Overview
This course aims to help participants understand the limitations of using the Common Vulnerability Scoring System (CVSS) as a risk metric for vulnerabilities and a prioritization metric for patching policies. By analyzing real attack data, the course demonstrates that relying solely on CVSS scores can lead to significant over-investment in patching. The teaching method includes practical examples, case studies, and statistical analysis to illustrate the inefficiencies of the CVSS approach. The course is designed for cybersecurity professionals, risk analysts, and individuals involved in vulnerability management within organizations.
Syllabus
Introduction
Vulnerabilities
What is CVSS
Double Vision
Insecurity
Data Sets
Distribution
Exploitability
Case Control Study
Comparison
Example
Sensitivity
Sensitivity vs Specificity
Pacing
Visualizing CVSS
Patching Policy
National Grid
Batches
Shock Analysis
CVSS Score
Temporal Scores
Temporal Information
Taught by
Black Hat