Re: cvss questions

First, you should be able to tailor any measure to get what you want. The key is really being able to justify it (you justified it to me in your question) and to be consistent with future applications of your values.

Second, I think you should lead the Target Distribution score alone, but instead change the Collateral Damage Potential (CDP) to compensate.

Third, if you have a small number of mission/life critical systems that will always score low because they're only a small number of your total systems, then I would even say they need to be scored entirely separate from your main group. They probably should always be top priority no matter what. Then take just that section of systems and redo your calculations. For instance, if you just take your 20 mission/life critical systems instead of your 10,000, your Target Distribution score could be 1.0 if all 20 of those systems are affected.

You could also increase the Confidentiality Requirement, Integrity Requirement, and Availability Requirement to match.

Essentially, what I read into your description is that this group of systems needs to be evaluated separately.

It wouldn't ever make sense that an issue that affects 80% of your low value systems means more to your organization than a mission/life critical update on 1% of your systems. But that really has nothing directly to do with the vulnerability itself; only when it has context with the assets affected.

Moving forward, it's possible the CVSS is very vulnerability-centric, rather than being asset-centric, meaning it really doesn't handle valuating your assets and the criticality of patching them. Only the importance and criticality of the vulnerability itself.

<- snip ->

Recently,my company has started using CVSS v2 for our metrics.

Im satisfied with the corresponding values I get from the score calculator *until* I add in the "Target Distribution" score, which drastically cuts down on the vulnerability's "Overall CVSS Score."

As I understand it, and as the CVSS v2 manual states, the field "Target Distribution" is "the portion of vulnerable systems on the network."

Since my client has a large and varied network, vulnerabilities will always get the "target distribution" of 0%-25%.

This means my "Overall CVSS Score" gets dropped from a high rating between 8-10 to around 1.5 - 2.5 when target distribution is set to 0%-25%. Even if the targeted computers are mission critical, and their failure can result in loss of life, the corresponding value gets reduced.

Is my understadning of "Target Distribution" incorrect?

Is it ethical to set the "Target Distribution" to "Not Defined," even if I know exactly how many machines will be affected? If it is ok to do this, what justification can I provide if questioned on why the value was skipped.

Thanks for your help!

Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.;4175;25;1371;0;5;946;e13b6be442f727d1