Tuesday, 7 June 2016

CVSS scores are not enough for modern cybersecurity defense

Relying on CVSS scores to estimate the risk to security may be placing individuals and the enterprise at greater risk than believed, researchers say.

The Common Vulnerability Scoring System (CVSS) is a way to document and measure a software vulnerability’s risk factors. CVSS has undergone a number of evolutions with the latest being CVSS V3 — which includes some contextual data — but many businesses still rely on the system’s base score, which only includes a severity rating based on the technical details of the flaw.

However, without additional data, IT staff may not be addressing a vulnerability’s true scope and risk, and therefore, patching priorities may be affected.

After evaluating over a million unique vulnerabilities and more than 76,000 vulnerabilities contained in the National Vulnerability Database over a 20-year period, researchers from NopSec concluded that CVSS scores are simply “not enough” to evaluate today’s threats properly, and the enterprise must take contextual information into account to prevent future data breaches and successful cyberattacks based on software flaws.



from cyber security caucus http://ift.tt/1teg3xA