| Urgency Level | Response | Description |
|---|---|---|
| 0 | No action required | The organization is not susceptible to the vulnerability. |
| 1 | Standard maintenance process | The vulnerability poses a potential risk to the organization. The vulnerability should be mitigated as part of an organization’s standard maintenance cycle. Standard maintenance ideally should occur at regular intervals. |
| 2 | Priority maintenance process | The vulnerability poses a likely risk to the organization. The vulnerability should be mitigated during the organization’s next priority maintenance cycle. |
| 3 | Immediate mitigation process | The vulnerability poses an imminent risk to the organization. Actions to mitigate the vulnerability should be implemented immediately. |
Using the model is straightforward. By answering a set of questions for a vulnerability announcement, an organization arrives at one of the four urgency levels defined in Table 1.
The first step in the Risk Vulnerability Response Model is to learn about new security vulnerabilities. There are many sources for learning about security vulnerabilities, including the following.
Because vulnerability announcements can arrive from any number of sources, Cisco makes security advisories available in a variety of formats—for example, email, RSS feeds, the Cisco Notification Service, public web pages, and an API—as described in the Cisco Security Vulnerability Policy. Cisco also publishes advisories for some products in machine-readable format, using the Common Vulnerability Reporting Framework (CVRF) and the Open Vulnerability and Assessment Language (OVAL).
The next step in the Risk Vulnerability Response Model is to answer a set of questions about the vulnerability to determine the appropriate urgency level (see Table 1). Table 2 lists and describes each question.
Table 2. Determining Urgency Levels

| Question | Description |
|---|---|
| Running affected product? | Does the organization use the affected product in its environment? |
| Running affected version? | Does the product run a version or combination of software or, occasionally, hardware that has the vulnerability? |
| Vulnerable component enabled? | Is the product configured in such a way that the vulnerability is exposed, through either explicit configuration or default condition? |
| Workaround feasible? | Are methods to prevent exploitation of the vulnerability readily available and practical to implement? Consider both the vulnerable hosts and the surrounding infrastructure. |
| Workaround implemented? | Are methods to prevent exploitation of the vulnerability already in place? |
| Security Impact Rating | Critical: The vulnerability has the potential of severe impact to the organization, often resulting in unauthorized access to the device or network. These vulnerabilities typically score 9.0 or higher in CVSS Version 3 (CVSSv3).<br>High: The vulnerability has the potential of significant impact to the organization, often resulting in outages or loss of confidential information. These vulnerabilities typically score from 7.0 through 8.9 in CVSSv3.<br>Medium: The vulnerability has potential impact, often as part of phishing attacks or in conjunction with another vulnerability. Examples include cross-site scripting attacks, cross-site request forgeries, and privilege escalations. These vulnerabilities typically score from 4.0 through 6.9 in CVSSv3.<br>Low: The vulnerability has minimal impact, often providing information that can be used for reconnaissance. These vulnerabilities typically score 3.9 or lower in CVSSv3. Cisco publishes information about these vulnerabilities as a Bug Release Note Enclosure (RNE) instead of a Cisco Security Advisory. |
| | Based on the best available information, are exploit methods available for the vulnerability and is an attack likely?<br>Low: The vulnerability is considered difficult or impractical to exploit. Attacks are unlikely at this time.<br>Medium: Proof-of-concept or technically challenging exploit methods are known to be circulating for the vulnerability. Attacks are possible at this time.<br>High: Exploit methods are widely understood and circulated for the vulnerability. Attacks are likely and expected. |
| Significant collateral damage? | In a worst-case scenario, would there be substantial downstream or collateral damage to other systems in addition to the initial compromise of confidentiality, integrity, or availability of the affected product? Consider technical operations, business processes, negative press, property damage, and risk to human life.<br>For example, a denial of service (DoS) attack against a core router can affect the overall stability of the network, disrupt traffic that would transit the router, and so on. A DoS attack against a manufacturer’s extranet VPN concentrator can prevent shipping products to customers, a core business function. The organization should answer this question relative to its business and technical goals as well as its infrastructure. |
After an organization answers these questions, it arrives at one of the four conclusions about the urgency level for responding to the vulnerability and can then initiate the appropriate predefined response process.
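The following Python snippet is an added example, not code from the Cisco document: it encodes the Table 2 questions as a record, maps a CVSSv3 score to the Security Impact Rating using the thresholds stated above, and turns the answers into one of the four Table 1 urgency levels. The gating rule (any "no" on product, version or component means level 0) follows the page; the way the remaining answers are combined into levels 1 to 3 is an assumed, illustrative policy that an organization would replace with its own.

```python
from dataclasses import dataclass

LEVELS = {0: "No action required", 1: "Standard maintenance process",
          2: "Priority maintenance process", 3: "Immediate mitigation process"}

def sir_from_cvss(score: float) -> str:
    """Security Impact Rating from a CVSSv3 base score (thresholds from Table 2)."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"

@dataclass
class Answers:
    """One row of answers to the Table 2 questions for a single advisory."""
    running_product: bool
    running_version: bool
    component_enabled: bool
    workaround_feasible: bool      # recorded for the response plan; does not change the level here
    workaround_implemented: bool
    cvss: float                    # CVSSv3 base score from the advisory
    exploit_likelihood: str        # "Low", "Medium" or "High", as defined in Table 2
    collateral_damage: bool

def urgency(a: Answers) -> int:
    # Gating questions: if the product, version or vulnerable component is not
    # present, the organization is not susceptible and the level is 0.
    if not (a.running_product and a.running_version and a.component_enabled):
        return 0
    # Assumed combination policy (not from the Cisco document): start from the
    # Security Impact Rating, then adjust for exploit likelihood, collateral
    # damage and an already-implemented workaround. Result is clamped to 1..3.
    base = {"Critical": 3, "High": 2, "Medium": 1, "Low": 1}[sir_from_cvss(a.cvss)]
    if a.exploit_likelihood == "High":
        base += 1
    elif a.exploit_likelihood == "Low":
        base -= 1
    if a.collateral_damage:
        base += 1
    if a.workaround_implemented:
        base -= 1
    return max(1, min(3, base))

if __name__ == "__main__":
    # Constructed sample: affected core router, CVSS 9.8, exploit code circulating widely.
    sample = Answers(True, True, True, True, False, 9.8, "High", True)
    print(urgency(sample), LEVELS[urgency(sample)])
```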
Managing vulnerabilities is an increasingly complex process. There are more vulnerabilities that have to be examined and there is less time to determine the threat posed by any given vulnerability. Underreacting and overreacting both carry significant risks and, in some cases, can be more damaging than an attack.
Vulnerability risk triage provides a quick way to evaluate incoming vulnerabilities and determine their potential severity for an organization. Managers can adapt the Cisco Risk Vulnerability Response Model, along with other industry best practices and effective uses of technology, to fit the needs of their organization and manage this challenge.
The following resources provide more information about vulnerability discovery and incident response:
This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.