linking INTEGRITY
Integrity - use of values or principles to guide action in the situation at hand.
Below are links and discussion related to the values of freedom, hope, trust, privacy, responsibility, safety, and well-being, within business and government situations arising in the areas of security, privacy, technology, corporate governance, sustainability, and CSR.

Security vendors ready CVSS vulnerability scoring system, 3.10.05
Computer Business Review
The proposed new scoring system for IT security vulnerabilities known as CVSS has reached a stage where several vendors are planning ways of promoting enterprise adoption of the Common Vulnerability Scoring System. [Guide (ppt pdf)]
CVSS is said to have been tested by about 30 companies since February, and now Assuria, CERT/CC, Cisco Systems, IBM, Internet Security Systems, JPCERT/CC, netForensics, Pentest, Qualys, Sintelli, Skybox Security and Unisys have all agreed to test the system and look into applicable usage.
The CVSS system promises to transform the way in which network threats are evaluated and dealt with, in that the common rating system it provides should make for a framework against which enterprises can start to prioritize their patch routines and better manage risk, Ed Cooper, VP of marketing for Skybox, the vendor of security risk management software, said.
He explained that the system uses a scale of 1 to 10 to rate the severity of vulnerabilities. It also lets organizations input site-specific information that will provide them with a risk score which is customized to their operating environment.
Different systems for scoring vulnerabilities are in use today, and these systems use different metrics. CVSS weighs various criteria in a formula that includes measures of the impact of a vulnerability on system availability, data confidentiality and integrity, as well as the potential for collateral damage.
[T]he group is working together to build on the first-generation framework that has already been developed, in order to come up with a system that is usable and accepted across the industry.
CVSS has three components and includes a baseline vulnerability severity, which is then adjusted with temporal and environmental modifiers, so that any given bug has a different score depending on the time and the enterprise's own network. As such, it provides a scoring mechanism that rates how secure a network is and stands as a basis for comparison against comparable peer networks.
The new rating system is being backed by the Forum of Incident Response and Security Teams, and the body will encourage IT executives to start testing the index as one way to address the issues caused by the numerous incompatible scoring systems currently in place.