looking ahead, CVSS v4.0 aims to expand into OT and Cloud Services, introduce new metrics like Threat Intelligence, and simplify scoring while maintaining accuracy. Approved and proposed work items reflect ongoing efforts to refine the system for better risk assessment in cybersecurity. Stay updated on the future of CVSS v4.0.

  • Vulnerability Scoring
  • CVSS
  • Cybersecurity
  • Threat Intelligence
  • CVSS v4.0

Uploaded on Oct 03, 2024



