ITL Bulletin for October 2007

ITL Bulletin for October 2007
ITL Bulletin for October 2007

Forwarded from: Elizabeth Lennon 



Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
U.S. Department of Commerce

To protect the security of their information technology (IT) systems, 
managers must continually identify and assess the vulnerabilities of 
their systems. Severe weaknesses in IT systems security often stem from 
software or system implementation flaws. These weaknesses, or 
vulnerabilities, make the systems attractive targets for attacks that 
can seriously change or harm the confidentiality of data, the integrity 
of data, and the availability of systems. Because they may have many 
different hardware and software platforms and many different threat 
issues to deal with, managers need a way to prioritize the 
vulnerabilities of their systems and to address those vulnerabilities 
that pose the greatest risk.

The Information Technology Laboratory of the National Institute of 
Standards and Technology (NIST) recently issued information about the 
Common Vulnerability Scoring System (CVSS), which provides an open 
framework for scoring the characteristics and impacts of IT 
vulnerabilities. The CVSS enables IT managers, vendors, information 
providers, and researchers to exchange information about IT 
vulnerabilities using a common language and scoring scheme, and to take 
needed actions to improve the security of their systems.

NISTIR 7435, The Common Vulnerability Scoring System (CVSS) and Its 
Applicability to Federal Agency Systems

The Common Vulnerability Scoring System (CVSS) and Its Applicability to 
Federal Agency Systems, written by Peter Mell and Karen Scarfone of NIST 
and by Sasha Romanosky of Carnegie Mellon University, was issued in 
August 2007 as NIST Interagency Report (NISTIR) 7435. The report 
explains the CVSS and discusses the available methods and issues related 
to scoring systems for vulnerabilities.

NISTIR 7435 helps IT managers to make sense of vulnerability data and to 
take appropriate actions that will protect their systems and 
information. NISTIR 7435 describes in detail the three groups of metrics 
that compose the CVSS and provides specific examples of how to perform 
the CVSS scoring procedures. It provides guidelines on the scoring 
process and defines the equations used to generate three groups of 
metrics:  base, temporal, and environmental scores. Also included in the 
report are examples of the scoring to help explain the process and the 
use of the equations.

The appendices provide information about electronic in-print resources 
that are available to help organizations implement the CVSS. Also 
included in the appendices are an abbreviation list and an acronym list. 
NISTIR 7435 is available from NIST's website at 

Scoring for Vulnerabilities

Both commercial and noncommercial organizations have developed 
vulnerability "scoring" systems that are available for use. These 
various systems have different advantages and disadvantages, and they 
often differ in what they measure. Some of these scoring systems provide 
only one approach for measuring the impact of vulnerabilities, and they 
may assume that the impact of vulnerabilities is uniform for all 
individuals and organizations.

The CVSS provides a more consistent approach to scoring vulnerabilities. 
It is managed by the Forum of Incident Response and Security Teams 
(FIRST), an international confederation of computer incident response 
teams that handle computer security incidents and promote incident 
prevention programs. The CVSS is a free and open standard, is available 
to all to use and implement, and is not limited just to members of 
FIRST. To further common understanding of the scores that users obtain 
with the CVSS, FIRST asks that organizations publishing vulnerability 
scores conform to the guidelines described in NISTIR 7435 and provide 
both the score and the scoring vector in their published results.

The CVSS is useful for organizations such as:

-  Producers of vulnerability bulletins in both nonprofit and commercial 
   organizations that provide CVSS temporal scores to users;

-  Software application vendors who provide CVSS information to their 
   customers to enable them to manage their IT risks more effectively;

-  Private sector organizations that use the CVSS internally to make 
   informed vulnerability management decisions;

-  Vulnerability scanning and management organizations that scan 
   networks for IT vulnerabilities and make CVSS scores available to 
   user organizations;

-  Security risk management firms that use CVSS scores as input to 
   report to their customers about their risk or threat levels; and

-  Researchers who perform statistical analyses on vulnerabilities and 
   vulnerability properties.

The Common Vulnerability Scoring System version 2.0 website
is at 

The Scoring System

The CVSS consists of three groups of scores: Base, Temporal, and 
Environmental. Each group produces a numeric score ranging from 0.0 to 
10.0 and a vector, a compressed textual representation that reflects the 
values of the metrics used to derive the score.

The Base group of metrics represents the intrinsic and fundamental 
characteristics of a vulnerability that are constant over time and user 

The Temporal group represents the characteristics of a vulnerability 
that change over time but not among user environments.

