Can you Spot the Difference?
A vulnerability’s Severity is important, but its Risk to your business is a more valuable metric when resources to fix are limited.

When talking vulnerabilities…are all Criticals…critical?
When should you accept the CVSS Severity rating as the actual Risk to your system and when should you not?
How do you know?
What is the difference between re-evaluating the severity score and completion of a risk analysis?
Why do GovRamp and FedRamp seem to use the 2 terms interchangeably???
Well…let’s discuss…
Okay, before I get started in on this topic and show you how the CVSS base score changes depending on specific system details…let me give you a few basic facts.
People almost always use the terms Severity Rating and Risk Rating interchangeably in relation to cybersecurity, and really in all risk evaluations. Just as the words “threat” and “vulnerability” are not the same (one being the actor doing harm and the other the weakness that allows the harm to happen), “severity” and “risk” are not the same. Severity is a measure of degree, e.g., how big the hole in your roof is, while risk combines the likelihood of the threat occurring with the impact of the damage the threat would cause. Tomato, tomato???
Why does it matter? What do the experts say?
NIST
In explaining its CVE scoring methodology, NIST is very clear. I quote:
“The Common Vulnerability Scoring System (CVSS) is a method used to supply a qualitative measure of severity. CVSS is not a measure of risk.”
I haven’t always been successful in pointing out this difference to others. I’ve been met with pushback on this concept, such as “Does it matter? We aren’t trying to get out of remediating the vulnerability after all.” And no, it may not matter if you are only trying to slough off work. If you seek to ignore vulnerabilities, it does not really matter what the risk or severity rating was in the first place. Perhaps you are trying to avoid remediation efforts by reducing a high severity vulnerability to a low…and perhaps you noted there was no specific limit of how many lows you can have when reporting to your PMO monthly. (Don’t be cheeky!) Okay, there is a limit to what a team can fix, but eliminating work isn’t my goal.
The reason I point this out is the same reason that NIST points it out: severity helps with PRIORITIZATION. The CVSS scoring system is intended as a metric to help businesses prioritize vulnerability processing. So if the base score, which I will demonstrate a bit later, is Critical, High, Medium or Low, and you then finish out the full metrics or tweak the base metrics to match the system you have designed, the end severity rating for your organization may differ from the base score generated by NIST’s team or by industry researchers. It is important to be able to calculate the true severity, or at least to verify it in the case of vulnerabilities reported to you by an automated scanner. Maybe not every time, but certainly in the case of a Critical or High vulnerability with a complex solution and a 30-day time frame. Okay…but what do the compliance certifying authorities such as GovRamp and FedRamp have to say?
FedRamp & GovRamp
The primary goal of both of these entities is to verify and certify an organization’s adherence to NIST SP 800-53 rev. 5: is your organization continuously monitoring for vulnerabilities and prioritizing them?
The nuances between Severity Rating and Risk Rating are less important to them than the work getting seen, and done, in a timely manner. Their end goal is to affirm compliance with NIST frameworks and best practices, which is a complex process, but to sum up: their job is to make sure service providers doing business with Federal, State, or local governments comply with the best practices developed by NIST, which means verifying that you are, in fact, continuously fixing your vulnerabilities in a timely fashion. Their main goal is to make sure you are doing the work to make your service safe for government use, not to make sure you prioritize against your business goals correctly. Severity and risk are basically interchangeable for their purposes, so they conflate the two terms. GovRamp simply does not mention severity scores in its Deviation Request documentation; everything is called “Risk.” FedRamp, on the other hand, uses CVSS scoring as a starting place but then launches into risk assessments without specifying that they are different metrics.
Here are the relevant columns from the respective organizations’ Vulnerability Deviation Request forms:
GovRamp DR Spreadsheet
GovRamp only uses the word “risk,” but while referring to a Risk Assessment (RA) it shows you the CVSS score metrics for Severity.

FedRamp DR Spreadsheet
FedRamp uses the terms “risk rating” and “CVSS base score,” so it is obvious they recognize the difference, but they don’t clearly define why both are on the form. Again, they show a risk reduction using the CVSS base score metrics.

So why do I care?
Wait, should anyone really care about the difference between the 2 words? I mean, you still have to fix the things, right?
Yes.
The vulnerabilities need to be addressed, but in the correct order and with the correct resources. Therefore the nuance matters. So if it matters, what do we do about it? Remember the original questions:
- Are all Criticals…critical?
- When should you accept the CVSS Severity rating as the actual Risk to your system and when should you not?
- How do you know?
We will cover this, and in time you will be so good at understanding the calculations that perhaps you won’t need to do the math…or maybe you will just have a faster way to do the math and make vulnerability prioritization…easy breezy…or well…maybe just more manageable?
