From the course: Vulnerability Management: Assessing the Risks with CVSS, CISA KEV, EPSS, and SSVC
Severity and risk are not the same
- [Narrator] It's easy to assume that a vulnerability that's been assigned a critical severity is automatically going to be high risk. After all, a CVSS score of 10.0 sounds scary. But in reality, severity is not risk. So let's walk through the differences and why they're important. First, we need to know what severity means. Severity is a technical measurement of a vulnerability's potential impact, and it's typically based on a scoring system, something like CVSS. In essence, severity is a measure of how bad things could be if a vulnerability were to be exploited. We've already covered the different components that can be used to determine severity in CVSS version 3, and you may recall that many of those metrics consider the potential impact of a vulnerability on its own. Severity is measured in isolation; it doesn't account for the specifics of a system or environment, or for that environment's particular security measures. When it comes to risk, it's not just about how bad something…