Experts behind IBM’s security intelligence service have called on the industry to rethink how it assesses and ranks computer vulnerabilities.

In open-access blog posts and in the widely read annual X-Force risk report published this week, they question whether the security sector is approaching vulnerability prioritisation from the right angle.

“The security industry has countless ways to score and prioritise vulnerabilities to plan appropriate responses to them. But, are we doing enough?” one IBM security staffer has blogged. “With the sheer volume of disclosures and with more and more organised crime rings taking advantage of some of them, how can we better assess when we should sound the alarm?”

Data collated for the X-Force report shows that many vulnerabilities disclosed as critical never saw widespread exploitation.

Currently, vulnerabilities are prioritised using the industry-standard Common Vulnerability Scoring System (CVSS). It attempts to measure how much concern a given vulnerability warrants relative to others, so that software vendors and security managers can order their work.

CVSS combines several metrics in a formula: how the vulnerability is reached and how hard it is to exploit, its impact on data confidentiality and integrity and on system availability, and, in its optional environmental metrics, the potential for collateral damage and the share of an organisation's systems that are affected.

One criticism levelled against this sort of scoring is that the urgency it assigns is fixed almost regardless of the vulnerability's effect on any specific organisation. CVSS's environmental metrics are meant to allow that adjustment, but the score that vendors and vulnerability databases publish, and that most organisations act on, is the context-free base score.

“CVSS provides an essential base that the security industry desperately needs to measure security threats,” said Kris Lamb of X-Force Research and Development for IBM Internet Security Systems, one of the people behind the new report.

But in X-Force's view, CVSS is too focused on the technical aspects of a vulnerability, such as severity and ease of exploitation. “While these factors are extremely important, they do not fully capture the primary motivator of computer crime: the economic opportunity.”

ISS believes the industry could better prioritise its response to vulnerability disclosures by better understanding the motivations of cyber criminals.

“We can do a better job of determining when emergency patching is most needed in the face of immediate threats. We can also be more precise about determining when widespread exploitation of a vulnerability will take a long time to emerge, and when it is unlikely to ever emerge. This analysis could result in more efficient use of time and resources

Most enterprise security chiefs are reluctant to push changes to their infrastructure for a vulnerability whose severity score falls below a set threshold.

Some of them argue that no process exists to help them make informed, repeatable decisions, and that industry assessments which fail to account for the cost, risk and business exposure a new threat poses to their own organisation simply leave them exposed.