Network security powerhouse Cisco has rolled out a new enterprise-focused threat advisory service with full support for CVSS, aka the Common Vulnerability Scoring System, the fledgling industry attempt to standardize the way security flaws are rated.
Cisco Systems Inc.'s MySDN (My Self-Defending Network) marks the first public appearance of CVSS in a flaw-warning service.
The MySDN service is a free Web resource set up to deliver advisories about network vulnerabilities and threats that aren't caused by bugs in Cisco products, and forms part of the San Jose, Calif.-based company's ambitious ATD (Adaptive Threat Defense) initiative.
Cisco's adoption of CVSS means that flaw warnings will include two severity scores derived strictly from metrics and formulas. For example, a recent alert for a denial-of-service bug in implementations of the TCP/IP protocol adds CVSS scoring alongside the traditional "medium" risk severity.
The CVSS scoring system is the brainchild of the U.S. Department of Homeland Security's NIAC (National Infrastructure Advisory Council) and is backed by several high-profile technology firms, including Cisco, Microsoft Corp., eBay Inc., Qualys Inc. and Internet Security Systems Inc.
At its core, the CVSS framework is designed to provide end users with an overall composite score representing the severity and risk of a vulnerability. The metrics and formulas that power the scoring system have been divided into three categories—base, temporal and environmental—and promise a vendor-neutral solution to the problem of incompatible severity rating systems.
Here's how it works: Base Metrics, which never change, are set by the vendor or researcher issuing the advisory and are computed by a strict set of mathematical formulas. Temporal Metrics, also calculated from metrics and formulas, capture characteristics of the vulnerability that evolve over the lifetime of the security flaw.
The last component, Environmental Metrics, is not included in the advisory. Instead, it is computed by the end user and contains characteristics of the vulnerability that are tied to an implementation in a specific environment.
CVSS is not meant to serve as a threat scoring system (or DHS color warning system), a vulnerability database or a real-time attack scoring system. Instead, backers say CVSS offers the perfect model to provide end users with an overall composite score representing the severity and risk of a vulnerability.
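To make the three-stage composition concrete, here is a worked scoring example added by the editor; it is not code from Cisco, FIRST.org or the CVSS project. The formulas and metric weights are those of the original NIAC CVSS version 1 draft as the editor recalls them, and since the article prints no formulas they should be read as an assumption. The metric field names and the sample advisory (a remotely triggerable, unauthenticated denial-of-service flaw scored from two different user environments) are constructed for illustration.

```python
"""Worked CVSS v1 scoring: base -> temporal -> environmental.

Added illustration. The weights and formulas below are the CVSS v1
values as recalled by the editor (assumption); the article itself
gives none. Metric field names are constructed for this example.
"""
from dataclasses import dataclass

# Base metric weights: fixed by the advisory issuer and never change.
ACCESS_VECTOR = {"local": 0.7, "remote": 1.0}
ACCESS_COMPLEXITY = {"high": 0.8, "low": 1.0}
AUTHENTICATION = {"required": 0.6, "not_required": 1.0}
IMPACT = {"none": 0.0, "partial": 0.7, "complete": 1.0}
# Impact bias gives (confidentiality, integrity, availability) weights.
IMPACT_BIAS = {
    "normal": (0.333, 0.333, 0.333),
    "confidentiality": (0.5, 0.25, 0.25),
    "integrity": (0.25, 0.5, 0.25),
    "availability": (0.25, 0.25, 0.5),
}

# Temporal metric weights: change over the lifetime of the flaw.
EXPLOITABILITY = {"unproven": 0.85, "proof_of_concept": 0.90,
                  "functional": 0.95, "high": 1.0}
REMEDIATION_LEVEL = {"official_fix": 0.87, "temporary_fix": 0.90,
                     "workaround": 0.95, "unavailable": 1.0}
REPORT_CONFIDENCE = {"unconfirmed": 0.90, "uncorroborated": 0.95,
                     "confirmed": 1.0}

# Environmental metric weights: supplied by the end user, not the advisory.
COLLATERAL_DAMAGE = {"none": 0.0, "low": 0.1, "medium": 0.3, "high": 0.5}
TARGET_DISTRIBUTION = {"none": 0.0, "low": 0.25, "medium": 0.75, "high": 1.0}


@dataclass(frozen=True)
class BaseMetrics:
    access_vector: str
    access_complexity: str
    authentication: str
    confidentiality: str
    integrity: str
    availability: str
    impact_bias: str = "normal"


@dataclass(frozen=True)
class TemporalMetrics:
    exploitability: str
    remediation_level: str
    report_confidence: str


@dataclass(frozen=True)
class EnvironmentalMetrics:
    collateral_damage: str
    target_distribution: str


def base_score(m: BaseMetrics) -> float:
    """10 * AV * AC * Au * weighted impact, rounded to one decimal."""
    cb, ib, ab = IMPACT_BIAS[m.impact_bias]
    impact = (IMPACT[m.confidentiality] * cb
              + IMPACT[m.integrity] * ib
              + IMPACT[m.availability] * ab)
    score = (10 * ACCESS_VECTOR[m.access_vector]
             * ACCESS_COMPLEXITY[m.access_complexity]
             * AUTHENTICATION[m.authentication] * impact)
    return round(score, 1)


def temporal_score(base: float, t: TemporalMetrics) -> float:
    """Base score scaled by exploit maturity, fix status and confidence."""
    return round(base * EXPLOITABILITY[t.exploitability]
                 * REMEDIATION_LEVEL[t.remediation_level]
                 * REPORT_CONFIDENCE[t.report_confidence], 1)


def environmental_score(temporal: float, e: EnvironmentalMetrics) -> float:
    """Temporal score raised toward 10 by collateral damage, then scaled
    by how much of the user's estate is exposed."""
    cdp = COLLATERAL_DAMAGE[e.collateral_damage]
    td = TARGET_DISTRIBUTION[e.target_distribution]
    return round((temporal + (10 - temporal) * cdp) * td, 1)


def score_advisory(b: BaseMetrics, t: TemporalMetrics,
                   e: EnvironmentalMetrics) -> tuple:
    """Return (base, temporal, environmental) for one advisory as seen
    from one user's environment."""
    base = base_score(b)
    temporal = temporal_score(base, t)
    return base, temporal, environmental_score(temporal, e)


# Constructed sample advisory: remote, low complexity, no authentication,
# no confidentiality or integrity impact, partial availability impact
# (a network DoS), with a functional exploit and only a workaround.
SAMPLE_BASE = BaseMetrics("remote", "low", "not_required",
                          "none", "none", "partial")
SAMPLE_TEMPORAL = TemporalMetrics("functional", "workaround", "confirmed")
# Two constructed end-user environments reading the same advisory.
DATACENTER = EnvironmentalMetrics("medium", "high")
BRANCH_OFFICE = EnvironmentalMetrics("none", "medium")

if __name__ == "__main__":
    for name, env in (("datacenter", DATACENTER), ("branch", BRANCH_OFFICE)):
        print(name, score_advisory(SAMPLE_BASE, SAMPLE_TEMPORAL, env))
```

The point the article makes is visible in the output: the base and temporal scores are identical for every reader of the advisory, while the environmental score differs between the two constructed environments because that last stage is computed from the user's own collateral-damage and target-distribution inputs rather than from anything the vendor publishes.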
The project recently found a home with FIRST.org, a nonprofit made up of incident response and security teams worldwide, and supporters expect researchers and vendors to begin following Ciscos lead to make CVSS the de facto standard for severity ratings.
Mike Caudill, who sits on FIRST.org's board of directors, believes that widespread adoption of CVSS will remove the existing subjectivity from ratings and lessen the tension between software vendors and the private researchers who discover flaws.
Ideally, Caudill said, CVSS should complement Mitre's CVE (Common Vulnerabilities and Exposures), which has been widely used to standardize the names for all publicly known vulnerabilities and security exposures.
"We're hoping to get all the response teams internationally to try it out and start using it. There are a handful of organizations and companies trying out CVSS internally to get a feel for the system. We expect to start seeing public implementations as everyone becomes more comfortable," Caudill said in an interview with Ziff Davis Internet News.
FIRST.org has set up a special interest group to evangelize CVSS, and a kickoff meeting is scheduled for the end of June to provide an update on public implementations, he said.
Other Vendors Adopt CVSS
Besides Cisco, at least two vendors have announced plans to roll out public support for CVSS in the coming months. Qualys Inc., which sells on-demand vulnerability management services to enterprise customers, will add CVSS-based scores to its flagship QualysGuard solution.
"Right now, we're using a proprietary scoring system that rates vulnerabilities on a scale of 1-5. This summer, we'll be adding support for CVSS and we'll be recommending it highly for our customers," said Gerhard Eschelbeck, chief technology officer and vice president of engineering at Qualys.
"We have a big opportunity to create a universally valid scoring system that is generally accepted in the world," Eschelbeck declared. "We're excited by the fact that CVSS now has a new home at FIRST.org and we're looking forward to seeing others push ahead with implementations."
iDefense Inc., of Reston, Va., is also testing CVSS internally and plans to add CVSS scores to its alerts soon. iDefense, which buys the rights to information on security flaws found by underground researchers, will also offer CVSS scores alongside its own proprietary system, said Sunil James, director of vulnerability intelligence.
In an interview, James said internal testing of CVSS shows the system was "very consistent" with iDefense's own approach, which rates flaws on a tiered scale from minimal to extreme. "We're hoping it will eventually turn into a standard but that means that everyone has to get on board and start testing it."
For CVSS to take off, the concept must win acceptance from the big software vendors and security-alerts aggregators.
Microsoft Corp., which has a history of disagreeing with private researchers on the severity of flaws in its products, doesn't appear to be in a rush to adopt CVSS.
"There is no new news from Microsoft on this. The company has not made any decisions to adopt the CVSS ratings at this time," a spokesperson said in a brief statement sent to Ziff Davis Internet News.
Microsoft uses a proprietary severity-rating system that is publicly available on its Web site.
The federally funded U.S. CERT/CC (Computer Emergency Response Team/Coordination Center) is involved with the early work on CVSS, but there are no immediate plans for public implementation. "Part of this work includes evaluation of CVSS for possible use at CERT/CC," a spokesperson explained.
Secunia Inc., an alerts aggregator best known for tracking vulnerabilities in more than 4,500 pieces of software and operating systems, does not believe CVSS offers an improvement over its existing rating system.
"While I see certain interesting perspectives of the CVSS, I still believe that it attempts to take into account too many factors, which too often can't be reliably assessed or which very much depend on individuals' perception of certain issues," said Thomas Kristensen, CTO at Secunia.
Kristensen argued that the rating of vulnerabilities should take into account only the factors that can be reliably determined. "This basically boils down to who can exploit this, where can it be exploited from, and what is the ultimate impact. Naturally, it is also interesting if a vulnerability is fixed or if an appropriate workaround is available, but it doesn't change the rating of the issue; if you are vulnerable then the risk remains the same whether the patch is available or not," he said.
Kristensen acknowledged that a common rating system could provide an improvement over the existing situation, in which different systems lead to researchers exaggerating the extent of a flaw and vendors often downplaying issues.
He said Secunia does not plan to use CVSS. “We have tested it and find that our current rating system is more suitable for Secunia and our customers. One of the things Secunia is widely acknowledged for is the Secunia rating system, ranging from Not Critical to Extremely Critical. We also know that a large number of our customers who previously used a competing solution found our ratings to be better and more understandable,” Kristensen added.
“I see no reason why Secunia at present should change to or implement a new rating system.”
iDefense's James believes Secunia should reconsider that decision, arguing that the perceived weaknesses in the CVSS proposal could be fixed. "I look at CVSS as a more granular version of what vendors are trying to do. It will help customers to better understand what vendors are thinking," he said.