From the course: Vulnerability Management: Assessing the Risks with CVSS, CISA KEV, EPSS, and SSVC

Assess the risk

- [Instructor] We've built out our vulnerability detection process, so next we need to develop a systematic approach to assign risk to vulnerabilities using the concepts we covered earlier in this course. One way to do this is to combine the key factors of severity, exploitability, and exposure to assign risk to a specific vulnerability on a specific system in a systematic manner. For severity, we can either use the CVSS score or the severity score generated by our vulnerability scan engine. At Red30, we use CVSS scores in this process. When it comes to exploitability, the CISA KEV catalog and EPSS can be used. Most vulnerability scanning platforms provide fields that indicate whether a specific vulnerability is listed in the CISA KEV catalog, as well as the EPSS score, and we use both of these here at Red30. Our last factor, exposure, is the most important. At the simplest level, exposure can be external or internet-facing versus internal. Other things that you could incorporate include business…
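
The following is an added worked example of the three-factor approach described above; it is not code from the course or Red30's actual scoring scheme. It maps each factor to a small point value (severity from the standard CVSS v3 qualitative bands, exploitability from KEV membership with an EPSS fallback, exposure from external versus internal) and multiplies them into a score and a priority tier. The point values, the EPSS threshold, the exposure weights, the tier cut-offs, and the sample findings (fictional CVE IDs and hostnames) are all assumptions made for this illustration. Only the external/internal exposure split is modeled, since that is the only exposure factor the transcript spells out.

```python
"""Assign a risk score and tier to a vulnerability on a specific system.

Added illustration of the severity x exploitability x exposure approach.
Point values, thresholds and tier cut-offs are assumptions for this example,
not the course's or any vendor's scheme. The CVSS bands are the standard
CVSS v3 qualitative ratings (Critical/High/Medium/Low/None).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    host: str
    cvss: float      # CVSS base score, 0.0-10.0
    epss: float      # EPSS probability, 0.0-1.0
    in_kev: bool     # listed in the CISA KEV catalog
    exposure: str    # "external" (internet-facing) or "internal"


def severity_points(cvss: float) -> int:
    """Map a CVSS base score to 0-4 using the CVSS v3 qualitative bands."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    if cvss >= 9.0:
        return 4   # Critical
    if cvss >= 7.0:
        return 3   # High
    if cvss >= 4.0:
        return 2   # Medium
    if cvss > 0.0:
        return 1   # Low
    return 0       # None


EPSS_LIKELY = 0.10   # assumed threshold: EPSS at or above this counts as "likely exploited"


def exploitability_points(in_kev: bool, epss: float) -> int:
    """KEV membership means exploitation is known, so it outranks any EPSS value."""
    if not 0.0 <= epss <= 1.0:
        raise ValueError(f"EPSS probability out of range: {epss}")
    if in_kev:
        return 3
    if epss >= EPSS_LIKELY:
        return 2
    return 1


EXPOSURE_WEIGHT = {"external": 2, "internal": 1}   # assumed weights


def exposure_points(exposure: str) -> int:
    """Reject anything other than the two exposure values this example models."""
    try:
        return EXPOSURE_WEIGHT[exposure]
    except KeyError:
        raise ValueError(
            f"unknown exposure {exposure!r}; expected one of {sorted(EXPOSURE_WEIGHT)}"
        ) from None


def risk_score(f: Finding) -> int:
    """Multiplicative combination on a 0..24 scale, e.g. a KEV-listed Critical
    on an internet-facing host scores 24; the same CVE on an internal host, 12."""
    return (severity_points(f.cvss)
            * exploitability_points(f.in_kev, f.epss)
            * exposure_points(f.exposure))


def risk_tier(score: int) -> str:
    """Assumed tier cut-offs on the 0..24 scale."""
    if score >= 16:
        return "P1"
    if score >= 8:
        return "P2"
    if score >= 4:
        return "P3"
    return "P4"


def prioritize(findings):
    """Return (finding, score, tier) triples, highest risk first."""
    scored = [(f, risk_score(f), risk_tier(risk_score(f))) for f in findings]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample findings: fictional CVE IDs and hosts, not real scanner output.
SAMPLE = [
    Finding("CVE-2099-0001", "web-01", 9.8, 0.97, True, "external"),
    Finding("CVE-2099-0001", "build-07", 9.8, 0.97, True, "internal"),
    Finding("CVE-2099-0002", "vpn-02", 7.5, 0.02, False, "external"),
    Finding("CVE-2099-0003", "hr-db-01", 5.3, 0.01, False, "internal"),
    Finding("CVE-2099-0004", "api-03", 6.5, 0.40, False, "external"),
]

if __name__ == "__main__":
    for f, score, tier in prioritize(SAMPLE):
        print(f"{tier} {score:2d}  {f.cve} on {f.host} ({f.exposure})")
```

Two design points worth noting: the same CVE lands in different tiers depending on the host it sits on, which is exactly the "specific vulnerability on a specific system" framing in the transcript, and the exposure lookup fails loudly on an unexpected value rather than silently defaulting, since a missing or mistyped exposure tag would otherwise drive every score to zero or to the wrong tier.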