RSA: Major companies tout new vulnerability rating system

The Common Vulnerability Scoring System was unveiled yesterday

Leading IT companies including Cisco Systems Inc., Microsoft Corp. and Symantec Corp. are promoting a rating system that will standardize severity ratings of software vulnerabilities.

A plan for the new system, called the Common Vulnerability Scoring System (CVSS), was unveiled at the RSA Conference in San Francisco yesterday. If widely adopted, it would provide a common language for describing the seriousness of computer security vulnerabilities and replace vendor-specific rating systems, according to Mike Schiffman, a researcher at Cisco.

Schiffman offered a presentation on the system at RSA.

The new scoring system is part of a project by the National Infrastructure Advisory Council to create a global framework for disclosing information about security vulnerabilities. Representatives from government and the IT industry contributed to the CVSS proposal, including eBay Inc., Qualys Inc., Internet Security Systems Inc. and Mitre Corp.

NIAC, part of the U.S. Department of Homeland Security, is concerned with the security of information systems that support critical infrastructure in areas such as banking, finance, transportation, energy and manufacturing.

CVSS will use standard mathematical equations to calculate the severity of new vulnerabilities based on basic information such as whether a vulnerability can be remotely exploited or whether an attacker must log into a vulnerable system before being able to exploit a security hole, said Gerhard Eschelbeck of Qualys.

CVSS ratings will also consider timing issues, such as whether an exploit or a software patch for a specific vulnerability is available, and how long it has been available, he said.

The new rating system will be akin to the Common Vulnerabilities and Exposures (CVE) database maintained by Mitre, which provides standard identifiers and information about software holes. As with CVE, vendors will most likely use CVSS ratings as a common base of reference but continue to offer their own analysis or threat assessments, Eschelbeck said.

IT security vendors will use the CVSS in their products to evaluate and prioritize software vulnerabilities. Vendors will also be asked to provide ways for customers to enter information about their IT environment, such as the number and type of systems affected, before calculating a final CVSS rating, he said.

For example, a remotely exploitable vulnerability that affects a worker's desktop system might have a different CVSS rating than one that affects a critical payroll or human resources server, Eschelbeck said.

The system will be different from rating systems such as Symantec's ARIS attack scoring system because it will not be used as a warning system for malicious-code outbreaks, according to Schiffman's presentation.

CVSS has backing from major IT players and a detailed plan for implementation. However, the system doesn't yet have a home. Organizers are looking for companies or organizations, such as NIAC or Mitre, to host CVSS and provide portals for Internet users and IT vendors to access the information, Eschelbeck said.

Once it has a host and is widely implemented, CVSS will give IT administrators and vendors an easy way to assess the relative risk of software vulnerabilities and to prioritize patching on large networks, he said.

"It used to be that people never patched their systems, and that didn't work. Then the common wisdom was that you had to patch everything, and that wasn't realistic, either," Eschelbeck said.

"The truth is somewhere in the middle of the two, and prioritization is the key to that," he said.

5 power user tips for Microsoft OneNote
Shop Tech Products at Amazon