Written by SOHEIL NAZEM Nov. 14, 2022
On 10 Nov 2022, CISA (Cybersecurity and Infrastructure Security Agency of US) published its methodology for vulnerability categorization.
As stated in Executive Assistant Director (EAD) Eric Goldstein's blog post Transforming the Vulnerability Management Landscape implementing a methodology, such as SSVC, is a critical step to advancing the vulnerability management ecosystem
The CISA Stakeholder-Specific Vulnerability Categorization (SSVC) is a customized decision tree model that assists in prioritizing vulnerability response for the United States government (USG), state, local, tribal, and territorial (SLTT) governments; and critical infrastructure (CI) entities. The goal of SSVC is to assist in prioritizing the remediation of a vulnerability based on the impact exploitation would have on the particular organization(s). The four SSVC scoring decisions, described in this post, outline how CISA messages out patching prioritization. Any individual or organization can use SSVC to enhance its own vulnerability management practices.
CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions:
The CISA SSVC tree determines the decisions of Track, Track*, Attend, and Act based on five values, which are briefly explained as follows:
Evidence of Active Exploitation of a Vulnerability.
This measure determines the present state of exploitation of the vulnerability. It does not predict future exploitation or measure feasibility or ease of adversary development of future exploit code; rather, it acknowledges available information at the time of analysis.
it has three values :
Technical Impact of Exploiting the Vulnerability
The technical impact is similar to the Common Vulnerability Scoring System (CVSS) base score’s concept of “severity.”
When evaluating technical impact, the definition of scope is particularly important.
It is to be noted that the blind usage of CVSS system in the risk analysis process does not work properly, and the CVSS score methodology should be applied in the context of each project and then consequently applying the patch management based on the criticality of the risk makes more sense. In this way categorization of the vulnerabilities can help organizations to prioritize their countermeasures against any analyzed vulnerability.
The values of technical impact in SSVC methodology are:
Automatable represents the ease and speed with which a cyber threat actor can cause exploitation events.
Automatable captures the answer to the question, “Can an attacker reliably automate, creating exploitation events for
this vulnerability?” Several factors influence whether an actor can rapidly cause many exploitation events. These
include attack complexity, the specific code an actor would need to write or configure themselves, and the usual
network deployment of the vulnerable system.
As it is guessed only two values could be accepted for this parameter:
Another way of thinking about automatable is determining what barriers are in place that prevents the vulnerability
from being wormable. One effective barrier is enough to get in a No answer. For example, if a user needs to be
authenticated and logged in. Another way could be not having a connection with the internet and so on.
Impact on Mission Essential Functions of Relevant Entities
A mission essential function (MEF) is a function directly related to accomplishing the organization’s mission as outlined in its statutory or executive charter.
Impacts of Affected System Compromise on Humans
Safety violations are those that negatively impact well-being. SSVC embraces the Centers for Disease Control (CDC)
expansive definition of well-being, one that comprises physical, social, emotional, and psychological health.
for more detailed information about SVCC go to : https://www.cisa.gov/sites/default/files/publications/cisa-ssvc-guide%20508c.pdf
71% of Fortune 500 companies can't be wrong – mentorship is crucial to career growth. Our free 'state of mentorship' shows you the facts, stats and studies on this career superpower.
Including 10% discount on your next session!