Security Risk Management – Week 8 – Collaborative Learning Discussion 2 – Peer Responses
This week, the collaborative learning discussion continued, and students were instructed to provide at least two responses to other peers' posts. The following are the two peer responses:
Peer Response – Mohammed Younes
Hello Mohammed,
Thank you for your informative post. CVSS was first introduced in 2005 by the U.S. National Infrastructure Advisory Council (NIAC) to simplify the generation of consistent scores that could accurately reflect the existing risks and vulnerabilities in a specific IT environment (Gillis and Bacon, 2023).
Although it has been around for some time, I do agree with Spring et al.'s (2021) point that the current version is not adequate to be used as a method for risk assessment. In the environment that we live in now, with digital threats constantly evolving, there are more things to consider than just scoring a vulnerability. Having said that, it is still a good method to refer to and consider due to its well-established reputation. Moving forward, Spring et al. (2021) recommended CVSS as a solution. When it comes to vulnerabilities and risk assessment, there are no limitations as to how many methodologies can be used. It is important to have a good understanding of infrastructures, identify potential risks and choose the best methodology, whether one or multiple, to best suit the organizational needs.
References:
Spring, J., Hatleback, E., Householder, A., Manion, A. and Shick, D. (2021). Time to Change the CVSS? IEEE Security & Privacy, [online] 19(2), pp.74–78. doi: https://doi.org/10.1109/msec.2020.3044475 [Accessed 28 March 2024].
Gillis, A., Bacon, M. (2023). What is the CVSS (Common Vulnerability Scoring System)? TechTarget. Available at: https://www.techtarget.com/searchsecurity/definition/CVSS-Common-Vulnerability-Scoring-System. [Accessed 28 March 2024].
Peer Response – Sudesh Naidoo
Hello Sudesh,
Thank you for your informative post. I also agree with your view that the current CVSS system has flaws and limitations, as discussed by Spring et al. (2021). In the ever-evolving current digital landscape, it is difficult to focus on just one aspect. Having said that, CVSS has been around for some time and, with its well-established reputation, it is something I would still refer to when it comes to cyber security.
Spring et al. (2021) recommend SSVC as a solution; however, depending on the size and the type of the enterprise, there are many others which can be implemented and/or combined with the management of another indicator, for example EPSS (Exploit Prediction Scoring System), which is focused on assessing the probability of exploitation of a vulnerability in the next 30 days (Tarlogic, 2023). These combined methods can be manoeuvred to best suit the enterprise needs and requirements.
References:
Spring, J., Hatleback, E., Householder, A., Manion, A. and Shick, D. (2021). Time to Change the CVSS? IEEE Security & Privacy, [online] 19(2), pp.74–78. doi: https://doi.org/10.1109/msec.2020.3044475 [Accessed 28 March 2024].
Team, C. 4 A. (2023). SSVC: How to make decisions about IT vulnerabilities. [online] Tarlogic Security. Available at: https://www.tarlogic.com/blog/ssvc/ [Accessed 28 March 2024].
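The second response argues that CVSS severity alone is not enough and that it can be combined with a likelihood indicator such as EPSS. The following is an added illustration of that combination, not code from either post, from FIRST, or from the Tarlogic article. The severity bands are the CVSS v3.x qualitative ratings; the rule that merges severity, EPSS probability and exposure into a priority tier, the `epss_threshold` value and the `SAMPLE` findings are all assumptions made up for this example (the identifiers are placeholders, not real CVE numbers).

```python
"""Toy vulnerability prioritisation combining a CVSS base score with an
EPSS probability. Added example: the decision rule below is an assumption,
not SSVC and not any published FIRST guidance."""
from dataclasses import dataclass


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score (0.0-10.0) to its qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass
class Finding:
    name: str            # placeholder identifier, not a real CVE
    cvss: float          # CVSS v3.x base score
    epss: float          # EPSS: probability (0..1) of exploitation in next 30 days
    internet_facing: bool  # asset exposure, a context signal CVSS alone lacks


def priority(f: Finding, epss_threshold: float = 0.1) -> str:
    """Assumed decision rule (illustrative only).

    act-now   : High/Critical severity AND exploitation is likely
    scheduled : High/Critical severity, or likely exploitation of an exposed asset
    ignore    : CVSS rates the issue as None
    backlog   : everything else
    """
    sev = cvss_severity(f.cvss)
    likely = f.epss >= epss_threshold
    if sev in ("Critical", "High") and likely:
        return "act-now"
    if sev in ("Critical", "High") or (likely and f.internet_facing):
        return "scheduled"
    if sev == "None":
        return "ignore"
    return "backlog"


_TIER_ORDER = {"act-now": 0, "scheduled": 1, "backlog": 2, "ignore": 3}


def prioritise(findings):
    """Order findings by tier, then by EPSS (desc), then by CVSS (desc)."""
    return sorted(findings,
                  key=lambda f: (_TIER_ORDER[priority(f)], -f.epss, -f.cvss))


# Constructed sample inventory (placeholder names, invented scores).
SAMPLE = [
    Finding("VULN-A", 9.8, 0.92, True),    # critical and actively exploited
    Finding("VULN-B", 9.1, 0.01, False),   # critical on paper, rarely exploited
    Finding("VULN-C", 5.3, 0.40, True),    # medium, but exposed and likely hit
    Finding("VULN-D", 5.3, 0.40, False),   # same CVSS/EPSS, internal only
    Finding("VULN-E", 3.1, 0.001, False),  # low severity, negligible likelihood
    Finding("VULN-F", 0.0, 0.0, False),    # informational
]


def ranked_names(findings=SAMPLE):
    return [f.name for f in prioritise(findings)]


if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(f"{f.name:8} cvss={f.cvss:4} epss={f.epss:<6} -> {priority(f)}")
```

Note that VULN-C (Medium) ends up above VULN-B (Critical): the EPSS likelihood and exposure context change the order that CVSS alone would give, which is the point the response makes about combining indicators.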