Distribution Rules Everything Around Me. A thread on vulnerability scoring...
I sometimes find myself in discussions with people on why they think a vulnerability is scored too low or too high. But the problem is you can’t look at a score in a vacuum.
One of the primary purposes of scoring a security vulnerability is to determine the order in which remediation should occur. Every org will have different cutoffs based on its risk tolerance and resources.
But what you are really asking is: how many of my vulnerabilities are scored higher or lower than this particular one? That, not the raw number, is what determines where it falls in a ranked remediation order.
Take for example the recent sudo vuln. This one happens to score 51/100 at the moment. We’ll put aside discussions on elevation of privilege vs. RCE, etc. Instead let's look at the distribution. It’s fat-tailed, which will make a lot of sense if you’ve read any of the P2P (Prioritization to Prediction) reports.
Very few vulns actually have associated exploits or exploitation events. As a blue teamer, what I really want to know is, how many vulnerabilities actually score higher than this & where does this fall when prioritizing my work.
In this case, less than 5% of vulnerabilities are scored higher.
Now let’s compare that to a CVSS distribution. This same CVE scores a 7.2 out of 10 in CVSSv2. Looking at that in a vacuum, you’d naturally think CVSS scores this higher and thus considers it more important. But as we often say, “if everything is important, then nothing is”.
Looking at where this falls in the CVSS distribution, which is skewed to the right, we see almost 30% of vulns are scored higher.
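The comparison above is just a percentile question: of all the scores in my environment, what fraction outrank this one? The following is an added example (not code from the thread, and not Kenna Security's own scoring code) that computes that fraction and the resulting position in a remediation queue. The two score populations are constructed with a seeded RNG to mimic the shapes the thread describes (a fat-tailed 0-100 risk score and a 0-10 CVSSv2 score with most mass in the upper middle); they are not real Kenna or NVD data. Only the two scores for the sudo CVE (51/100 and 7.2 CVSSv2) come from the thread, and the 5% capacity figure is an assumed org cutoff.

```python
"""Where does one vulnerability sit in the distribution of all my scores?

Added example, not from the original thread or from Kenna Security.
The score populations are constructed (seeded RNG), not real data.
"""
import random


def fraction_scored_higher(scores, score):
    """Fraction of the population scored strictly higher than `score`.

    This is the number the thread asks for: 0.05 means only 5% of your
    vulnerabilities outrank this one, whatever the raw scale is.
    """
    if not scores:
        raise ValueError("empty score population")
    return sum(1 for s in scores if s > score) / len(scores)


def remediation_rank(scores, score):
    """1-based position in a descending work queue (ties rank above it)."""
    return sum(1 for s in scores if s > score) + 1


def within_capacity(scores, score, capacity_fraction):
    """True if this vuln lands inside the top `capacity_fraction` of the queue,
    i.e. the slice an org with that much remediation capacity will actually fix.
    The capacity fraction is an assumed, org-specific cutoff."""
    budget = max(1, int(len(scores) * capacity_fraction))
    return remediation_rank(scores, score) <= budget


def constructed_fat_tailed_scores(n=20000, seed=7):
    """Constructed 0-100 risk scores: most vulns score low, a thin tail is high
    (exponential with mean 15, clipped to the scale)."""
    rng = random.Random(seed)
    return [min(100.0, rng.expovariate(1 / 15)) for _ in range(n)]


def constructed_cvss_scores(n=20000, seed=7):
    """Constructed 0-10 CVSSv2 scores bunched in the upper middle
    (normal, mean 6.0, sd 2.3, clipped to the scale)."""
    rng = random.Random(seed)
    return [max(0.0, min(10.0, rng.gauss(6.0, 2.3))) for _ in range(n)]


def compare_sudo_cve(capacity_fraction=0.05):
    """Same CVE, two scales: how much of each population outranks it, and
    whether it makes the cut for an org that can fix the top 5% this cycle."""
    risk_pop = constructed_fat_tailed_scores()
    cvss_pop = constructed_cvss_scores()
    return {
        "risk_score_51_frac_higher": fraction_scored_higher(risk_pop, 51),
        "cvss_7_2_frac_higher": fraction_scored_higher(cvss_pop, 7.2),
        "risk_in_top_5pct": within_capacity(risk_pop, 51, capacity_fraction),
        "cvss_in_top_5pct": within_capacity(cvss_pop, 7.2, capacity_fraction),
    }


if __name__ == "__main__":
    for key, value in compare_sudo_cve().items():
        print(f"{key}: {value}")
```

Run against the constructed populations, the 51/100 score sits in the top few percent of the fat-tailed distribution and makes a 5% capacity cut, while the 7.2 CVSSv2 score has roughly 30% of the population above it and does not. The raw numbers (51 vs. 7.2) tell you nothing about that on their own; the distribution does.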
Just like most things in security, context matters. Understanding where a vulnerability sits in your remediation priorities is what matters here. And frankly, a vulnerability score & its distribution are just one piece of the puzzle.
Blue teams also need to consider the asset(s) affected, the controls that are in place, & their own threat models. But I’ll save all that for a different thread. h/t @mroytman @jayjacobs for data wrangling.
You can follow @ebellis.