Join Lora Vaughn for an in-depth discussion in this video, Case study: Red30 technology, part of Vulnerability Management: Assessing the Risks with CVSS v3.1.
- [Instructor] During this course, we're going to imagine that we work at Red 30 Tech. Red 30 is a technology solutions provider, and they have 5,000 data centers in 50 countries and over 5,000 employees. Red 30 Tech is the leading source of secure, fully customizable technology and business solutions. Security and vulnerability management are integral to ensuring the confidentiality, integrity, and availability of the Red 30 network, data, systems, and those of our customers. Like many large companies, Red 30 has struggled with vulnerability management because the environment is just so large and complex.

In this course, we're going to focus on vulnerability scan results for a subset, or a representative sample, of systems in the Red 30 Tech environment. Let's take a look at a scan report for these selected systems. Our sample includes 17 different systems in the Red 30 Tech environment. There are some workstations, internal servers, internet-facing servers, network devices, printers, and even a few IoT devices. On these 17 systems, 2,357 vulnerabilities were found. That's an average of 138 vulnerabilities per system. In reality, the numbers are a little bit different, and the number of vulnerabilities per system ranges from five to 410. Our scan engine helpfully provides CVE numbers, CVSS scores, and more information to help us resolve identified issues.

If CVSS scores already exist for many vulnerabilities, why are we taking a deep dive into CVSS? Sometimes a CVSS score isn't available for a specific vulnerability. You might just run into a situation where you find out about a vulnerability that doesn't have a CVE, and it isn't in the NVD. As a result, there's no CVSS score. If we look back at our vulnerability scan results, of all the reported vulnerabilities, a significant portion, over 70% to be exact, don't have a CVSS score. You may be wondering when a vulnerability wouldn't have a CVE and CVSS score, and that's a fair question.
It could be that there's no CVE because the system or software vendor doesn't participate in the CVE process. Or the vulnerability could be a potential issue that your scan engine reports as informational. But that informational vulnerability could be a big concern in your environment. So when a pre-calculated CVSS score isn't available, you can analyze the vulnerability and define the CVSS risk score for yourself. When you understand how to use CVSS, you can assess the risk of an unrated vulnerability to your environment.