Vulnerability Management
CVE and CVSS
| Term | Description |
|---|---|
| CVE | Common Vulnerabilities and Exposures – unique ID (e.g., CVE-2021-44228) |
| CVSS | Common Vulnerability Scoring System – 0.0–10.0 severity score |
| NVD | National Vulnerability Database – NIST repository of CVEs |
| CWE | Common Weakness Enumeration – root cause classification |
| EPSS | Exploit Prediction Scoring System – probability of exploitation |
| KEV | CISA Known Exploited Vulnerabilities – actively exploited CVEs |
CVSS v3.1 Score Breakdown
| Metric | Options |
|---|---|
| Attack Vector (AV) | Network (N), Adjacent (A), Local (L), Physical (P) |
| Attack Complexity (AC) | Low (L), High (H) |
| Privileges Required (PR) | None (N), Low (L), High (H) |
| User Interaction (UI) | None (N), Required (R) |
| Scope (S) | Unchanged (U), Changed (C) |
| Confidentiality (C) | None (N), Low (L), High (H) |
| Integrity (I) | None (N), Low (L), High (H) |
| Availability (A) | None (N), Low (L), High (H) |
Vulnerability Management Process
| Step | Activity |
|---|---|
| 1. Asset Inventory | Know all systems, software, and versions in your environment |
| 2. Scanning | Continuous authenticated scans (Nessus, Qualys, OpenVAS) |
| 3. Assessment | Contextualize CVSS with environment: exploitability, asset criticality |
| 4. Prioritization | Risk-based: CVSS + EPSS + KEV + asset value |
| 5. Remediation | Patch, mitigate, or accept with documented risk |
| 6. Verification | Rescan to confirm fix; update tracking system |
| 7. Reporting | Metrics: MTTR, open vulns by severity, SLA compliance |
SLA Targets by Severity
| CVSS Score | Severity | Target Patch Time |
|---|---|---|
| 9.0–10.0 | Critical | 24–72 hours |
| 7.0–8.9 | High | 7–14 days |
| 4.0–6.9 | Medium | 30–60 days |
| 0.1–3.9 | Low | 90–180 days |
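Steps 3 and 4 of the process (contextualize CVSS, then prioritize on CVSS + EPSS + KEV + asset value) and the SLA table above can be wired together in a few lines. The following added example (not from the original page) ranks a constructed set of findings and computes each one's patch deadline from the SLA table. The risk formula, the asset criticality scale, the choice of the upper end of each SLA range as the hard deadline, the `CVE-0000-000x` placeholder IDs and the EPSS values are all assumptions of this example, not published guidance.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Deadlines from the SLA table; assumption: the outer bound of each range is the
# hard deadline, which makes "overdue" unambiguous.
SLA_HOURS = {"Critical": 72, "High": 14 * 24, "Medium": 60 * 24, "Low": 180 * 24}

# Assumed asset criticality scale: 1 = low value, 2 = normal, 3 = crown jewel.
CRITICALITY_WEIGHT = {1: 0.5, 2: 1.0, 3: 1.5}


@dataclass
class Finding:
    cve: str
    host: str
    cvss: float              # CVSS v3.1 base score from the scanner
    epss: float              # EPSS probability of exploitation, 0.0..1.0
    kev: bool                # listed in the CISA KEV catalog
    asset_criticality: int   # 1..3, see CRITICALITY_WEIGHT
    found: datetime          # when the scanner first reported it


def severity(cvss: float) -> str:
    """Bucket a base score into the rows of the SLA table."""
    if cvss < 0.1:
        return "None"
    if cvss < 4.0:
        return "Low"
    if cvss < 7.0:
        return "Medium"
    if cvss < 9.0:
        return "High"
    return "Critical"


def risk_score(f: Finding) -> float:
    """Illustrative risk ranking: KEV entries always sort first (they are being
    exploited now); everything else is CVSS scaled by asset value and by how
    likely exploitation is. The constants are this example's, not a standard."""
    contextual = f.cvss * CRITICALITY_WEIGHT[f.asset_criticality] * (1.0 + f.epss)
    return contextual + (100.0 if f.kev else 0.0)


def prioritize(findings: list) -> list:
    return sorted(findings, key=risk_score, reverse=True)


def sla_deadline(f: Finding):
    """Patch-by time from the SLA table, or None when the score is 0.0."""
    hours = SLA_HOURS.get(severity(f.cvss))
    return None if hours is None else f.found + timedelta(hours=hours)


def overdue(findings: list, now: datetime) -> list:
    return [f for f in findings if sla_deadline(f) is not None and now > sla_deadline(f)]


# Constructed sample findings (placeholder CVE IDs, invented EPSS values).
FIRST_SEEN = datetime(2024, 3, 1)
FINDINGS = [
    Finding("CVE-0000-0001", "build-01", 9.8, 0.02, False, 2, FIRST_SEEN),
    Finding("CVE-0000-0002", "kiosk-07", 7.5, 0.90, True, 1, FIRST_SEEN),
    Finding("CVE-0000-0003", "payments-db", 6.5, 0.60, False, 3, FIRST_SEEN),
    Finding("CVE-0000-0004", "test-vm", 3.1, 0.001, False, 1, FIRST_SEEN),
]

if __name__ == "__main__":
    now = datetime(2024, 3, 10)
    late = {f.cve for f in overdue(FINDINGS, now)}
    for f in prioritize(FINDINGS):
        flag = "OVERDUE" if f.cve in late else ""
        print(f"{risk_score(f):7.2f} {f.cve} {f.host:12s} cvss={f.cvss} "
              f"epss={f.epss} kev={f.kev} due={sla_deadline(f):%Y-%m-%d} {flag}")
```

Run it and the ranking differs from a plain CVSS sort: the KEV-listed High on a low-value kiosk goes first, and the Medium on the payments database with a 60% EPSS outranks the 9.8 on a build host that almost nobody is exploiting. That is the point of step 4: CVSS says how bad exploitation would be, EPSS and KEV say how likely it is, and asset value says what it would cost you. The SLA clock, by contrast, still runs on CVSS severity alone, so the 9.8 finding is the only one overdue after nine days.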