Cisco's Free Threat-Alerts Service Uses CVSS

Written by Ryan Naraine
Published May 27, 2005

      Network security powerhouse Cisco has rolled out a new enterprise-focused threat advisory service with full support for CVSS, aka the Common Vulnerability Scoring System, the fledgling industry attempt to standardize the way security flaws are rated.

Cisco Systems Inc.'s MySDN (My Self-Defending Network) marks the first public appearance of CVSS in a flaw-warning service.

The MySDN service is a free Web resource set up to deliver advisories about network vulnerabilities and threats that aren't caused by bugs in Cisco products, and forms part of the San Jose, Calif.-based company's ambitious ATD (Adaptive Threat Defense) initiative.

Cisco's adoption of CVSS means that flaw warnings will include two severity scores derived strictly from metrics and formulas. For example, a recent alert for a denial-of-service bug in implementations of the TCP/IP protocol adds CVSS scoring alongside the traditional "medium" risk severity.

The CVSS scoring system is the brainchild of the U.S. Department of Homeland Security's NAIC (National Infrastructure Advisory Council) and is backed by several high-profile technology firms, including Cisco, Microsoft Corp., eBay Inc., Qualys Inc. and Internet Security Systems Inc.

      At its core, the CVSS framework is designed to provide end users with an overall composite score representing the severity and risk of a vulnerability. The metrics and formulas that power the scoring system have been divided into three categories—base, temporal and environmental—and promise a vendor-neutral solution to the problem of incompatible severity rating systems.

Here's how it works: the Base Metrics group, which never changes, is set by the vendor or researcher issuing the advisory and is computed by a strict set of mathematical algorithms. The Temporal Metrics group, also calculated from metrics and formulas, captures characteristics of the vulnerability that evolve over the lifetime of the security flaw.

      The last component, Environmental Metrics, is not included in the advisory. Instead, it is computed by the end user and contains characteristics of the vulnerability that are tied to an implementation in a specific environment.
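The three-tier structure described above is easier to see in code. The calculator below is an added example, not code from the article, Cisco or FIRST: it chains a base score (fixed by the advisory) through temporal factors (which change as exploits and fixes appear) and environmental factors (which only the end user can supply). Because the article gives no formulas, the metric abbreviations, weights and equations used here are those of CVSS version 2, as FIRST published it in 2007, rather than the 2005 draft the article covers; the vector strings are constructed samples.

```python
"""Chained CVSS scoring: base -> temporal -> environmental.

Added example, not code from the article, Cisco or FIRST. The metric
abbreviations, weights and formulas are CVSS version 2 (FIRST, 2007),
assumed here as a stand-in for the 2005 draft the article describes.
"""
from decimal import Decimal as D, ROUND_HALF_UP

# Base metrics: set once by the vendor or researcher issuing the advisory
AV = {"L": D("0.395"), "A": D("0.646"), "N": D("1.0")}      # access vector
AC = {"H": D("0.35"), "M": D("0.61"), "L": D("0.71")}       # access complexity
AU = {"M": D("0.45"), "S": D("0.56"), "N": D("0.704")}      # authentication
IMPACT = {"N": D("0"), "P": D("0.275"), "C": D("0.660")}    # C/I/A impact

# Temporal metrics: change over the life of the flaw (ND = not defined)
E = {"U": D("0.85"), "POC": D("0.9"), "F": D("0.95"), "H": D("1.0"), "ND": D("1.0")}
RL = {"OF": D("0.87"), "TF": D("0.90"), "W": D("0.95"), "U": D("1.0"), "ND": D("1.0")}
RC = {"UC": D("0.90"), "UR": D("0.95"), "C": D("1.0"), "ND": D("1.0")}

# Environmental metrics: supplied by the end user, never by the advisory
CDP = {"N": D("0"), "L": D("0.1"), "LM": D("0.3"), "MH": D("0.4"), "H": D("0.5"), "ND": D("0")}
TD = {"N": D("0"), "L": D("0.25"), "M": D("0.75"), "H": D("1.0"), "ND": D("1.0")}
REQ = {"L": D("0.5"), "M": D("1.0"), "H": D("1.51"), "ND": D("1.0")}  # CR/IR/AR


def round1(x):
    """CVSS rounds each tier to one decimal; Decimal avoids float drift."""
    return x.quantize(D("0.1"), rounding=ROUND_HALF_UP)


def parse_vector(vec):
    """'AV:N/AC:L/Au:N/C:N/I:N/A:C' -> {'AV': 'N', 'AC': 'L', ...}"""
    return dict(part.split(":") for part in vec.split("/"))


def base_score(m, req=None):
    """Base score. When req (CR/IR/AR weights) is given this is the
    environmental 'adjusted' base, whose weighted impact is capped at 10."""
    adjusted = req is not None
    req = req or {"CR": D(1), "IR": D(1), "AR": D(1)}
    impact = D("10.41") * (1 - (1 - IMPACT[m["C"]] * req["CR"])
                             * (1 - IMPACT[m["I"]] * req["IR"])
                             * (1 - IMPACT[m["A"]] * req["AR"]))
    if adjusted:
        impact = min(impact, D(10))
    exploitability = D(20) * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f = D(0) if impact == 0 else D("1.176")  # no impact -> score is zero
    return round1((D("0.6") * impact + D("0.4") * exploitability - D("1.5")) * f)


def temporal_score(m, base):
    """Temporal tier: scales the (already rounded) base score."""
    return round1(base * E[m.get("E", "ND")] * RL[m.get("RL", "ND")] * RC[m.get("RC", "ND")])


def environmental_score(m):
    """Environmental tier: recompute base with the user's C/I/A requirements,
    re-apply temporal factors, then weight by collateral damage and target share."""
    req = {k: REQ[m.get(k, "ND")] for k in ("CR", "IR", "AR")}
    adj_temporal = temporal_score(m, base_score(m, req))
    return round1((adj_temporal + (10 - adj_temporal) * CDP[m.get("CDP", "ND")])
                  * TD[m.get("TD", "ND")])


def score(vec):
    """Return the three composite scores (as floats) for one vector string."""
    m = parse_vector(vec)
    base = base_score(m)
    return {"base": float(base),
            "temporal": float(temporal_score(m, base)),
            "environmental": float(environmental_score(m))}


if __name__ == "__main__":
    # Constructed sample: remote, unauthenticated DoS; exploit works; official fix out;
    # the user runs it everywhere and rates availability as a high requirement.
    print(score("AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C/CDP:H/TD:H/CR:M/IR:M/AR:H"))
```

The sample vector shows the layering the article describes: the advisory's base score (7.8) drops once an official fix exists (temporal 6.4), yet rises again for a user whose environment depends heavily on the affected service (environmental 9.2). A target distribution of `TD:N` drives the environmental score to zero, which is the "not my problem" case only the end user can assert.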

CVSS is not meant to serve as a threat scoring system (such as the DHS color warning system), a vulnerability database or a real-time attack scoring system. Instead, backers say CVSS offers the perfect model to provide end users with an overall composite score representing the severity and risk of a vulnerability.

The project recently found a home with FIRST.org, a nonprofit made up of incident response and security teams worldwide, and supporters expect researchers and vendors to begin following Cisco's lead to make CVSS the de facto standard for severity ratings.


Mike Caudill, who sits on FIRST.org's board of directors, believes that widespread adoption of CVSS will remove the existing subjectivity from ratings and lessen the tension between software vendors and the private researchers who discover flaws.

Ideally, Caudill said, CVSS should complement Mitre's CVE (Common Vulnerabilities and Exposures), which has been widely used to standardize the names for all publicly known vulnerabilities and security exposures.

"We're hoping to get all the response teams internationally to try it out and start using it. There are a handful of organizations and companies trying out CVSS internally to get a feel for the system. We expect to start seeing public implementations as everyone becomes more comfortable," Caudill said in an interview with Ziff Davis Internet News.

      FIRST.org has set up a special interest group to evangelize CVSS, and a kickoff meeting is scheduled for the end of June to provide an update on public implementations, he said.


      Other Vendors Adopt CVSS

Besides Cisco, at least two vendors have announced plans to roll out public support for CVSS in the coming months. Qualys Inc., which sells an on-demand vulnerability management service to enterprise customers, will add CVSS-based scores to its flagship Qualys Guard solution.

"Right now, we're using a proprietary scoring system that rates vulnerabilities on a scale of 1-5. This summer, we'll be adding support for CVSS and we'll be recommending it highly for our customers," said Gerhard Eschelbeck, chief technology officer and vice president of engineering at Qualys.

"We have a big opportunity to create a universally valid scoring system that is generally accepted in the world," Eschelbeck declared. "We're excited by the fact that CVSS now has a new home at FIRST.org and we're looking forward to seeing others push ahead with implementations."

      iDefense Inc., of Reston, Va., is also testing CVSS internally and plans to add CVSS scores to its alerts soon. iDefense, which buys the rights to information on security flaws found by underground researchers, will also offer CVSS scores alongside its own proprietary system, said Sunil James, director of vulnerability intelligence.


In an interview, James said internal testing of CVSS shows the system was "very consistent" with iDefense's own approach, which rates flaws on a tiered scale from minimal to extreme. "We're hoping it will eventually turn into a standard, but that means that everyone has to get on board and start testing it."

      For CVSS to take off, the concept must win acceptance from the big software vendors and security-alerts aggregators.

Microsoft Corp., which has a history of disagreeing with private researchers on the severity of flaws in its products, doesn't appear to be in a rush to adopt CVSS.

"There is no new news from Microsoft on this. The company has not made any decisions to adopt the CVSS ratings at this time," a spokesperson said in a brief statement sent to Ziff Davis Internet News.

      Microsoft uses a proprietary severity-rating system that is publicly available on its Web site.

The federally funded U.S. CERT/CC (Computer Emergency Response Team/Coordination Center) is involved with the early work on CVSS, but there are no immediate plans for a public implementation. "Part of this work includes evaluation of CVSS for possible use at CERT/CC," a spokesperson explained.

      Secunia Inc., an alerts aggregator best known for tracking vulnerabilities in more than 4,500 pieces of software and operating systems, does not believe CVSS offers an improvement over its existing rating system.

"While I see certain interesting perspectives of the CCVS, I still believe that it attempts to take into account too many factors, which too often can't be reliably assessed or which very much depend on individuals' perception of certain issues," said Thomas Kristensen, CTO at Secunia.

Kristensen argued that the rating of vulnerabilities should take into account only the factors that can be reliably determined. "This basically boils down to who can exploit this, where can it be exploited from, and what is the ultimate impact. Naturally, it is also interesting if a vulnerability is fixed or if an appropriate workaround is available, but it doesn't change the rating of the issue; if you are vulnerable then the risk remains the same whether the patch is available or not," he said.

      Kristensen acknowledged that a common rating system could provide an improvement over the existing situation, in which different systems lead to researchers exaggerating the extent of a flaw and vendors often downplaying issues.

      He said Secunia does not plan to use CVSS. “We have tested it and find that our current rating system is more suitable for Secunia and our customers. One of the things Secunia is widely acknowledged for is the Secunia rating system, ranging from Not Critical to Extremely Critical. We also know that a large number of our customers who previously used a competing solution found our ratings to be better and more understandable,” Kristensen added.

      “I see no reason why Secunia at present should change to or implement a new rating system.”

iDefense's James believes Secunia should reconsider that decision, arguing that the perceived weaknesses in the CVSS proposal could be fixed. "I look at CVSS as a more granular version of what vendors are trying to do. It will help customers to better understand what vendors are thinking," he said.
