Collaborative Learning Discussion – Summary Post

This week, students were expected to post a summary post for the Collaborative Learning Discussion 1, taking into consideration the first initial post from week 1 and peer responses in week 2.

Post

The Common Vulnerability Scoring System (CVSS) is a method used to supply a qualitative measure of severity. The method consists of three metric groups: Base, Temporal, and Environmental. However, Spring et al. (2021) argue that the CVSS algorithm is not justified, either formally or empirically, because no justification is given for its formula. CVSS is designed to identify the technical severity of a vulnerability. What people seem to want to know, instead, is the risk a vulnerability or flaw poses to them, or how quickly they should respond to it.

As discussed and agreed with fellow students, CVSS is a well-established method, but it has clear gaps when it comes to risk assessment. Spring et al. (2021) recommend SSVC (Stakeholder-Specific Vulnerability Categorization), which aims to help prioritize the remediation of a vulnerability based on the impact exploitation would have on the particular organization(s). It does this by arriving at one of four possible decisions: Track, Track*, Attend, and Act.
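To make the four SSVC outcomes concrete, the following is an added Python example (not from the post or from the CISA guide) that maps the four decision points of the CISA deployer tree to Track, Track*, Attend or Act and orders a constructed backlog by urgency. The rule set inside ssvc_decision is a simplified illustration of the tree's shape, not CISA's published table, and the VULN-* identifiers are placeholders.

```python
# Decision-point values as named in the CISA SSVC deployer tree; ordering ours.
EXPLOITATION = ("none", "poc", "active")
AUTOMATABLE = ("no", "yes")
TECHNICAL_IMPACT = ("partial", "total")
MISSION_WELLBEING = ("low", "medium", "high")
OUTCOMES = ("Track", "Track*", "Attend", "Act")  # least to most urgent


def _rank(options, value):
    # Reject typos early: a silent default would mis-prioritize the backlog.
    if value not in options:
        raise ValueError(f"expected one of {options}, got {value!r}")
    return options.index(value)


def ssvc_decision(exploitation, automatable, technical_impact, mission):
    # Simplified illustration of the SSVC tree, not CISA's published 36-leaf
    # table. It keeps the shape: evidence of exploitation dominates, and the
    # mission/well-being impact decides how far up the outcome moves.
    e = _rank(EXPLOITATION, exploitation)
    a = _rank(AUTOMATABLE, automatable)
    t = _rank(TECHNICAL_IMPACT, technical_impact)
    m = _rank(MISSION_WELLBEING, mission)
    if e == 2:                                  # exploited in the wild
        if m == 2 and (a or t):
            return "Act"
        return "Attend" if (a or t or m == 1) else "Track*"
    if e == 1:                                  # public proof of concept only
        if m == 2 and (a or t):
            return "Attend"
        return "Track*" if (m >= 1 and (a or t)) else "Track"
    if a and t and m == 2:                      # no known exploitation
        return "Attend"
    return "Track*" if ((a or t) and m == 2) else "Track"


def prioritize(backlog):
    # backlog rows: (vuln_id, exploitation, automatable, technical_impact, mission).
    # Most urgent outcome first; ties keep their input order (sort is stable).
    decided = [(row[0], ssvc_decision(*row[1:])) for row in backlog]
    return sorted(decided, key=lambda p: OUTCOMES.index(p[1]), reverse=True)


# Constructed backlog for illustration; the identifiers are placeholders.
BACKLOG = [
    ("VULN-A", "none", "yes", "partial", "low"),
    ("VULN-B", "active", "yes", "total", "high"),
    ("VULN-C", "poc", "no", "total", "medium"),
    ("VULN-D", "active", "no", "partial", "low"),
]
```

Running prioritize(BACKLOG) puts the actively exploited, automatable, high-impact item first and the unexploited one last, which is the stakeholder-specific ordering the post contrasts with a bare CVSS score.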

SSVC is attracting growing attention from the cyber security industry, and some even suggest 'flipping' from CVSS to SSVC as the primary method for vulnerability decision making (Keizman, 2024), although there are no set rules as to which methodology should be used where and when. When it comes to vulnerabilities and risk assessment, it is important to have a good understanding of the infrastructure, identify potential risks and choose the methodology, or combination of methodologies, that best suits the organization's needs.

References:

Spring, J., Hatleback, E., Householder, A., Manion, A. and Shick, D. (2021). Time to Change the CVSS? IEEE Security & Privacy, [online] 19(2), pp.74–78. doi: https://doi.org/10.1109/msec.2020.3044475 [Accessed 28 March 2024].

CISA (n.d.). Stakeholder-Specific Vulnerability Categorization Guide. [online] Available at: https://www.cisa.gov/sites/default/files/publications/cisa-ssvc-guide%20508c.pdf [Accessed 28 March 2024].

Keizman, O. (2024). The SSVC risk prioritization method: what it is, when to use it, and alternatives. [online] Vulcan Cyber. Available at: https://vulcan.io/blog/the-ssvc-risk-prioritization-method-what-it-is-when-to-use-it-and-alternatives/. [Accessed 28 March 2024].