LITIGATION SUPPORT TIP OF THE NIGHT

Last night’s tip concerned NIST’s CVSS system for evaluating the severity of security breaches. NIST has an online calculator that you can use to generate a score based on each of the metrics discussed last night. See: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator . In this example, we see how the highest CVSS score resutls in the worst case scenario for each of the metrics:

An additional temporal score (which uses the base score as an input) is based on whether or not a functional code has been developed for an exploit and has been distributed; whether or not a patch has been developed to remediate the attack; and whether or not the cause of the attack is known.

The Tip of the Night for January 23, 2020 referred to NIST's Common Vulnerability Scoring System for evaluating how serious a flaw in a cybersecurity system is. A vulnerability can be assigned a score from 0 to 10 under the system, which uses six metrics to assess the severity of a flaw:

1. ACCESS - access to a local account will only result in a score of 0.395. Network level access is graded a 1.0.

2. ACCESS COMPLEXITY - this measures how difficult it is to exploit the vulnerability. If it can be used without the need for social engineering, the score will be higher.

3. AUTHENTICATION - if the exploit requires the attacker to authenticate more than two times, the score will be lower.

4. CONFIDENTIALITY - depending on the scope of data disclosed, the score may be higher.

5. INTEGRITY - if the attacker can modify data at will a score of 0.660 will be given.

6. AVAILABILITY - an attack that lowers the performance of the system will result in a higher score.

The recent Sophos Group State of Ransomware 2021 report includes the telling statistic that " [O]n average, only 65% of the encrypted data was restored after the ransom was paid." Sophos surveyed more than 5400 IT departments around the world.

Despite this, about a third of ransomware victims decide to pay.