Dynamic Risk Management
Published in Nicholas Kolokotronis, Stavros Shiaeles, Cyber-Security Threats, Actors, and Dynamic Mitigation, 2021
Ioannis Koufos, Nicholas Kolokotronis, Konstantinos Limniotis
CVSS has three main benefits compared to other scoring systems. First, it is an open framework whose entries are updated daily and to which new entries are continually added. Second, vulnerability scores are standardized across open-source and commercial platforms. Well-known vulnerability databases on the Internet, such as the National Vulnerability Database (NVD), incorporate CVSS metrics in their feeds. In addition, when organizations use a common algorithm for scoring vulnerabilities, a single vulnerability management policy becomes possible. Finally, CVSS enables the prioritization of risks: given a vulnerability, computing its environmental score (ES) provides a better understanding of the overall risk. CVSS provides three groups of metrics, namely base, temporal, and environmental metrics.
Modeling Software Vulnerability Correction/Fixation Process Incorporating Time Lag
Published in Adarsh Anand, Mangey Ram, Recent Advancements in Software Reliability Assurance, 2019
J. Kaur, Adarsh Anand, O. Singh
For the purpose of verification, the proposed models have been tested on five data sets. The data sets were extracted from the Common Vulnerabilities and Exposures (CVE) database (www.cvedetails.com). The vulnerability discovery data was used to create the vulnerability fixation data. For this purpose, the vulnerabilities were categorized on the basis of the Common Vulnerability Scoring System (CVSS) score. CVSS assigns a score to every vulnerability based on numerous factors, which in turn helps the firm gauge the risk that a particular vulnerability poses. The CVSS score can be used to further categorize vulnerabilities qualitatively: vulnerabilities with CVSS scores between 0.1 and 3.9 are considered low severity; those between 4.0 and 6.9 medium severity; those between 7.0 and 8.9 high severity; and those between 9.0 and 10 critical severity.
Categorization of Vulnerabilities in a Software
Published in Adarsh Anand, Mangey Ram, System Reliability Management, 2019
Navneet Bhatt, Adarsh Anand, Deepti Aggrawal, Omar H. Alhazmi
The discovery process does not classify all potential vulnerabilities at the same time. The vulnerabilities detected over time can be categorized using the Common Vulnerability Scoring System (CVSS), which is deployed to calculate the severity rating of each vulnerability. The scoring procedure is governed by the Forum of Incident Response and Security Teams (FIRST) and aims to remediate the vulnerabilities that pose the highest risk by providing a normalized score across all hardware and software platforms. CVSS classifies vulnerabilities based on various characteristics in order to assess their severity. The scoring system assists in investigating several parameters that quantify the intrinsic properties of a vulnerability and its exploitability for breaching a system. CVSS uses both qualitative and quantitative characteristics to measure the impact of a vulnerability in a software product. The National Vulnerability Database, as organized by CVE Details (www.cvedetails.com), provides the score report and type of each vulnerability present in a software product. About ten vulnerability types account for most of the vulnerabilities discovered and attributed by CVE Details. A brief review of the various vulnerability types is given in Section 9.1.1.
Software security evaluation using multilevel vulnerability discovery modeling
Published in Quality Engineering, 2023
Ruchi Sharma, Avinash K. Shrivastava, Hoang Pham
In this article, we have considered that the vulnerability pool in software consists of vulnerabilities of different severity levels that show different behavior over time. Hence, instead of modeling the vulnerability discovery process with a single distribution function, we have divided our vulnerability database into three categories: high, medium and low severity levels. Based on the Common Vulnerability Scoring System (CVSS), high corresponds to a severity level of [7–10), medium to a severity level of [3–7) and low to a severity level of [0–3). CVSS provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high) to help organizations properly assess and prioritize their vulnerability management processes (https://www.first.org/cvss/). In our proposed model these three categories have been modeled independently, and the final prediction is made by combining them into a single function with three variables. Next we describe the notations, assumptions and framework of the proposed model.
Assessing smart light enabled cyber-physical attack paths on urban infrastructures and services
Published in Connection Science, 2022
Ioannis Stellios, Kostas Mokos, Panayiotis Kotzanikolaou
The Common Vulnerability Scoring System (CVSS) is used to assess the severity of Common Vulnerabilities and Exposures (CVE) software vulnerabilities. As our underlying methodology is based on CVSS metrics, we briefly explain the notation used in these documents; for further details, we refer to FIRST.Org (2019). Software vulnerabilities in CVE/CVSS are defined based on exploitability and impact factors. The former include: the Attack Vector (AV), i.e. where an attacker must be positioned to exploit the vulnerability, with possible values (N)etwork, (A)djacent network, (L)ocal and (P)hysical; the Attack Complexity (AC) with values (L)ow or (H)igh; the Privileges Required (PR) with values (N)one, (L)ow or (H)igh; the User Interaction (UI) with values (N)one or (R)equired; and the Scope (S) with values (U)nchanged or (C)hanged. The impact metrics consist of the Confidentiality (C), Integrity (I) and Availability (A) impact, each on the scale (N)one, (L)ow or (H)igh.
An adaptive defense mechanism to prevent advanced persistent threats
Published in Connection Science, 2021
Yi-xi Xie, Li-xin Ji, Ling-shu Li, Zehua Guo, Thar Baker
Preparation stage. To obtain the vulnerability relationships among the available instances, an automated generation tool is employed to scan the tenant subnet and plot the network graph thoroughly. Subsequently, vulnerability scanning tools (e.g. Nessus) analyze the system. Finally, to compute the risk degree, the online scoring calculator of the Common Vulnerability Scoring System (CVSS) is adopted (Schiffman, 2020). CVSS is a vulnerability assessment framework commonly used for IT systems to obtain an objectively quantified numerical vulnerability value. The IBAAT system can then build a Bayesian attack graph and update its structure and parameters periodically.