(7) CVSS Common Vulnerability Scoring System Flashcards
What is the Common Vulnerability Scoring System (CVSS)?
The CVSS is an industry standard for assessing the severity of security vulnerabilities.
It provides a technique for scoring each vulnerability on a variety of measures.
Each measure has a descriptive rating and a score.
What do the first four measures of the Common Vulnerability Scoring System (CVSS) evaluate, and what do the last three evaluate? How about the eighth (and final) one?
The first four measures of the CVSS evaluate the exploitability of the vulnerability, while the last three evaluate the impact of the vulnerability.
The eighth is about scope.
In the Common Vulnerability Scoring System (CVSS), what is the Attack Vector (AV)?
The AV metric describes how an attacker would exploit the vulnerability and is assigned one of the following values: Physical (P), Local (L), Adjacent Network (A), or Network (N).
Within the Common Vulnerability Scoring System (CVSS), describe the attack complexity metric
The attack complexity metric describes the difficulty of exploiting the vulnerability and is assigned one of two values: High (H) or Low (L).
Within the Common Vulnerability Scoring System (CVSS), what is the Privileges Required (PR) Metric?
The PR metric describes the type of account access an attacker would need in order to take advantage of the vulnerability and is assigned one of three values: High (H), Low (L), or None (N).
Within the Common Vulnerability Scoring System (CVSS), describe the User Interaction Metric
The User Interaction (UI) metric describes whether the attacker needs to involve another person in the attack. It is assigned one of two values: None (N) or Required (R).
Within the Common Vulnerability Scoring System (CVSS), describe the Integrity Metric
The Integrity metric describes the type of information alteration that might occur if an attacker exploits the vulnerability. It is assigned one of these values: None (N), Low (L), or High (H).
Within the Common Vulnerability Scoring System, describe the Availability Metric
The Availability metric describes the type of disruption that might occur if an attacker succeeds in exploiting the vulnerability. It is assigned one of these values: None (N), Low (L), or High (H).
Within the Common Vulnerability Scoring System (CVSS), describe the Scope Metric
The Scope metric describes whether exploiting the vulnerability can affect system components beyond the scope of the vulnerable component. The metric is assigned one of two values: Unchanged (U) or Changed (C).
Within the Common Vulnerability Scoring System (CVSS), what is the CVSS vector?
The CVSS vector uses a single-line format to record the ratings of a vulnerability on all CVSS metrics.
The vector contains nine components: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, and Availability.
Within the Common Vulnerability Scoring System (CVSS), what is the CVSS base score?
The CVSS base score is a single number representing the overall risk posed by the vulnerability.
To get the base score, one must calculate the exploitability score, impact score, and impact function.
Within the Common Vulnerability Scoring System, what is the Impact Sub Score (ISS)?
The ISS summarizes the three impact metrics using the formula:
ISS = 1 - [(1 - Confidentiality) × (1 - Integrity) × (1 - Availability)]
Within the Common Vulnerability Scoring System (CVSS), when calculating the impact score, what value must we take into account?
To calculate the impact score from the impact sub score, we have to take the value of the scope metric into consideration.
If the scope metric is unchanged, then the ISS is multiplied by 6.42.
Impact = X.XX * ISS
Considering the Common Vulnerability Scoring System (CVSS), when calculating the impact sub score, if the scope metric is changed, how are the calculations performed?
While calculating the impact sub score, if the scope metric is changed, the formula is:
Impact = X.XX × (ISS - 0.029) - 3.25 × (ISS - 0.02)^15
Within the Common Vulnerability Scoring System (CVSS), what is exploitability and weaponization?
Exploitability is a measure of how likely it is that an attacker will use a vulnerability to gain access to a system.
Weaponization is the ability of an attacker to make an exploit that leverages a vulnerability.
Within the Common Vulnerability Scoring System (CVSS), how is exploitability calculated?
Exploitability is calculated with this formula:
Exploitability = 8.22 × AttackVector × AttackComplexity × PrivilegesRequired × UserInteraction
Considering the Common Vulnerability Scoring System (CVSS), when trying to calculate the base score, if the impact is 0, what is the base score?
Also, if the scope metric is unchanged, how is the base score calculated?
If the impact is 0, so is the base score.
If the scope metric is not changed, the base score is calculated by adding together the impact and exploitability scores and multiplying the result by 1.08.
Considering the Common Vulnerability Scoring System (CVSS), when calculating the base score, if the scope metric is changed, how is the base score calculated?
Also, what is the highest possible base score?
If the scope metric is changed, the base score is calculated by adding together the impact and exploitability scores and then multiplying the result by 1.08.
The highest possible base score is 10; if the score you calculate is more than 10, set it to 10.
What is the Common Vulnerability Scoring System Qualitative Severity Rating Scale (CVSS Qualitative Severity Scale)?
The CVSS Qualitative Severity Scale further summarizes the CVSS results by using risk categories instead of numeric risk ratings.
Considering the Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating Scale, what are the five categories that can be used as a result of the calculations?
0 = None
0.1-3.9 = Low
4.0-6.9 = Medium
7.0-8.9 = High
9.0-10.0 = Critical