Customize your monitored Products by adding an Environmental CVSS vector

Yes, it’s done! Now, you an customize your monitored products and add, for each one, a CVSS Environmental Vector! But, wait! What is an Environmental Vector and what it can do for you? Simple, lower or higher the score of an Alert, based on YOUR Environment!

The basis

Starting with the base, here is the definition of the CVSS Scoring system:

CVSS is composed of three metric groups: Base, Temporal, and Environmental, each consisting of a set of metrics. These metric groups are described as follows:

  • Base: represents the intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments.
  • Temporal: represents the characteristics of a vulnerability that change over time but not among user environments.
  • Environmental: represents the characteristics of a vulnerability that are relevant and unique to a particular user’s environment.

What is an Environmental vector

The Environmental is described as: “Different environments can have an immense bearing on the risk that a vulnerability poses to an organization and its stakeholders. The CVSS environmental metric group captures the characteristics of a vulnerability that are associated with a user’s IT environment. Since environmental metrics are optional, they each include a metric value that has no effect on the score. This value is used when the user feels the particular metric does not apply and wishes to "skip over" it.

Why using it

Each product that you have, is not affected the same way by a Security Alert. A simple example, could be Firefox. You can have it on a computer, directly connected to the internet, and another one, on a bunker, which can only let you browse “internal content”. As you can see, an exploit cannot affect theses two products the same way. That’s why Environmental vector is used!

How it works

The Environmental vector is divided in metrics:

  • Collateral Damage Potential (CDP):This metric measures the potential for loss of life or physical assets through damage or theft of property or equipment. The metric may also measure economic loss of productivity or revenue. Naturally, the greater the damage potential, the higher the vulnerability score. Clearly, each organization must determine for themselves the precise meaning of “slight, moderate, significant, and catastrophic”.
  • Target Distribution (TD):This metric measures the proportion of vulnerable systems. It is meant as an environment-specific indicator in order to approximate the percentage of systems that could be affected by the vulnerability. The greater the proportion of vulnerable systems, the higher the score.
  • Security Requirements (CR, IR, AR):These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user’s organization, measured in terms of confidentiality, integrity, and availability, That is, if an IT asset supports a business function for which availability is most important, the analyst can assign a greater value to availability, relative to confidentiality and integrity. Each security requirement has three possible values: low, medium, or high.The greater the security requirement, the higher the score ( remember that medium is considered the default ).

In short, the Environmental vector can Lower or Higher the Score of an Alert for a particular product, in a particular environment! A Low Alert can become High, for you! Because environment matters!

If you want to read some documentation, you can reach the CVSS website or play with our CVSS Calculator. By the way, and to be clear, all of our Alerts and Products (CPE) are managed by theses Vectors.

How to use

Jump directly to your Monitoring Panel and customize your Product/Version! Simple isn’t it? Documentations are inside, of course! And you could add the same product as long as you have different environment vectors for them!

With that, we compute for you a new “score” for all affected alerts. Alerts and CPE (Product / Version) are now affected by your environmental vector(s). And if you have more than one CVSS for a product, we display all information and all possibilities!

Others

We have made some changed to the title of the alerting system and added a date to the end of the email.

And of course, we have made some little change on Alerts and CPE Pages, worked on optimizations, changed the login system with your email as login instead of your username and removed the Capthca... And Yes, we have changed the Facebook comment to the Disqus comment system...

Next steps

More customizations are coming, like changing the alerting email "To" and perhaps, if we can, let you specify at what score you would like to be email like "only if score > xx"...

Want some improvement? Fell free to comment this post ;)

Again, thank you! Hope you like this new feature!
Security-Database Team