Computer networks and systems have become vital components for management of businesses worldwide. Unfortunately, computer networks and systems may be vulnerable to various types of attacks that have varying levels of impact. Because the vulnerabilities of computer networks and systems can be extensive and because the impact of these vulnerabilities varies widely, a need has arisen for scoring the vulnerabilities in order to allow businesses to assess priorities and resolve the vulnerabilities in the most efficient manner.
Accordingly, a scoring system was developed known as the Common Vulnerability Scoring System (CVSS). CVSS is a free and open industry standard for assessing the severity of computer system security vulnerabilities. CVSS assigns scores to vulnerabilities, allowing responders to prioritize responses and resources according to threat. Scores are calculated from a formula that depends on several metrics approximating the ease of exploitation and the impact of exploitation. CVSS is divided into three score groups that are combined, when possible, to create an overall score with a value from 0 to 10. Multiple versions of CVSS have been developed. A commonly used existing vulnerability scoring model, built on the CVSS version 2 framework, ranks vulnerabilities on a rank-ordered, five-point scale. A purpose of the system is to provide repeatable, accurate measurement of vulnerabilities and the ability for users to view the underlying vulnerability characteristics that generated the scores.
While the ranking system is simple and easily understood, the five-point scale creates very broad categories of vulnerabilities and does not provide a sufficient level of detail for effective prioritization of remediation actions. Larger organizations have networks with hundreds of thousands of servers and workstations. A critical vulnerability that impacts potentially tens of thousands of servers at once requires additional differentiation factors beyond a simple five-point scale.
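The following is an added example, not part of the original text, showing how a CVSS version 2 base score is computed from its six base metrics and then mapped onto a coarse five-point scale. The metric weights and formula are those of the CVSS v2 specification; the vulnerability vectors are constructed, and the five bucket thresholds are an assumption made here for illustration, since the text does not state them. Running it shows the point made above: vectors with clearly different base scores collapse into the same bucket, leaving nothing to order remediation within that bucket.

```python
"""CVSS v2 base-score computation and coarse five-point bucketing (added example)."""

# CVSS v2 base-metric weights from the CVSS v2 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA_IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

# Assumed thresholds for a five-point scale (an assumption of this example,
# not values given in the original text). Evaluated top-down.
BUCKETS = [(9.0, "critical"), (7.0, "severe"), (4.0, "high"), (2.0, "medium"), (0.0, "low")]


def parse_vector(vector: str) -> dict:
    """Parse 'AV:N/AC:L/Au:N/C:C/I:C/A:C' into {'AV': 'N', 'AC': 'L', ...}."""
    parts = dict(item.split(":", 1) for item in vector.split("/"))
    missing = {"AV", "AC", "Au", "C", "I", "A"} - parts.keys()
    if missing:
        raise ValueError(f"vector missing metrics: {sorted(missing)}")
    return parts


def base_score(vector: str) -> float:
    """CVSS v2 base score, rounded to one decimal as the specification requires."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - CIA_IMPACT[m["C"]])
                        * (1 - CIA_IMPACT[m["I"]])
                        * (1 - CIA_IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    if impact == 0:
        # f(Impact) = 0 when there is no impact; the whole score is zero.
        return 0.0
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176, 1)


def bucket(score: float) -> str:
    """Map a 0-10 score onto the assumed five-point scale."""
    for floor, name in BUCKETS:
        if score >= floor:
            return name
    return "low"


def rank_vulnerabilities(vulns):
    """vulns: iterable of (id, vector). Returns (id, score, bucket) rows, highest score first."""
    rows = []
    for vid, vector in vulns:
        score = base_score(vector)
        rows.append((vid, score, bucket(score)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


def scores_per_bucket(vulns):
    """Group distinct base scores by bucket, exposing how much detail the scale discards."""
    grouped = {}
    for _, score, name in rank_vulnerabilities(vulns):
        grouped.setdefault(name, set()).add(score)
    return grouped


# Constructed sample vectors (not real CVE data).
SAMPLE = [
    ("vuln-A", "AV:N/AC:L/Au:N/C:C/I:C/A:C"),  # remote, trivial, total compromise
    ("vuln-B", "AV:N/AC:M/Au:N/C:C/I:C/A:C"),  # same, but medium complexity
    ("vuln-C", "AV:N/AC:L/Au:N/C:N/I:N/A:C"),  # remote denial of service only
    ("vuln-D", "AV:L/AC:H/Au:N/C:C/I:C/A:C"),  # local and hard to exploit
    ("vuln-E", "AV:N/AC:L/Au:N/C:N/I:N/A:N"),  # no impact at all
]

if __name__ == "__main__":
    for vid, score, name in rank_vulnerabilities(SAMPLE):
        print(f"{vid}: {score:4.1f} -> {name}")
    # vuln-A (10.0) and vuln-B (9.3) land in the same bucket; the scale
    # gives no basis for deciding which to remediate first.
    print(scores_per_bucket(SAMPLE))
```

The `scores_per_bucket` view is the one an operator would want: when a bucket contains several distinct scores, the five-point label alone cannot order the work, which is why the text argues for additional differentiation factors.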
The inability to prioritize remediation can lead to vulnerabilities lingering within network environments longer than necessary, delays in remediation timelines due to a lack of guidance to the Lines of Business (LOBs), and a lack of confidence in the ability of cybersecurity personnel to effectively manage vulnerabilities throughout the network environments.
Additionally, the currently existing model fails to take an adequate number of risk measures into account. There are a variety of risks associated with any potential vulnerability, including operational, financial, and reputational risks. These risk measures are not part of the current model. Accordingly, remediation of vulnerabilities is done without regard for underlying risk measures. While environmental score metrics can be included as part of the CVSS framework, even when fully utilized the framework does not take into account risk outside the realm of information technology, such as the financial loss incurred if an application is not able to function properly.
FIG. 8 illustrates the shortcomings of existing models as described above. While existing models are able to categorize vulnerabilities as critical, severe, high, medium, or low, they suffer from numerous deficiencies including: (1) breadth of categories; (2) lack of prioritization; (3) lingering vulnerabilities; (4) delayed remediation; and (5) loss of confidence in cybersecurity.
In order to address the deficiencies of currently available scoring methods, a system is needed that includes a greater number of vulnerability rankings that would allow for creation of reasonable and achievable service level agreements. Furthermore, a system is needed that facilitates inclusion of additional risk factors into the scoring model including, for example, application criticality, potential business/operational impact, and network location. Furthermore, the system should take into account changes in regulations, policies, risk measurements, or industry standards and should be easily integrated with existing automated scoring systems. Additionally, the system should include a visualization layer that provides for generation of prioritized remediation lists. Furthermore, the system should interface with remediation resources so that remediation can be expedited and automatically implemented.