A&P

Vulnerability Ratings


When you conduct a vulnerability scan of your systems, the findings will come with ratings. You will also see ratings when a software vendor releases a patch to fix vulnerabilities. You can look up your software in the National Vulnerability Database to see whether there are any known vulnerabilities in your version and what their ratings are.


Ratings are a measure of how severe an issue the problem is. They help people understand what is an emergency, drop-everything-and-patch-right-away type of issue versus something that is a lower priority. Issues are usually a higher priority when they offer some method of external compromise or involve remote access. More information about vulnerability ratings can be found at https://nvd.nist.gov/vuln-metrics/cvss


Ratings are generalized based on what the vulnerability can do. Your individual risk may be higher or lower than the general risk rating. One reason it might be higher is where the software is placed in your organization. Something that faces the internet is constantly bombarded by attempts to break in. If a vulnerability becomes known in that software, it will likely be exploited. It is at higher risk than something that is air-gapped from the internet with no direct network connections.


One factor that is not included is the use of the software in life safety systems. With the introduction of the Internet of Things (IoT), software can have a life safety impact. At a conference several years ago, there was a talk about lower-level vulnerabilities that could be exploited to open and close a garage door at a car wash. In those instances the purpose the software was used for could affect life safety. An attacker could close the garage door on unsuspecting members of the public, injuring or even killing them. The purpose the software served in that instance gave those lower-level vulnerabilities a much higher effective rating.


Ratings are important guidance on how worried you should be and how fast you need to patch. However, they are only a starting point. You have to look at how you use the software and add your own risk factors to make a determination for your organization.
