Abstract

The Common Vulnerabilities and Exposures (CVE) list is a dictionary of publicly known vulnerabilities. The Common Vulnerability Scoring System (CVSS) is a standard vulnerability severity scoring system used to assign scores to the vulnerabilities identified in CVE. A CVSS score is calculated from three metric groups: the Base metric, the Temporal metric, and the Environmental metric. The base metrics define the fundamental characteristics of the vulnerability. The temporal metrics define the characteristics of the vulnerability that change over time, and the environmental metrics define the characteristics of the vulnerability that are specific to a particular user's or organization's environment. The CVSS base score is available in the CVE dictionary, and it can be refined by calculating and adding the temporal and environmental metric scores. In this paper, our objective is to compare and analyze the CVSS base score with an adjusted base score generated after adding the user's context requirements for confidentiality, integrity and availability (CIA). To achieve this objective we selected Google Android as the platform and applied the CIA requirements in the user context in various combinations of the levels High, Medium and Low. The generated adjusted base scores were analyzed and compared with the existing base scores to understand the impact of the CIA requirements on the vulnerability severity score.

Highlights

  • A vulnerability is a weakness, bug, flaw or loophole in a system which can be exploited by a threat actor to compromise the system.

  • There are various specifications supported by the Security Content Automation Protocol (SCAP) for this purpose, e.g. Common Platform Enumeration (CPE) for asset management; Common Vulnerabilities and Exposures (CVE), Common Vulnerability Scoring System (CVSS), Open Vulnerability Assessment Language (OVAL) and Common Configuration Scoring System (CCSS) for vulnerability management; and Extensible Configuration Checklist Description Format (XCCDF) and Common Configuration Enumeration (CCE) for compliance management [3].

  • As per the CVE list, the number of distinct vulnerabilities found in Android for the year 2017 is the highest among the top 50 products, which makes it a clear choice as the case for demonstrating the effect of adding an individual user's confidentiality, integrity and availability requirement information to the CVSS calculation.

Summary

Introduction

A vulnerability is a weakness, bug, flaw or loophole in a system which can be exploited by a threat actor to compromise the system. It is essential to have common standards for measuring vulnerability severity. SCAP is useful for automated vulnerability management, measurement, patch checking, configuration and policy compliance evaluation, etc. [2]. CVE is a list of publicly known security vulnerabilities found in information systems; it is the standard for naming information security vulnerabilities [4]. The aim of the CVSS is to provide a common standard that captures the principal characteristics of a vulnerability and generates a numeric score measuring its severity across various information systems. The numeric severity score is translated into a qualitative rating such as low, medium or high to help organizations prioritize the vulnerabilities in their information systems. We have utilized CVSS version 2 for the score calculation.
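The adjustment the abstract describes is the CVSS v2 AdjustedImpact equation: each base impact weight is multiplied by the user's Confidentiality, Integrity or Availability Requirement (CR/IR/AR) before the base score formula is re-evaluated. The following is an added example, not code from the paper; it uses the published CVSS v2.0 weights and equations, and the sample vector is constructed for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP
from itertools import product

# CVSS v2.0 base metric weights
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}
# Environmental security requirement weights (CR/IR/AR); ND = not defined
REQUIREMENT = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}


def parse_vector(vector):
    """Parse a CVSS v2 base vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P'."""
    return dict(part.split(":") for part in vector.split("/"))


def impact_subscore(m, cr="ND", ir="ND", ar="ND"):
    """Impact, or AdjustedImpact when user requirements are supplied."""
    c = IMPACT[m["C"]] * REQUIREMENT[cr]
    i = IMPACT[m["I"]] * REQUIREMENT[ir]
    a = IMPACT[m["A"]] * REQUIREMENT[ar]
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    # The spec caps AdjustedImpact at 10 (a High requirement can push it over)
    return min(10.0, impact) if (cr, ir, ar) != ("ND", "ND", "ND") else impact


def exploitability_subscore(m):
    return 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]


def base_score(vector, cr="ND", ir="ND", ar="ND"):
    """CVSS v2 base score; with CR/IR/AR given this is the AdjustedBase score."""
    m = parse_vector(vector)
    impact = impact_subscore(m, cr, ir, ar)
    f_impact = 0 if impact == 0 else 1.176
    raw = (0.6 * impact + 0.4 * exploitability_subscore(m) - 1.5) * f_impact
    # CVSS rounds to one decimal, half up (Python's round() is half-even)
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def adjusted_scores(vector, levels=("L", "M", "H")):
    """AdjustedBase score for every CR/IR/AR combination of the given levels."""
    return {(cr, ir, ar): base_score(vector, cr, ir, ar)
            for cr, ir, ar in product(levels, repeat=3)}


if __name__ == "__main__":
    sample = "AV:N/AC:L/Au:N/C:P/I:P/A:P"  # constructed sample vector
    print("base", base_score(sample))
    for combo, score in sorted(adjusted_scores(sample).items()):
        print(combo, score)
```

With all three requirements set to Medium the adjusted score equals the unmodified base score, so the 27 combinations show how far the user's own CIA requirements can move the severity rating in either direction.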
