Study on the distribution of CVSS environmental score

Han, Li; Xi, Rongrong; Li, Zhao

doi:10.1109/iceiec.2015.7284502

Cited by 5 publications

(4 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Using the work hour ranges mentioned above, the vulnerability repair time (T FIX ) was divided into three subcategories in consideration of the number of hours required for repair: T FIX MAX represents the maximum number of work hours required to fix one vulnerability and was assumed to be equal to 9 h; T FIX AVERAGE is the average number of work hours required to fix one vulnerability and was assumed equal to 4.5 h; T FIX MI N is the minimum number of work hours and is assumed equal to 1 h. Then, the equations that were used to estimate the number of work hours required to improve the security of ICT infrastructure were derived by implementing the models discussed in the Related Work section. Assuming that all vulnerabilities of a critical (X C ), high (X H ), and medium (X M ) severity must be fixed by administrators, the number of work hours required to improve security with the suggested models can be expressed as the sum of the constituent time spans required to fix each type of vulnerability complemented by the time needed for information processing and other operations, e.g., scan duration (T S ) [43,47]. Therefore, the equation used for the calculation of the time needed to eliminate all vulnerabilities with high and medium criticality with the first model (Figure 1) is expressed as follows:…”

Section: Methodsmentioning

confidence: 99%

Vulnerability Management Models Using a Common Vulnerability Scoring System

2021

View full text Add to dashboard Cite

Vulnerability prioritization is an essential element of the vulnerability management process in data communication networks. Accurate prioritization allows the attention to be focused on the most critical vulnerabilities and their timely elimination; otherwise, organizations may face severe financial consequences or damage to their reputations. In addition, the large amounts of data generated by various components of security systems further impede the process of prioritizing the detected vulnerabilities. Therefore, the detection and elimination of critical vulnerabilities are challenging tasks. The solutions proposed for this problem in the scientific literature so far—e.g., PatchRank, SecureRank, Vulcon, CMS, VDNF, or VEST—are not sufficient because they do not consider the context of the organization. On the other hand, commercial solutions, such as Nessus, F-Secure, or Qualys, do not provide detailed information regarding the prioritization procedure, except for the scale. Therefore, in this paper, the authors present an open-source solution called the Vulnerability Management Center (VMC) in order to assist organizations with the vulnerability prioritization process. The VMC presents all calculated results in a standardized way by using a Common Vulnerability Scoring System (CVSS), which allows security analysts to fully understand environmental components’ influences on the criticality of detected vulnerabilities. In order to demonstrate the benefits of using the the open-source VMC software developed here, selected models of a vulnerability management process using CVSS are studied and compared by using three different, real testing environments. The open-source VMC suite developed here, which integrates information collected from an asset database, is shown to accelerate the process of removal for the critical vulnerabilities that are detected. The results show the practicability and efficacy of the selected models and the open-source VMC software, which can thus reduce organizations’ exposure to potential threats.

show abstract

Section: Methodsmentioning

confidence: 99%

Vulnerability Management Models Using a Common Vulnerability Scoring System

2021

View full text Add to dashboard Cite

show abstract

“…OWASP publishes the Top 10 Web Application Security Risks report guiding mitigating vulnerabilities [21]. NIST's National Vulnerability Database (NVD) maintains a comprehensive repository of vulnerabilities, including the Common Vulnerabilities and Exposures (CVE) catalog and the associated Common Weakness Enumeration (CWE) [22,23].…”

Section: Introductionmentioning

confidence: 99%

Security vulnerabilities in healthcare: an analysis of medical devices and software

Mejía-Granda,

Fernández-Alemán,

Carrillo-de-Gea

et al. 2023

Med Biol Eng Comput

View full text Add to dashboard Cite

The integration of IoT in healthcare has introduced vulnerabilities in medical devices and software, posing risks to patient safety and system integrity. This study aims to bridge the research gap and provide valuable insights for addressing healthcare vulnerabilities and their mitigation mechanisms. Software vulnerabilities related to health systems from 2001 to 2022 were collected from the National Vulnerability Database (NVD) systematized by software developed by the researchers and assessed by a medical specialist for their impact on patient well-being. The analysis revealed electronic health records, wireless infusion pumps, endoscope cameras, and radiology information systems as the most vulnerable. In addition, critical vulnerabilities were identified, including poor credential management and hard-coded credentials. The investigation provides some insights into the consequences of vulnerabilities in health software products, projecting future security issues by 2025, offers mitigation suggestions, and highlights trends in attacks on life support and health systems are also provided. The healthcare industry needs significant improvements in protecting medical devices from cyberattacks. Securing communication channels and network schema and adopting secure software practices is necessary. In addition, collaboration, regulatory adherence, and continuous security monitoring are crucial. Industries, researchers, and stakeholders can utilize these findings to enhance security and safeguard patient safety. Graphical abstract

show abstract

“…However, since the introduction of CVSS there have been numerous complaints and suggestions for improvement of its calculation [3], [4], [10]- [13]. The CVSS v.2 was recently updated, and several changes were introduced, however, several researchers have shown that this scoring system does not represent the real level of associated risks as well.…”

Section: Introductionmentioning

confidence: 99%

“…Common Vulnerability Scoring System (CVSS) is used to calculate the severity of vulnerabilities [3] and risks related to IT assets [4]. Industries rely on CVSS as a standard way to capture the principal characteristics of vulnerabilities and produce a numerical score reflecting their severity.…”

Section: Introductionmentioning

confidence: 99%

A Model for Android and iOS Applications Risk Calculation: CVSS Analysis and Enhancement Using Case-Control Studies

Petraityte

Dehghantanha

Epiphaniou

2018

Advances in Information Security

View full text Add to dashboard Cite

Various researchers have shown that the Common Vulnerability Scoring System (CVSS) has many drawbacks and may not provide a precise view of the risks related to software vulnerabilities. However, many threat intelligence platforms and industry-wide standards are relying on CVSS score to evaluate cyber security compliance. This paper suggests several improvements to the calculation of Impact and Exploitability sub-scores within the CVSS, improve its accuracy and help threat intelligence analysts to focus on the key risks associated with their assets. We will apply our suggested improvements against risks associated with several Android and iOS applications and discuss achieved improvements and advantages of our modelling, such as the importance and the impact of time on the overall CVSS score calculation.

show abstract

Study on the distribution of CVSS environmental score

Cited by 5 publications

References 4 publications

Vulnerability Management Models Using a Common Vulnerability Scoring System

Vulnerability Management Models Using a Common Vulnerability Scoring System

Security vulnerabilities in healthcare: an analysis of medical devices and software

A Model for Android and iOS Applications Risk Calculation: CVSS Analysis and Enhancement Using Case-Control Studies

Contact Info

Product

Resources

About