Time to Change the CVSS?

Spring, Jonathan M.; Hatleback, Eric; Householder, Allen D.; Manion, Art; Shick, Deana

doi:10.1109/msec.2020.3044475

Cited by 21 publications

(24 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Other than this, more advanced level evaluation starts with the help of tools such as Hping3, Nping, and Xerxes for DDoS and Authentication parameters are to be analyzed to check whether credentials of the users are in plain‐text format or hashed. In case more vulnerabilities are found, document is updated and CVSS 33 scoring system is taken into account know the severity level and impact on confidentiality, integrity and availability. All the attack results and there CVSS scores are documented.…”

Section: Methodsmentioning

confidence: 99%

An extensive vulnerability assessment and countermeasures in open network operating system software defined networking controller

Singh

Kaur

2022

Concurrency and Computation

View full text Add to dashboard Cite

Software defined networking (SDN) is the technology that has changed the design and deployment architecture of networks with its benefits like centralization, application awareness, programmability and so forth. But security is one aspect, which needs to be continuously revised according to the new vulnerabilities or bugs found in the network.In this article, penetration testing or vulnerability assessment has been performed on ONOS SDN controller with both single and clustered controller environments. Penetration testing has been performed using DELTA framework, which is solely built for SDN. Apart from using DELTA, python scripting and some popular DDoS tools like Hping3, Nping and Xerxes, are used to perform DDoS (TCP SYN and HTTP) vulnerability assessment. A total of 13 known and unknown vulnerabilities were found with impact of six each listed in high, and medium, while one vulnerability has low-impact.The impact level is measured using common vulnerability scoring system (CVSS) 3.1.Vulnerabilities have been found on the ONOS deployments with default parameters and results achieved can be used to strengthen the security of ONOS SDN controller.Our research puts major emphasis on finding both known and unknown vulnerabilities in ONOS SDN controller and their countermeasures to prevent or mitigate these vulnerabilities.

show abstract

Section: Methodsmentioning

confidence: 99%

An extensive vulnerability assessment and countermeasures in open network operating system software defined networking controller

Singh

Kaur

2022

Concurrency and Computation

View full text Add to dashboard Cite

show abstract

“…One of the best listings of perceived faws in CVSS is [14], which also contains suggestions that could be used to improve and/or revise CVSS or to create alternate scoring systems. One concern is that in CVSS v3, the metric values are ordinals (ordered categories) but they are converted into ratio data (allowing numerical differences with a zero value) within the v3 base score equation.…”

Section: Appendix C-encoded Knowledge Constraint Graphsmentioning

confidence: 99%

“…By assigning numbers, difference relationships are established not only between ordinal values of a particular CVSS metric (e.g., privileges required), but between ordinal values of different unrelated metrics (e.g., confdentiality and attack complexity). Additionally, [14] points out that it provides no justifcation for the equation that then takes these numerical values as input. Although not mentioned in [14], many have questioned the complexity of the equation and why, for example, it has a term raised to the 15 th power.…”

Section: Appendix C-encoded Knowledge Constraint Graphsmentioning

confidence: 99%

“…Additionally, [14] points out that it provides no justifcation for the equation that then takes these numerical values as input. Although not mentioned in [14], many have questioned the complexity of the equation and why, for example, it has a term raised to the 15 th power. Combining these concerns, [14] points out that the CVSS specifcation makes claims like "faster + fastest = 6" for which there is no empirical or theoretical justifcation.…”

Section: Appendix C-encoded Knowledge Constraint Graphsmentioning

confidence: 99%

See 1 more Smart Citation

Measuring the Common Vulnerability Scoring System Base Score Equation

Mell¹

2022

View full text Add to dashboard Cite

“…Spring et al [4] from Carnegie Mellon University presented a paper explaining why the Common Vulnerability Scoring System (CVSS) [5] scores need to be more justified and transparent. They question some of the aspects of the CVSS calculation, such as the type of measurement and the translation of that measurement into numerical measure.…”

Section: Related Workmentioning

confidence: 99%

VERCASM-CPS: Vulnerability Analysis and Cyber Risk Assessment for Cyber-Physical Systems

et al. 2021

View full text Add to dashboard Cite

Since Cyber-Physical Systems (CPS) are widely used in critical infrastructures, it is essential to protect their assets from cyber attacks to increase the level of security, safety and trustworthiness, prevent failure developments, and minimize losses. It is necessary to analyze the CPS configuration in an automatic mode to detect the most vulnerable CPS components and reconfigure or replace them promptly. In this paper, we present a methodology to determine the most secure CPS configuration by using a public database of cyber vulnerabilities to identify the most secure CPS components. We also integrate the CPS cyber risk analysis with a Controlled Moving Target Defense, which either replaces the vulnerable CPS components or re-configures the CPS to harden it, while the vulnerable components are being replaced. Our solution helps to design a more secure CPS by updating the configuration of existing CPS to make them more resilient against cyber attacks. In this paper, we will compare cyber risk scores for different CPS configurations and show that the Windows® 10 build 20H2 operating system is more secure than Linux Ubuntu® 20.04, while Red Hat® Enterprise® Linux is the most secure in some system configurations.

show abstract

Time to Change the CVSS?

Cited by 21 publications

References 6 publications

An extensive vulnerability assessment and countermeasures in open network operating system software defined networking controller

An extensive vulnerability assessment and countermeasures in open network operating system software defined networking controller

Measuring the Common Vulnerability Scoring System Base Score Equation

VERCASM-CPS: Vulnerability Analysis and Cyber Risk Assessment for Cyber-Physical Systems

Contact Info

Product

Resources

About