kenji, to random

Updated #warning: #BSI warns of attacks on #PaloAlto #firewalls: #CVSS 10.0

"Critical vulnerabilities in firewalls allow root access"

https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2024/2024-231856-1032.html

msw, to infosec

Hot take for anyone who characterizes the lack of NIST-produced CVSS scores in the NVD as “flying blind” in vulnerability risk management practice: those scores were never intended to be the sole indicator of “risk.” By definition they don’t represent “risk” in any practical way.

#InfoSec #CVE #CVSS #NVD #PSIRT

ejrowley, to random

@firstdotorg

I just want to say thank you and wow for offering FREE TRAINING & a CERTIFICATE for the new CVSS v4.0. You guys should promote this more. It really opened my eyes to the awesome potential in v4's base, threat, and environmental scoring (CVSS-BTE). Hope to see more tools supporting this.

Link: https://www.first.org/cvss/training

#FIRSTdotOrg #CVSS #BuildingTrust #PSIRT #CSIRT

0x58, to Cybersecurity

📨 Latest issue of my curated and list of resources for week /2023 is out! It includes the following and much more:

➝ 🔓 hit by another , this one stealing employee data from 3rd-party vendor
➝ 🔓 💸 breach linked to theft of $4.4 million in crypto
➝ 🇮🇳 's Biggest Data Leak So Far? Covid-19 Test Info of 81.5Cr Citizens With ICMR Up for Sale
➝ 🔓 ✈️ ransomware group claims to have hacked
➝ 🇳🇱 ⚖️ Dutch hacker jailed for extortion, selling stolen data on RaidForums
➝ 🇷🇺 🇺🇸 Russian Reshipping Service ‘SWAT USA Drop’ Exposed
➝ 🇮🇷 🦠 Iranian Cyber Spies Use ‘’ Malware in Latest Attacks
➝ 📉 Security researchers observed ‘deliberate’ takedown of notorious
➝ 🇮🇳 📱 Apple warns Indian opposition leaders of state-sponsored attacks
➝ 🌍 Four dozen countries declare they won’t pay ransoms
➝ 🇷🇺 How , an Automated Social Media Accounts Creation Service, Can Facilitate
➝ 🇪🇺 EU digital ID reforms should be ‘actively resisted’, say experts
➝ 🇷🇺 🇺🇦 arrests Russian hackers working for Ukrainian cyber forces
➝ 🇺🇸 FTC orders non-bank financial firms to report breaches in 30 days
➝ 🇨🇦 📱 Bans and Apps On Government Devices
➝ 🇺🇸 Charges and Its With Fraud and Cybersecurity Failures
➝ 🇺🇸 🤖 Wants to Move Fast on AI Safeguards and Will Sign an Executive Order to Address His Concerns
➝ 🦠 📱 confirms it tagged Google app as on Android phones
➝ 🦠 🇰🇵 North Korean Hackers Targeting Crypto Experts with Malware
➝ 👥 💸 EleKtra-Leak Attacks Exploit IAM Credentials Exposed on
➝ 🦠 🐍 Trojanized Software Version Delivered via Search Ads
➝ ✅ 🤖 adds security audit badges for Android apps
➝ 🔐 Microsoft pledges to bolster security as part of ‘Secure Future’ initiative
➝ 🆕 FIRST Releases 4.0 Vuln Scoring Standard
➝ 🆕 Releases ATT&CK v14 With Improvements to Detections, ICS, Mobile
➝ ⛔️ 🦠 Galaxy gets new Auto Blocker anti-malware feature
➝ 🍏 🔐 Improves Security With Contact Key Verification
➝ 🔓 Researchers Find 34 Drivers Vulnerable to Full Device Takeover
➝ 🔓 🪶 3,000 servers vulnerable to RCE attacks exposed online
➝ 🗣️ CISO Urges Quick Action to Protect Instances From Critical
➝ 🔓 🩸 “This vulnerability is now under mass exploitation.” bug bites hard
➝ 🐛 💰 HackerOne paid ethical hackers over $300 million in

📚 This week's recommended reading is: "Permanent Record" by Edward Snowden

Subscribe to the newsletter to have it piping hot in your inbox every week-end ⬇️

https://infosec-mashup.santolaria.net/p/infosec-mashup-week-442023

itnewsbot, to news

This Week in Security: CVSS 4, OAuth, and ActiveMQ - We’ve talked a few times here about the issues with the CVSS system. We’ve seen CV... - https://hackaday.com/2023/11/03/this-week-in-security-cvss-4-oauth-and-activemq/ #hackadaycolumns #securityhacks #activemq #oauth #news #cvss

kurtseifried, to random

Also regarding #CVSS v4.0:

ChatGPT largely gets it right:

I have retrieved the specification documents for both CVSS v3.1 and CVSS v4.0. Here are the key differences and important changes made in CVSS v4.0 compared to CVSS v3.1:

Metric Groups: Both versions consist of four metric groups: Base, Threat, Environmental, and Supplemental. However, CVSS v4.0 introduces changes in the definitions and applications of these metrics.

Base Group: In CVSS v4.0, the Base group still represents the intrinsic qualities of a vulnerability that are constant over time and across user environments. However, there are refinements in the scoring rubrics for the Base Metrics to provide more accurate scoring.

Threat Group: The Threat group in CVSS v4.0 reflects the characteristics of a vulnerability that change over time. This is a new addition in v4.0, aiming to adjust the severity of a vulnerability based on factors such as the availability of proof-of-concept code or active exploitation.

Environmental Group: The Environmental group in CVSS v4.0 represents the characteristics of a vulnerability that are unique to a user's environment. This includes the presence of mitigations in that environment and the criticality attributes of the vulnerable system.

Supplemental Group: The Supplemental group in CVSS v4.0 includes metrics that provide context as well as describe and measure additional extrinsic attributes of a vulnerability. These metrics do not modify the final score but are used for additional insight.

Scoring and Vector String: CVSS v4.0 introduces a new nomenclature for numerical CVSS scores to communicate the metrics used in its generation. This includes CVSS-B (Base metrics), CVSS-BE (Base and Environmental metrics), CVSS-BT (Base and Threat metrics), and CVSS-BTE (Base, Threat, Environmental metrics).

Exploitability Metrics: CVSS v4.0 refines the Exploitability metrics to reflect the ease and technical means by which the vulnerability can be exploited. This includes metrics such as Attack Vector, Attack Complexity, Attack Requirements, Privileges Required, and User Interaction.

Impact Metrics: The Impact metrics in CVSS v4.0 capture the effects of a successfully exploited vulnerability. This includes the direct consequence of a successful exploit and represents the consequence to the vulnerable system and/or the downstream impact on subsequent systems.

Assessment and Nomenclature: CVSS v4.0 emphasizes the importance of using the correct nomenclature when displaying or communicating numerical CVSS scores. This is to ensure clarity on which metric groups were considered in the numerical CVSS score provided.

These changes aim to provide a more comprehensive and accurate framework for communicating the characteristics and severity of software vulnerabilities. CVSS v4.0's enhancements in metric definitions, scoring rubrics, and nomenclature reflect an evolution in the understanding of vulnerabilities and their impacts in different environments.
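
The nomenclature rule from the summary above (CVSS-B, CVSS-BT, CVSS-BE, CVSS-BTE), as an added example that is not part of the post and not reference code from FIRST or the CVSS SIG. The metric names and allowed values follow the CVSS v4.0 specification; the assumption made here is that a metric group counts as "present" when at least one of its metrics appears with a value other than X (Not Defined). The parser accepts metrics in any order and does not enforce the ordering the spec prescribes.

```python
"""Parse a CVSS v4.0 vector string and report which nomenclature a score
derived from it should carry (CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE).

Added example, not code from FIRST or the CVSS SIG. Assumption: a metric
group is "present" when any of its metrics has a value other than X.
"""
from dataclasses import dataclass

# Mandatory base metrics (exploitability + vulnerable/subsequent system impact).
BASE = {
    "AV": tuple("NALP"), "AC": tuple("LH"), "AT": tuple("NP"),
    "PR": tuple("NLH"), "UI": tuple("NPA"),
    "VC": tuple("HLN"), "VI": tuple("HLN"), "VA": tuple("HLN"),
    "SC": tuple("HLN"), "SI": tuple("HLN"), "SA": tuple("HLN"),
}
# Threat metric group: Exploit Maturity only.
THREAT = {"E": tuple("XAPU")}
# Environmental: security requirements plus modified base metrics.
ENVIRONMENTAL = {
    "CR": tuple("XHML"), "IR": tuple("XHML"), "AR": tuple("XHML"),
    "MAV": tuple("XNALP"), "MAC": tuple("XLH"), "MAT": tuple("XNP"),
    "MPR": tuple("XNLH"), "MUI": tuple("XNPA"),
    "MVC": tuple("XHLN"), "MVI": tuple("XHLN"), "MVA": tuple("XHLN"),
    "MSC": tuple("XHLN"), "MSI": tuple("XSHLN"), "MSA": tuple("XSHLN"),
}
# Supplemental metrics never change the score; they only add context.
SUPPLEMENTAL = {
    "S": tuple("XNP"), "AU": tuple("XNY"), "R": tuple("XAUI"),
    "V": tuple("XDC"), "RE": tuple("XLMH"),
    "U": ("X", "Clear", "Green", "Amber", "Red"),
}
ALL_METRICS = {**BASE, **THREAT, **ENVIRONMENTAL, **SUPPLEMENTAL}


@dataclass(frozen=True)
class Vector:
    metrics: dict

    def group_present(self, group: dict) -> bool:
        """True when any metric of the group is set to something other than X."""
        return any(self.metrics.get(m, "X") != "X" for m in group)

    def nomenclature(self) -> str:
        """Label the score by the metric groups that feed it (CVSS-B/BT/BE/BTE)."""
        label = "CVSS-B"
        if self.group_present(THREAT):
            label += "T"
        if self.group_present(ENVIRONMENTAL):
            label += "E"
        return label

    def effective_exploit_maturity(self) -> str:
        """E:X (not defined) is scored as if Attacked, which is why a vector
        carrying no threat data lands at the worst-case end of the scale."""
        e = self.metrics.get("E", "X")
        return "A" if e == "X" else e


def parse_vector(vector: str) -> Vector:
    """Validate and parse a v4.0 vector; raise ValueError on any defect."""
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector (expected 'CVSS:4.0' prefix)")
    metrics = {}
    for part in parts[1:]:
        name, sep, value = part.partition(":")
        if not sep or name not in ALL_METRICS:
            raise ValueError(f"unknown metric {part!r}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name!r}")
        if value not in ALL_METRICS[name]:
            raise ValueError(f"invalid value {value!r} for metric {name!r}")
        metrics[name] = value
    missing = [m for m in BASE if m not in metrics]
    if missing:
        raise ValueError(f"missing mandatory base metrics: {', '.join(missing)}")
    return Vector(metrics)


def describe(vector: str) -> dict:
    """What a report or ticket should display next to the numeric score."""
    v = parse_vector(vector)
    return {
        "nomenclature": v.nomenclature(),
        "exploit_maturity_scored_as": v.effective_exploit_maturity(),
        "supplemental": {m: v.metrics[m] for m in SUPPLEMENTAL if m in v.metrics},
    }


if __name__ == "__main__":
    base_only = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
    print(describe(base_only))
    print(describe(base_only + "/E:U/CR:L/MAV:L/AU:N"))
```

The practical point is the last field of `describe`: a vector with no Exploit Maturity at all is still a CVSS-B score, but it is computed as though the vulnerability were under attack, so a consumer who never adds threat data is by construction scoring the worst case.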

firstdotorg, to random

The CVSS Special Interest Group is proud to announce the official release of CVSS v4.0. This latest release marks a significant step forward, with added capabilities crucial for teams and the importance of using threat intelligence and environmental metrics for accurate scoring at its core.

Critical in the interface between supplier and consumer, CVSS provides a way to capture the principal characteristics of a security vulnerability and produces a numerical score reflecting its technical severity to inform and provide guidance to businesses, service providers, government, and the public.

The numerical score can be represented as a qualitative severity rating (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes and prepare defenses against cyber-attacks.

Furthermore, this system allows the consumer to also assess real-time threat and impact, arming them with vital information to help to defend themselves against an attack.

The Common Vulnerability Scoring System is a published standard used by organizations worldwide, and this latest version of CVSS 4.0 seeks to provide the highest fidelity of vulnerability assessment for both industry and the public.

More can be found here: https://first.org/cvss

#FIRSTdotOrg #CVSS #BuildingTrust #PSIRT #CSIRT

msw, to infosec

This is your regular reminder that CVSSv3 base scores are information-poor, and taken alone are not fit for the purpose of evaluating appropriate actions to take for a given security vulnerability.

I am hoping that CVSSv4 helps improve industry practices. It's badly needed.

https://csrc.nist.gov/csrc/media/Presentations/2023/update-on-cvss-4-0/jan-25-2023-ssca-dugal-rich.pdf

heiglandreas, to random

"Security Researchers" that "find" a problem and instead of contacting the developers publish the problem on CVE sites, reserve a CVE but don't update it and generally cause havoc....

I got to know about it because a user asked when an updated version will be available that fixes the CVE...

Checking that I didn't find any info on what the actual problem should be.

In the end it seems to be something that can be exploited when one can trick an admin into sharing their session-id....

timwolla,

@heiglandreas #CVSS would've fit as well, because that's the dumb scoring system that results in the 10s for trivial issues.

ref: https://phpc.social/@timwolla/110668155354820955 and https://phpc.social/@timwolla/110668181456089094

deltatux, to Citrix

Threat intelligence company, is warning that malicious actors are starting to exploit the recent vulnerability.

Tracked as CVE-2023-24489, the vulnerability has a score of 9.1/10. If successfully exploited, it would allow attackers to perform remote code execution.

https://www.securityweek.com/exploitation-of-recent-citrix-sharefile-rce-vulnerability-begins/

shibashecurity, to progress

Right, what's this, and why isn't it anywhere at all on any of our asset tracking?

Given the whole MoveIT schermoggle, this is rather frustrating.

That's my next half an hour sorted.

harrysintonen, to random

Yet another overzealous #CVSS assignment causing undue alarm: https://www.openwall.com/lists/oss-security/2023/06/20/6 - Apparently this #memory #leak is CVSS 9.8

vipergeek, to random

The Forum of Incident Response and Security Teams (#FIRST) is proud to announce the official release of #CVSS v4.0 #ThePublicPreview. The latest information on CVSS v4.0 can be found at https://first.org/cvss/v4-0/ #FIRSTCON23

forgetful, to random

The Common Vulnerability Scoring System #CVSS new version 4.0 has become available for public preview at:
https://www.first.org/cvss/v4-0/

It's your time to have a say about this new version of the metric before it becomes official, so please have a look at the presentation and all the resources on the left menu, notably the Specification, User Guide and the Calculator, and share with us your thoughts and impressions!

You can send comments at cvss@first.org until July 31st.
Thanks!

bagder, to random

CVE-2023-27536

Announced by the #curl project back in March 2023. We deem it severity Low. https://curl.se/docs/CVE-2023-27536.html

NVD, in their infinite wisdom, thinks this is a CRITICAL 9.8 flaw: https://nvd.nist.gov/vuln/detail/CVE-2023-27536

I wish I knew how to fix this annoying problem but talking or whining to NVD certainly does not seem to help.

gpshead,

@bagder 100% agreed that the CVSS scoring system and "assume the worst" guidance makes for scores that do not accurately reflect importance. Especially for very broad-use things.

My take on this is that, like it or not, more open source projects of note need to become "CNA" (certificate numbering authorities) of their own, which I understand can give them some control over the content of CVEs filed against their project. https://www.cve.org/ProgramOrganization/CNAs

#cve #cvss #cna #oss

wade, to random

Did you know that following the advice of several security standards to remediate all vulnerabilities with a CVSS score of 7 or above would barely address half of those known to be exploited and almost 70% of that effort would be wasted on things that don't represent real risk right now?

Seem impossible to believe? Check our math in Prioritization to Prediction, Volume 1: https://lnkd.in/eyKzzX25

Coverage measures the completeness of remediation. Of all vulnerabilities that should be remediated, what percentage was correctly identified for remediation?

Efficiency measures the precision of remediation. Of all vulnerabilities identified for remediation, what percentage should have been remediated?
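
The coverage and efficiency definitions above, computed for a "fix everything at CVSS 7.0 or above" policy against a policy driven by exploitation evidence, as an added example that is not part of the post and not the report's own code. The vulnerability list is constructed for illustration and its numbers say nothing about the report's real-world data; treating "known exploited" as the ground truth for "should be remediated" is an assumption of this example, and the identifiers are placeholders, not real CVEs.

```python
"""Coverage (recall) and efficiency (precision) of a remediation policy.

Added example, not the report's code. The sample list is constructed;
"exploited" stands in for "should be remediated" (an assumption).
"""
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Vuln:
    vuln_id: str        # placeholder identifier, not a real CVE
    cvss_base: float    # base score as a scanner or NVD feed would report it
    exploited: bool     # known to be exploited in the wild (ground truth here)


def evaluate(vulns: Iterable[Vuln], policy: Callable[[Vuln], bool]) -> dict:
    """Return coverage and efficiency of `policy` over `vulns`.

    coverage   = remediated-and-needed / all-that-needed-remediation
    efficiency = remediated-and-needed / all-that-were-remediated
    """
    vulns = list(vulns)
    selected = [v for v in vulns if policy(v)]
    needed = [v for v in vulns if v.exploited]
    hits = [v for v in selected if v.exploited]
    return {
        "selected": len(selected),
        "needed": len(needed),
        "coverage": len(hits) / len(needed) if needed else 0.0,
        "efficiency": len(hits) / len(selected) if selected else 0.0,
    }


def cvss_at_least(threshold: float) -> Callable[[Vuln], bool]:
    """The 'fix everything scored at or above the threshold' rule."""
    return lambda v: v.cvss_base >= threshold


def known_exploited(v: Vuln) -> bool:
    """A policy driven by exploitation evidence rather than base score."""
    return v.exploited


# Constructed sample: the high-base-score set and the exploited set overlap
# only partly, which is exactly the situation the post describes.
SAMPLE = [
    Vuln("VULN-01", 9.8, False),
    Vuln("VULN-02", 9.1, True),
    Vuln("VULN-03", 7.5, False),
    Vuln("VULN-04", 7.2, False),
    Vuln("VULN-05", 6.5, True),
    Vuln("VULN-06", 5.3, False),
    Vuln("VULN-07", 8.8, True),
    Vuln("VULN-08", 4.3, True),
    Vuln("VULN-09", 7.8, False),
    Vuln("VULN-10", 3.1, False),
]


if __name__ == "__main__":
    for name, policy in [("CVSS >= 7.0", cvss_at_least(7.0)),
                         ("known exploited", known_exploited)]:
        r = evaluate(SAMPLE, policy)
        print(f"{name:16s} selected={r['selected']:2d} "
              f"coverage={r['coverage']:.2f} efficiency={r['efficiency']:.2f}")
```

On the constructed sample the threshold policy selects six items, catches two of the four that are exploited (coverage 0.50) and spends four of six remediations on items with no exploitation evidence (efficiency 0.33); swap in your own scanner export and exploited-flag source to get the figures for your estate.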