The Environmental group represents the characteristics of a 
vulnerability that are relevant and unique to a particular user's 

The detailed process for scoring is explained in Section 3 of NISTIR 
7435. Scoring can be done by any of the user organizations mentioned 
above. In general, vulnerability bulletin analysts, security product 
vendors, and application vendors, with detailed knowledge of the 
characteristics of vulnerabilities, usually cite the base and temporal 
metrics. If they desire, users can use the CVSS to check a vendor's 
calculations of vulnerabilities. Users generally cite the environmental 
metrics because they are best able to assess the potential impact of a 
vulnerability within their own environments.

There are clear benefits to be gained from using the CVSS, which allows 
managers to convert masses of vulnerability data into distilled 
information that they can directly apply to improve the security of 
systems. Specific benefits include:

Standardized Vulnerability Scores: When an organization normalizes 
vulnerability scores across all of its software and hardware platforms, 
it can leverage a single vulnerability management policy. This policy 
may be similar to a service level agreement (SLA) that states how 
quickly a particular vulnerability must be validated and remediated.

Open Framework: Users can see the individual characteristics that are 
used to derive a score for a vulnerability when the CVSS is used. This 
common framework helps to avoid user confusion when a vulnerability is 
assigned an arbitrary score under a different system.

Prioritized Risk: When the environmental score is computed for a 
vulnerability, users can put the information into the context of their 
systems, determine the actual risk that the vulnerability poses, and 
judge the impact of the vulnerability in relation to other 

The CVSS and the National Vulnerability Database (NVD)

The NIST National Vulnerability Database (NVD) is a comprehensive cyber 
security vulnerability database that integrates all publicly available 
federal government vulnerability resources and provides references to 
industry resources. The NVD website is The NVD is 
based on and synchronized with the Common Vulnerabilities and Exposures 
(CVE) vulnerability dictionary of software flaws. NVD provides 
vulnerability summaries for all CVE vulnerabilities. The NVD includes a 
fine-grained search engine that allows users to search for 
vulnerabilities by various characteristics.

The NVD provides specific CVSS scores for publicly known 
vulnerabilities. With this link, the NVD provides valuable information 
to information system managers, users, system administrators, and other 
security professionals to help them learn about vulnerabilities and take 
steps to correct them.

For all of the vulnerabilities that are listed, NVD uses the scoring 
guidelines detailed in NISTIR 7435 to create CVSS base metric scores. A 
CVE identifier is assigned to each new vulnerability. NVD analysts 
review the new vulnerability, assign a CVSS base score, and add the 
information to the corresponding CVE entry within the database. The CVSS 
base scores in the NVD are available for use by federal agencies, so 
that they do not have to manually calculate their own base scores. These 
scores are also incorporated into many commercial security tools. 
Agencies may wish to ask their security tool vendors if they provide the 
NVD CVSS scores within their products. NVD is publicly available, so any 
organization or individual may freely use its CVSS base scores. The NVD 
CVSS web page is available at 

Having the base metric score listed for each CVE entry in NVD enables 
users to quickly determine the severity of each vulnerability. However, 
when the temporal and environment metrics are missing, an incomplete 
picture may result. To remedy this, NVD provides a web-based CVSS 
version 2.0 calculator at the web page listed above.

When users select a vulnerability from the NVD and click on the "Base 
score" attribute, they are directed to the calculator and the base 
metric scores will be filled in automatically, leaving the temporal and 
environmental metrics to be completed by the user. The Base metrics can 
be altered by users to suit their specific needs should they wish to do 
so. Once all the information has been submitted, users are presented 
with an adjusted score that more directly reflects the impact of the 
vulnerability on their environment. Commercial tools may also offer the 
ability to customize NVD CVSS base scores with environment-specific 

CVSS was designed to be used by any organization. This flexibility is a 
noteworthy strength of the system, but it does require that different 
sectors and organizations approach the use of CVSS with consideration of 
their specific requirements.

Modifying Scores with FIPS 199 Ratings

The Federal Information Security Management Act (FISMA) of 2002 requires 
all federal agencies to develop, document, and implement agency-wide 
information security programs and to provide information security for 
the information and information systems that support the operations and 
assets of the agency, including those systems provided or managed by 
another agency, contractor, or other source. To help agencies carry out 
these policies, FISMA called for NIST to develop federal standards for 
the security categorization of federal information and information 
systems according to risk levels and for minimum security requirements 
for information and information systems in each security category. 
Federal Information Processing Standard (FIPS) 199, Standards for the 
Security Categorization of Federal Information and Information Systems, 
issued in February 2004, was the first standard that was specified by 
FISMA. FIPS 199 requires agencies to categorize their information 
systems as low-impact, moderate-impact, or high-impact for the security 
objectives of confidentiality, integrity, and availability.

