CVSS的骗局：我们如何被误导看不出漏洞严重性.pdf

1、#BHEU BlackHatEventsThe CVSS Deception:How Weve Been Misled on Vulnerability SeveritySpeaker(s):Syed Islam&Ankur Sand#BHEU BlackHatEventsAgenda Introduction Vulnerability Management&CVSS Six Challenges in CVSS Utilization Recommendations&Guidance Future Directions Key Takeaways2Agenda:Details#BHEU B

2、lackHatEventsWho We AreSyed IslamAnkur SandVic e Pres ident-C y bers ec ur it y Operat ion s C enter (Vuln erab ilit y Management Res pons e)h t t p s:/w w w.l i n k e d i n.c o m/i n/a n k u r-s-1 4 3 2 3 a 8/Pr inc ip al C ybersecu r ity Arc hitec tC y bers ec ur it y and Tec hno log y C o ntrol s

3、h t t p s:/s y e d-i s l a m.g i t h u b.i o/#BHEU BlackHatEventsVulnerability Management&Common Vulnerability Scoring System(CVSS)#BHEU BlackHatEventsVulnerability Lifecycle and CVSS for Severity Assessmenthttps:/ Management&CVSS-CVE Lifecycle&ImpactStandardized Risk AssessmentConsistent Stakeholde

4、r CommunicationPrioritization of Remediation EffortsLifecycle of a Vulnerability Role of CVSS in Vulnerability AssessmentNew VulnerabilityDiscoveryRequest ForCVE-IDVulnerability Management PrioritizationCVSSPatching#BHEU BlackHatEventsCVSS Score CVSS 3.0/3.1 Metrics and Severity ScaleVulnerability M

5、anagement&CVSS-Details0.1-3.9Low 4.0-6.9Medium 7.0-8.9High 9.0-10.0Critical0.0None CVSS Scoring Metrics DetailsCVSS Severity LevelsRating Source:https:/www.first.org/cvss/v3.1/specification-document#BHEU BlackHatEventsVulnerability Disclosure Trends792864946449146431651017305183232015325084290663400

6、720142015201620172018201920202021202220232024Source:https:/ Management&CVSS-Trends29251451034246415919331853246948807240563564601000020000300004000050000600000-11-22-33-44-55-66-77-88-99+Annual CVE disclosures rate trending up by 20%18%of CVEs rated critical(CVSS score of 9+).Vulnerability Release V