The Common Vulnerability Scoring System (CVSS) is an open industry standard used to assess the severity of cybersecurity vulnerabilities. In this video, explore an overview of the CVSS and how it is used in the industry.
- [Narrator] When assessing and prioritizing vulnerabilities, they're ranked as to severity: critical, high, medium, and low. Now I'm at this web page NIST Special Publication 800-30 and I'll go to page 78. Now here we can see an assessment scale that the values give us an indication of the severity of the vulnerability. Now I'll highlight this right here. This is a high level and what it says is this exploitation could result in severe impacts. Now at the bottom, you'll see some vulnerabilities listed with a score of zero or two and most likely they've been reduced because there's been a patch that's been released or enough time has passed and that reduces the score. Now we'll go to this document. I'll scroll up and show you that. This is where we can find more detailed information on the Common Vulnerability Scoring System. I'll scroll down and enlarge this image. Now, the Common Vulnerability Scoring System is made of three metric groups that contribute to the overall score. The metrics include the Base, Temporal and Environment. Together, these will impact the overall score. Now the Base Group represents the basic qualities of a vulnerability that are constant over time and across user environments. The Temporal Group reflects the characteristics of a vulnerability that change over time but not across user environments. And the Environmental Group represents the characteristics of a vulnerability that are unique to a user's environment. Now, the Common Vulnerability Scoring System is an industry standard that rates the severity of vulnerabilities. The results are then used in the Common Vulnerabilities and Exposure. Now the Common Vulnerabilities and Exposures provide listings to aid in prioritizing vulnerabilities. And you can read more about it here. But the results of the Common Vulnerabilities and Exposures will then feed into the National Vulnerability Database. And this database is a repository that is used by security devices and software to automate vulnerability management which in turn can reduce overall risk. Now, we see how those three sites work together but let's take a look at how some results are used when calculating the severity of an issue. Then we'll go to this webpage here. Now, here we're at HackerOne. This is a site that offers a platform for a bug bounty program. They use the values of the Common Vulnerability Scoring System to provide a severity level when generating a report. Now, as you can see, the severity level can be marked by none, low, medium, high, or critical. Now we'll take a look here where we can see some examples. This is some of the hacktivity and this is produced by active hackers that go and try to look for vulnerabilities to help companies so that this doesn't lead to a major exploit. And when you take a look at this, you'll see some pretty good bounties were paid for some of these discoveries. One that I thought was significant was this one right here, where we see details about a Remote Code Execution via a Node Package Manager misconfiguration. And if you'd like, you can take a little closer look here. I just clicked on it. So I could read a little bit more about that and it's linked to an article. So the Common Vulnerability Scoring System provides insight on vulnerabilities to build awareness. Once recognized, vendors move to mitigate the vulnerability and hopefully prevent or reduce the chance of an exploit.