Federal agencies can use the following FIPS 199 security categories with 
the NVD CVSS scores to obtain impact scores that are tailored to each 
agency's environment.

The potential impact is low if the loss of confidentiality, integrity, 
or availability could be expected to have a limited adverse effect on 
organizational operations, organizational assets, or individuals.

The potential impact is moderate if the loss of confidentiality, 
integrity, or availability could be expected to have a serious adverse 
effect on organizational operations, organizational assets, or 

The potential impact is high if the loss of confidentiality, integrity, 
or availability could be expected to have a severe or catastrophic 
adverse effect on organizational operations, organizational assets, or 

The CVSS generally follows the FIPS 199 definitions for the impact 
subscore modifiers in the environmental metric, so federal agencies can 
customize CVSS scores to apply to specific government systems. However, 
CVSS does not require that these definitions be used by all and provides 
them merely as a default; other organizations using the CVSS may choose 
to define the impact subscore modifiers in ways that more closely suit 
their particular business goals.

For federal agencies, the FIPS 199 definitions can apply, and the 
potential impact levels for federal information systems can be 
considered when agencies are calculating environmental metric scores for 
vulnerabilities. For example, an information system may have potential 
impact levels of high for confidentiality and integrity, and moderate 
for availability according to the FIPS 199 definitions of potential 
impacts. These values can then be input into the CVSS calculator for the 
environmental metric impact subscore modifiers. Once these values have 
been entered, the final CVSS score will be adjusted appropriately, 
resulting in a CVSS score that is specifically tailored to the target 
environment. However, a CVSS score only assesses the relative severity 
of a vulnerability when compared to other vulnerabilities and does not 
take into account any security controls that might mitigate attempts to 
exploit the systems, such as firewalls, antivirus software, intrusion 
detection and prevention systems, and authentication mechanisms. CVSS 
scores are intended as an aid in making decisions about security 
controls and are only one element of many factors that should be 

Using CVSS with Security Content Automation Protocol

The Security Content Automation Protocol (SCAP) is a method for using 
specific standards to enable automated vulnerability management, 
measurement, and policy compliance evaluation, such as FISMA compliance. 
Specifically, SCAP is a suite of selected open standards that enumerate 
software flaws, security-related configuration issues, and product 
names; measure systems to determine the presence of vulnerabilities; and 
provide mechanisms to rank (score) the results of these measurements to 
evaluate the impact of discovered security issues. SCAP defines how 
these standards are combined.  CVSS is one of the six vulnerability 
management standards that compose SCAP. More information on SCAP and how 
it benefits federal agencies and other organizations is available at 

Recommendations for Using the CVSS

NIST recommends that federal agencies and other organizations adopt the 
Common Vulnerability Scoring System (CVSS), which provides a standard 
method to rate the severity of vulnerabilities within their systems. The 
National Vulnerability Database (NVD) provides a standard set of federal 
government-validated CVSS scores. Together, when incorporated into 
security products, the NVD and the CVSS enable organizations to 
understand the impact of the vulnerabilities on their systems. 
Furthermore, the impact ratings will be the same even when the 
vulnerabilities are discovered by multiple security tools used in 
different organizations. This allows for a dependable comparison of the 
severity of vulnerabilities between federal government systems and 
between the government and other organizations. By watching the CVSS 
scores of discovered vulnerabilities over time, organizations can more 
easily identify vulnerability trends.  Then with an effective security 
program implemented, organizations will see improvements in their 
vulnerability metrics over time.

More Information

NIST publications assist organizations in planning and implementing a 
comprehensive approach to information security. For information about 
NIST standards and guidelines that are referenced in the CVSS guide, as 
well as other security-related publications, see NIST's web page at 

Publications specifically related to the CVSS include:

NIST Special Publication (SP) 800-51, Use of the Common Vulnerability 
and Exposures (CVE) Vulnerability Naming Scheme, advises federal 
agencies to acquire and use security-related IT products that are 
compatible with the CVE vulnerability naming scheme, and to periodically 
monitor their systems for applicable vulnerabilities, using automated 
software tools.

NIST SP 800-40, version 2.0, Creating a Patch and Vulnerability 
Management Program, provides guidance on management practices that can 
prevent the exploitation of IT vulnerabilities.

Any mention of commercial products or reference to commercial 
organizations is for information only; it does not imply recommendation 
or endorsement by NIST nor does it imply that the products mentioned are 
necessarily the best available for the purpose.

Elizabeth B. Lennon
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 975-2378

CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques.  Register now for savings on conference fees   
and/or free exhibits admission. - 

Site design & layout copyright © 1986-2014 CodeGods