1. CVSS Score
Purpose: Provides an open standard for assessing the severity of vulnerabilities.
Factors Considered: CVSS evaluates three metric groups:
Base Score: Reflects intrinsic characteristics of the vulnerability (e.g., attack vector, complexity, privileges required, user interaction, etc.).
Temporal Score: Accounts for factors that change over time (e.g., exploit maturity or remediation level).
Environmental Score: Adjusts for the impact in a specific user environment (e.g., criticality of assets affected).
Scale: Numeric score between 0.0 (low severity) and 10.0 (critical severity), often mapped to qualitative severity levels (Low, Medium, High, Critical).
Standardized and Transparent: Used across industries, making it a common reference point.
Limitations:
--> Doesn't account for the context or asset-specific impact without environmental adjustments.
--> Static and doesn't reflect the real-time threat landscape.
2. Qualys Assigned Score
Purpose: Prioritizes vulnerabilities based on a combination of technical and business risk, considering the specific threat landscape.
Factors Considered:
CVSS Base Score: Used as the technical input.
Real-world exploitability: Whether exploits are available in the wild or being actively exploited.
Business Context: Asset criticality (e.g., is the asset internet-facing?).
Risk Intelligence: Insights from Qualys' threat and vulnerability intelligence feeds.
Scale: Qualys may use custom risk levels (e.g., numeric scores or categories like "Critical," "High," etc.).
Dynamic and Contextual: Continuously updated based on new threat data, making it more actionable for prioritization.
Limitations:
--> Proprietary: Can vary between organizations depending on the Qualys configuration.
--> May differ significantly from CVSS due to added contextualization.
Example:
A vulnerability might have a CVSS Base Score of 9.8 (Critical) due to its inherent characteristics, but Qualys could assign a lower score if:
--> No known exploits exist in the wild.
--> The affected system is not mission-critical or accessible.
Conversely, Qualys might increase the score for a vulnerability with a lower CVSS score if:
--> Exploits are actively circulating.
--> The asset is critical or exposed to external threats.
Both scores serve complementary purposes: CVSS provides a standardized baseline, while Qualys offers actionable prioritization tailored to real-world contexts.
Happy Learning!!
VulnerabilityManagement CyberSecurity