SCORES - How It Works

Summary

Contemporary vulnerability scoring standards like CVSS and EPSS lack the ability to be contextualized for a given organization. They do not consider the contextual parameters of the IT asset on which a vulnerability is identified, nor the nature of the organization's business. Remediation efforts that rely on these standardized scores alone may be counter-productive to overall risk reduction.

Seconize Contextual Risk Enumeration System (SCORES) is a free risk scoring tool for vulnerabilities. You can create contextualized risk scores for vulnerabilities based on your organization and Asset context, using proven decision science techniques.

Background

Terms such as vulnerability, threat and risk are often used interchangeably, leading to confusion. Below are the definitions of these terms as used in the context of SCORES.

Definitions

| Term | Definition | Examples |
|------|------------|----------|
| Vulnerability | A weakness in an information system, system security procedures, internal controls, configurations, or the implementation of IT infrastructure. | Lack of Multifactor Authentication, Lack of Encryption, Excessive Privileges, SQL Injection, log4j, HeartBleed, Follina, CVE-2022-27664 |
| Impact | An impact on the organization in terms of financial or reputational losses. | Loss of Productivity, Revenue Loss, Cost of Investigations, Penalties, Loss of Brand Reputation |
| Threat | Any circumstance or event with the potential to adversely impact organizational operations, assets or individuals through an information system. | Denial of Service, Ransomware, Phishing, Data Breach, Espionage, Outage, Theft |
| Threat Actor | An individual or group that can manifest a threat to the organization. | Disgruntled Employee, Cyber Criminal, Competitor, Nation State Actor, Vendor |
| Risk | A function of the likelihood of a threat event's occurrence, caused by a threat actor, resulting in adverse impact. | High likelihood of a cybercriminal exploiting a SQL Injection on a website, resulting in loss of data |
| Risk Intelligence | A collection of information that lists potential risks to the organization. | A prioritized list of risks identified during an assessment |
| Control | A technical or non-technical information security control that remediates or mitigates a potential IT risk to the organization. | Anti-Virus, Firewall, SIEM, Information Security Policies, Security Awareness Trainings |

Risk Factors

Efforts like patching servers, fixing software bugs and implementing policies to remediate identified vulnerabilities are often resource intensive. Considering the raw vulnerability score alone (without the Asset context or organization context) is not an optimal way of prioritizing vulnerabilities. In fact, research has shown that it is counter-productive to managing risk [1], [2]. Additional context is needed to prioritize.

  1. Threat Context: A vulnerability is a threat only when an exploit is available. The likelihood of the threat increases further when there is an active malware campaign exploiting this vulnerability.

  2. Organization Context: The likelihood of a threat occurring through existing vulnerabilities depends on the industry type and the geographies in which the organization operates. This is due to the nature of how threat actors operate and their motivations. For example, malware exploiting a vulnerability in the SWIFT network will most likely impact banking organizations.

  3. Asset Context: Not all assets are equally prone to threats; it depends on what kind of controls exist. For example, a Windows Server behind a VPN is less likely to be exploited than a public Internet-facing one. Also, not all assets are equally important: if a threat event occurs, its impact depends on how important the affected asset is. For example, a SQL Injection vulnerability on an e-commerce website processing commercial transactions could be devastating, whereas the same vulnerability on a read-only blog will have a lesser impact.

A risk scoring mechanism should consider the above contextual risk factors.

CVSS Score

Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: Base, Temporal, and Environmental. The CVSS v3.1 Specification states that the CVSS Base Score represents only the intrinsic characteristics of a vulnerability, which are constant over time and across user environments. So, by the definitions set out above, a CVSS score is at most a vulnerability score, not a risk score: the mere presence of a vulnerability does not in itself constitute risk.

EPSS Score

Exploit Prediction Scoring System (EPSS) is an open, data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild. This score may at best estimate the future likelihood of a threat occurrence; it still does not consider asset and organization context, so it does not qualify as a risk score.

SCORES

Seconize Contextual Risk Enumeration System (SCORES) is a free risk scoring tool. You can create contextualized risk scores for vulnerabilities based on your organization and Asset context using proven decision science techniques. SCORES helps you to contextualize vulnerabilities to your environment.

By and large, the spirit of SCORES is to provide a simple, scalable way of computing a contextualized risk score for vulnerabilities.

The following comparison covers which contextual factors the CVSS Base Score, EPSS and SCORES each take into account: Vulnerability, Exploit, Active Attack Campaigns, Asset Reachability, Asset Rank, and Organization Profile.

How To SCORE?

You can SCORE vulnerabilities and create a personalized risk report for free in three simple steps.

Step 1: Select Vulnerability

Input the CVE of interest to create a report. By default, the SCORES backend is integrated with many threat-intel sources to determine whether an exploit is available and whether active malware campaigns exist. If you would like to override the default values, you are free to do so.

Step 2: Select Asset Context

For a given CVE, the SCORES tool lists the impacted products and their respective versions by default. Select the appropriate product and versions based on the Assets in your environment.

Additionally, the following contextual parameters influence the risk score:

  • Asset Reachability: If the IT Asset is facing the Internet, select “External”. If the Asset is inside a private network, for example behind a VPN or WAF, select “Internal”.
  • Data Classification and Rating: Provide details of what type of data the Asset contains and how important that data is, on a simple scale of 1 to 5 (where 5 is very important).
  • Service Classification and Rating: Provide details of what type of service the Asset offers and how important that service is, on a simple scale of 1 to 5 (where 5 is very important).

Step 3: Select Organization Context

Threat actors often target specific industry types and geographies. Select your industry type and the geographies in which your organization operates. The SCORES tool matches them against threat intelligence to contextualize the risk score accordingly.
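To make the three steps concrete, here is an added, illustrative model (written for this page, not SCORES' own algorithm, whose weights and decision-science method are not published here) that combines the Step 1 threat inputs, Step 2 asset inputs and Step 3 organization inputs into a risk score using the page's own definition of risk as likelihood times impact. The uplift constants, the reachability factors and the threat-intel fields are assumptions chosen for the example.

```python
from dataclasses import dataclass, field

# Illustrative contextual risk model, constructed for this example (not SCORES' own algorithm).
# Inputs mirror the three SCORES steps: threat context, asset context, organization context.
EXPLOIT_UPLIFT = 0.2   # assumed uplift when a public exploit is available
CAMPAIGN_UPLIFT = 0.3  # assumed uplift when an active malware campaign exploits the CVE
ORG_UPLIFT = 0.2       # assumed uplift when actors target the organization's industry or geography
REACH_FACTOR = {"External": 1.0, "Internal": 0.5}  # Step 2 reachability values (factors assumed)

@dataclass
class ThreatContext:            # Step 1 inputs (threat-intel fields are constructed stand-ins)
    cvss_base: float            # 0-10 intrinsic severity
    epss: float                 # 0-1 probability of exploitation in the wild
    exploit_available: bool
    active_campaign: bool
    targeted_industries: set = field(default_factory=set)
    targeted_geographies: set = field(default_factory=set)

@dataclass
class AssetContext:             # Step 2 inputs
    reachability: str           # "External" or "Internal"
    data_rating: int            # 1-5, 5 = most important
    service_rating: int         # 1-5

@dataclass
class OrgContext:               # Step 3 inputs
    industry: str
    geographies: set

def likelihood(threat, asset, org):
    """EPSS raised by exploit, campaign and org-targeting evidence, scaled by reachability (0-1)."""
    p = threat.epss
    p += EXPLOIT_UPLIFT if threat.exploit_available else 0.0
    p += CAMPAIGN_UPLIFT if threat.active_campaign else 0.0
    targeted = org.industry in threat.targeted_industries or bool(org.geographies & threat.targeted_geographies)
    p += ORG_UPLIFT if targeted else 0.0
    return min(1.0, p) * REACH_FACTOR[asset.reachability]

def impact(threat, asset):
    """Intrinsic severity scaled by how important the asset's data or service is (0-1)."""
    return (threat.cvss_base / 10.0) * (max(asset.data_rating, asset.service_rating) / 5.0)

def contextual_risk(threat, asset, org):
    """Risk on a 0-10 scale as likelihood x impact, following the page's definition of risk."""
    return round(10.0 * likelihood(threat, asset, org) * impact(threat, asset), 2)

# Constructed sample: one critical CVE assessed for two assets of the same bank.
CVE = ThreatContext(9.8, 0.05, exploit_available=True, active_campaign=True, targeted_industries={"Banking"})
BANK = OrgContext("Banking", {"IN", "US"})
ECOMMERCE_SITE = AssetContext("External", data_rating=5, service_rating=4)
INTERNAL_BLOG = AssetContext("Internal", data_rating=1, service_rating=2)
```

With the same CVSS 9.8 CVE, the Internet-facing e-commerce site scores 7.35 while the internal read-only blog scores 1.47, which is the asset-context effect the Risk Factors section describes.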

Next Steps

SCORES is a free risk scoring tool that considers the context of the vulnerability, the Asset and the organization to compute a customized risk score. SCORES helps you to contextualize vulnerabilities to your environment, so keep calm and SCORE now!