Abstract
Nowadays, the number of discovered vulnerabilities increases rapidly. In 2018, 17,308 vulnerabilities were discovered, and during 2019 even more, up to 20,362. The serious problem is that a substantial part of them is rated as critical or at least labeled as high according to the CVSS (Common Vulnerability Scoring System). This fact causes a problem: designers and/or developers do not know which vulnerability should be eliminated in the first place. The time needed to remove a vulnerability is crucial from the practical point of view of cyber security. The main contribution of the article is a proposal of a new method for prioritizing vulnerabilities. The aim of the proposed method is to eliminate the disadvantages of approaches commonly used today. Our method improves the prioritization of vulnerabilities utilizing three parameters: the possibility of exploitation, the availability of information about the vulnerabilities, and knowledge obtained by Threat Intelligence. These three parameters are highly important, especially for newly discovered vulnerabilities, whose priority can differ from day to day. We evaluate the functionality of the proposed method utilizing the production environment of a medium-sized company (30 servers, 200 end-stations) and compare the results with the CVSS method.
Research described in this paper was financed by the Technology Agency of the Czech Republic (TACR), project no. TJ04000456.
Notes
1. The currently used version of the CVSS is 3.1. This and older versions are described in detail in the methodology's documentation at https://www.first.org/cvss/v3-1/.
2. For example, an exploit is available in the Metasploit DB.
3. In total, 200 vulnerabilities were not selected for the comparison; they were recurrent or not relevant for comparison due to low severity, for which no prioritization is required.
© 2021 Springer Nature Switzerland AG
Pecl, D., Safonov, Y., Martinasek, Z., Kacic, M., Almer, L., Malina, L. (2021). Manager Asks: Which Vulnerability Must be Eliminated First? In: Maimut, D., Oprina, A.G., Sauveron, D. (eds) Innovative Security Solutions for Information Technology and Communications. SecITC 2020. Lecture Notes in Computer Science, vol 12596. Springer, Cham. https://doi.org/10.1007/978-3-030-69255-1_10
DOI: https://doi.org/10.1007/978-3-030-69255-1_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-69254-4
Online ISBN: 978-3-030-69255-1