In this second part we look more closely at PCI DSS version 4.0 requirement 6.3.1, focusing on its risk ranking component. The requirement is often misunderstood, yet it is fundamental: the rankings it produces feed into many other PCI DSS requirements.

Recapitulation of Part One

Before turning to risk ranking, a brief recap of part one: it covered the vulnerability identification process, the first component of requirement 6.3.1, and laid the groundwork for the risk ranking component discussed here.

Diving into the Risk Ranking Process

Organizations running a vulnerability management program find more software vulnerabilities than they can fix at once, so remediation has to be prioritized. PCI DSS requirement 6.3.1 addresses this by mandating a risk ranking system to guide vulnerability mitigation. However, the requirement leaves the specifics of the risk-ranking approach for each organization to define.

The Common Vulnerability Scoring System (CVSS) is the usual starting point for quantifying severity. Vulnerabilities that carry a Common Vulnerabilities and Exposures (CVE) number in the National Vulnerability Database (NVD) are assigned a CVSS score from 0 to 10 that reflects exploit difficulty and potential impact.

Many organizations base their risk ranking solely on CVSS scores, but this approach has pitfalls. Not every vulnerability has a CVSS score, particularly those found in bespoke or custom software. An organization tied to a CVSS-only approach must therefore either compute scores for the unscored vulnerabilities itself or devise alternative ranking criteria.

A simple CVSS-based system also fails to account for the specifics of each organization's environment. This matters because PCI DSS requires critical and high vulnerabilities to be patched within a stringent timeframe, so a generic score forces the organization to rush remediation of vulnerabilities that, in its environment, are less critical than the score suggests.

Navigating the Challenges of Risk Ranking

Given these challenges, two primary approaches emerge:

1. Using the CVSS calculator: Organizations can use the CVSS calculator, including its optional metrics, to tailor scores to their situation while staying aligned with an industry standard.

2. Defining custom risk ranking criteria: Organizations that want more flexibility can create their own ranking criteria, independent of CVSS scores and tailored to their environment and requirements.

Whichever approach is chosen, the rankings must include ‘high’ and ‘critical’ levels. A five-level scale of Critical, High, Medium (or Moderate), Low, and Very Low (or None) is common; some organizations use a four-level scale that omits Very Low.

Charting the Course: Creating CVSS Scores

Organizations that stay with a CVSS-based framework use the CVSS calculator to derive scores for unscored vulnerabilities. Scoring should follow the NVD’s conventions, preferably CVSS version 3.1, with version 4.0 adopted once the NVD transitions to it.

Scoring starts with the Base Score Metrics, optionally complemented by the Temporal Score Metrics. The assessor works through the exploitability and impact metrics using the vulnerability data available, taking care that each metric value is supported by that data.

Navigating the Terrain: Environmental Adjustments to CVSS Scores

The Environmental Score section of the CVSS calculator is where scores are tailored to the organization’s environment: the original metrics are combined with environmental ones so that the final score reflects the specific systems and controls involved.

A matrix can be used to assign initial risk rankings based on likelihood and impact:

The initial risk of the vulnerability would be Medium, based on the intersection of Medium likelihood and High impact.

Another matrix can be used to adjust the risk rankings based on the criticality of the affected components:

Using this matrix, we would adjust our Medium risk vulnerability to High risk due to the high criticality of the system.

Taking this a step further, another matrix can be used to arrive at final risk rankings when taking security controls and other mitigating factors into consideration:

Our final risk ranking would be High due to the Low mitigation of this vulnerability.

These scales and matrices are suggestions, and organizations should change them to determine and weigh impact, likelihood, component criticality, and mitigating factors based on their environment and risk tolerance.
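The three matrices described above, and the custom-criteria framework discussed later, can be expressed as a small lookup-and-adjust routine. The following is an added example, not the article’s own tooling: the five-level scales, the matrix cells, and the shift values for criticality and mitigation are constructed assumptions, chosen so that the article’s worked case (Medium likelihood, High impact, high component criticality, Low mitigation) reproduces its Medium, then High, then High path. An organization would replace these cells with its own weighting.

```python
"""Three-stage qualitative risk ranking: likelihood x impact, then component
criticality, then mitigating controls.

Added example, not from the article. All scale values and matrix cells below
are constructed assumptions; they are laid out so that the article's worked
case yields Medium -> High -> High.
"""
from dataclasses import dataclass

# Ordered lowest to highest so that "one level up" is an index shift of +1.
RISK_LEVELS = ("Very Low", "Low", "Medium", "High", "Critical")
LIKELIHOOD = ("Very Low", "Low", "Medium", "High", "Very High")
IMPACT = ("Very Low", "Low", "Medium", "High", "Very High")

# Initial risk matrix (constructed): rows are likelihood, columns follow IMPACT.
INITIAL_MATRIX = {
    "Very High": ("Low",      "Medium",   "High",   "Critical", "Critical"),
    "High":      ("Low",      "Medium",   "High",   "High",     "Critical"),
    "Medium":    ("Very Low", "Low",      "Medium", "Medium",   "High"),
    "Low":       ("Very Low", "Low",      "Low",    "Medium",   "Medium"),
    "Very Low":  ("Very Low", "Very Low", "Low",    "Low",      "Medium"),
}

# Component criticality: number of levels to shift the initial ranking (constructed).
CRITICALITY_SHIFT = {"Low": -1, "Medium": 0, "High": +1}

# Strength of mitigating controls: number of levels to shift (constructed).
# "Low" mitigation leaves the ranking unchanged, matching the article's example.
MITIGATION_SHIFT = {"None": 0, "Low": 0, "Medium": -1, "High": -2}


def shift_level(level: str, steps: int) -> str:
    """Move a risk level up or down by `steps`, clamped to the ends of the scale."""
    idx = RISK_LEVELS.index(level) + steps
    return RISK_LEVELS[max(0, min(idx, len(RISK_LEVELS) - 1))]


def initial_risk(likelihood: str, impact: str) -> str:
    """Stage 1: look up the likelihood x impact cell."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"unknown likelihood/impact: {likelihood!r}/{impact!r}")
    return INITIAL_MATRIX[likelihood][IMPACT.index(impact)]


@dataclass
class RiskRanking:
    initial: str            # after likelihood x impact
    after_criticality: str  # after the component-criticality adjustment
    final: str              # after mitigating controls are considered


def rank_vulnerability(likelihood: str, impact: str,
                       criticality: str, mitigation: str) -> RiskRanking:
    """Run all three stages and keep each intermediate result for the record."""
    initial = initial_risk(likelihood, impact)
    adjusted = shift_level(initial, CRITICALITY_SHIFT[criticality])
    final = shift_level(adjusted, MITIGATION_SHIFT[mitigation])
    return RiskRanking(initial, adjusted, final)


def requires_expedited_remediation(level: str) -> bool:
    """PCI DSS holds critical and high vulnerabilities to the mandated
    remediation timeframe; lower rankings follow the normal cadence."""
    return level in ("High", "Critical")


if __name__ == "__main__":
    # The article's worked case.
    r = rank_vulnerability("Medium", "High", "High", "Low")
    print(r, "expedite:", requires_expedited_remediation(r.final))
```

Keeping all three intermediate rankings in the result, rather than only the final one, gives the assessor the evidence trail that the documentation section below calls for: an auditor can see why a vulnerability scored Medium on the generic matrix yet is tracked as High.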

In CVSS version 3.1, the Environmental Score Metrics modify the Base Score Metrics to reflect the affected systems, and the Impact Subscore Modifiers weight the confidentiality, integrity, and availability requirements according to how much the organization depends on each.

Forging New Paths: Crafting Custom Risk Ranking Criteria

Organizations that want maximum flexibility can build their own risk ranking criteria. The criteria should be anchored in established risk assessment methodologies so that they reflect industry best practice while fitting the organization’s own environment.

Such a framework combines likelihood, impact, system criticality, and mitigating factors. Matrices of the kind described above are the practical tool for this: they make each step of the assessment repeatable and keep the resulting rankings tied to the organization’s actual risk.

Documenting the Voyage: Imperatives of Comprehensive Documentation

Documentation is essential. A detailed procedure should set out the risk ranking process step by step so that it is performed consistently by everyone involved.

Policy should require that the risk-ranking methodology aligns with industry best practices. Documenting the resulting risk rankings both satisfies the PCI DSS testing procedures and demonstrates the organization’s commitment to cybersecurity.

In summary, risk ranking is a demanding exercise, but with the right tools, a sound methodology, and consistent documentation, organizations can meet requirement 6.3.1 with confidence, strengthening their compliance posture and reducing their exposure to evolving cyberthreats.

By: Chad Barr – Director of Governance, Risk & Compliance – CISSP | CCSP | CISA | CDPSE | QSA

If you have any questions about PCI DSS compliance for your business, please feel free to contact us.

Chad is the Director of Governance, Risk and Compliance for the Risk Advisory Service practice at AccessIT Group (AITG). He is an experienced Information Security Leader with an extensive background in Security Engineering, Project Management, Business, and Compliance. Through his many years of experience, he has established knowledge with respect to governance, regulatory, and compliance frameworks such as CIS, NIST, ISO2700X, and PCI-DSS. He has multi-disciplinary expertise and experience in domains such as application security, security operations, cybersecurity monitoring, vulnerability management, incident management/response, identity and access management, compliance, and cloud infrastructure.
