CVSS – Is 3 The Magic Number?

We have now come to the end of our blog series discussing CVSSv3. Over the past several months, we’ve attempted to cover the many disadvantages and some advantages of this standard, and how it compares to CVSSv2. New problems have been introduced, old problems remain, but improvements have also been made. Blog Series Feedback […]

Risk Based Security, FIRST & San Juan – What A Combination!

Every year Risk Based Security attends and presents at a variety of industry events, with the FIRST annual conference being one of our favorites. For those unfamiliar with FIRST, it is a close-knit community of incident response professionals with a long tradition of members working collaboratively on special interest topics and sharing information with the […]

29% Increase In Vulnerabilities Already Disclosed In 2017

2017 starts off with an unrelenting rise in vulnerabilities, according to Risk Based Security. RICHMOND, VA, May 23, 2017 — Risk Based Security today announced the release of our VulnDB QuickView for the first quarter of 2017. The report shows an unrelenting rise in the number of vulnerabilities being reported. Unless the pace of vulnerability […]

Another Record Pace For Breach Activity Already In Q1 2017

RICHMOND, VA, May 23, 2017 — Risk Based Security is pleased to announce the release of the Q1 2017 DataBreach QuickView Report. Results from the analysis of Q1 activity do not look promising for data breach activity in 2017. In fact, with over 1,200 breaches and over 3.4 billion, yes billion, records exposed, 2017 is […]

CVSS – Is Version 3 All Bad?

Over the past months, we’ve been blogging in our CVSSv3 series about various concerns and problems with CVSSv3 either introduced in CVSSv3 or that existed since CVSSv2. We have also discussed the shift and increased severity ratings, which we have seen with the scoring system itself. To be fair, it is important to know that […]

CVSSv3: When Every Vulnerability Appears To Be High Priority

After a brief hiatus, we are excited to be in the home stretch of our CVSSv3 series. In this post we look at some of the current CVSSv3 scoring and analysis that has been published. The first thing we did when starting this blog series was to reach out to the CVSS SIG mailing list […]

Wikileaks: Vault 7 Leak Exposes CIA Hacking Documents

Just as the story on The Shadow Brokers exposing the alleged NSA Equation Group’s offensive cyber toolkit has come to a close, today Wikileaks announced a new series of leaks concerning the hacking capabilities of the CIA. This new series of leaks has been named “Vault 7” and they claim it is the largest publication […]

CVSSv3: New System, Old Problems Remain

This latest blog post in our CVSSv3 series discusses problems with CVSSv2 that persist in CVSSv3. While CVSSv3 did address some concerns with CVSSv2 – as we plan to discuss in a future blog post – it did not address all. Some of the remaining issues we believe are quite problematic. The Access Complexity Segregation […]

Risk Based Security, NIST and University of Maryland Team Up To Tackle Security Effectiveness

The research team at Risk Based Security analyzes and catalogs thousands of data breaches every year. From that work, a few central themes arise time and again. One such theme is that breaches can happen at even the most security-conscious organizations. Another is the tenacity and skill of attackers when it comes to searching out […]

CVSSv3: New System, Next Problem (Scope)

In our last CVSSv3 blog series, we discussed our concerns about having to consider exploit reliability and the requirements to bypass advanced exploit mitigation techniques as part of the ‘Attack Complexity (AC)’ base score. This week, we attempt to wrap up the newly introduced challenges by covering the new ‘Scope (S)’ metric. “Formally, Scope refers […]