CISA or CVSS: How Today’s Vulnerability Databases Work Together


In the cybersecurity field, large databases of known threats and vulnerabilities have often been an essential resource. These catalogs show you where to focus your efforts. They’re also a good tool for prioritizing patches to increase security and mitigate the risk of disaster. As a result, these databases need to be reliable and up-to-date and use the correct criteria to assess vulnerabilities.


In November, the Cybersecurity and Infrastructure Security Agency (CISA) updated its catalog of known vulnerabilities and made it public. The agency shared its own deadlines for patches, first intended for federal agencies but useful as guidelines for the private sector as well. The CISA list is a noteworthy change in the cybersecurity space because it uses slightly different criteria than the Common Vulnerability Scoring System (CVSS), another key resource for assessing cyber vulnerabilities.


How are the two systems different? Take a look at the pros and cons of moving to the CISA catalog and away from the CVSS, and what it all means for security-conscious organizations.


CISA or CVSS?


One of the key differences between the CISA catalog and the CVSS is the criteria for prioritizing patches. CISA recommends patches based on exploitability, while the CVSS bases its recommendations on criticality.


Let’s explore those two concepts:

Exploitability — categorizing vulnerabilities and recommending patches based on actual exploits that have taken place.

Criticality — categorizing vulnerabilities and recommending patches based on a severity score assigned by the CVSS.
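To make the difference between the two criteria concrete, here is an added example (not from the original article) that ranks one constructed set of scan findings both ways. The CVE ids, scores and the known-exploited set are placeholders, and 7.0 is assumed here as the conventional CVSS "high" cut-off.

```python
# Added example: rank the same constructed findings by CVSS criticality
# and by CISA-style exploitability (membership in a known-exploited list).
# All ids, scores and the exploited set are constructed placeholders.

from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve_id: str   # placeholder id, not a real CVE
    cvss: float   # CVSS base score, 0.0 to 10.0
    asset: str


# Constructed inventory from a hypothetical scan.
FINDINGS = [
    Vuln("CVE-0000-0001", 9.8, "web-gateway"),    # critical score, no known exploitation
    Vuln("CVE-0000-0002", 6.5, "vpn-appliance"),  # medium score, actively exploited
    Vuln("CVE-0000-0003", 7.2, "build-server"),
    Vuln("CVE-0000-0004", 4.3, "print-server"),   # low score, actively exploited
]

# Constructed stand-in for a CISA-style known-exploited catalog.
KNOWN_EXPLOITED = {"CVE-0000-0002", "CVE-0000-0004"}


def rank_by_criticality(findings):
    """CVSS-only order: highest base score first."""
    return [v.cve_id for v in sorted(findings, key=lambda v: -v.cvss)]


def rank_by_exploitability(findings, kev):
    """CISA-style order: known-exploited first, CVSS breaks ties within each group."""
    return [v.cve_id for v in sorted(findings, key=lambda v: (v.cve_id not in kev, -v.cvss))]


def catalog_gaps(findings, kev, high_cutoff=7.0):
    """Exploited findings that a CVSS-only 'high and above' filter would skip."""
    return [v.cve_id for v in findings if v.cve_id in kev and v.cvss < high_cutoff]


if __name__ == "__main__":
    print("by criticality:   ", rank_by_criticality(FINDINGS))
    print("by exploitability:", rank_by_exploitability(FINDINGS, KNOWN_EXPLOITED))
    print("missed by CVSS>=7.0 filter:", catalog_gaps(FINDINGS, KNOWN_EXPLOITED))
```

The two orderings disagree on the top two items, and `catalog_gaps` shows why: both exploited findings sit below the score threshold a CVSS-only patch policy would act on.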

Wha ..
