Common Vulnerability Scoring System Flashcards

1
Q

CVSS

A

The Common Vulnerability Scoring System is a risk assessment tool that is designed to convey the common attributes and severity of vulnerabilities in computer hardware and software systems.

2
Q

CVSS 3.0

A

CVSS 3.0 is a vendor-neutral, industry standard, open framework for weighting the risks of a vulnerability using a variety of metrics. These weights combine to provide a score of the risk inherent in a vulnerability. The numeric score can be used to determine the urgency of the vulnerability, and the priority of addressing it.

3
Q

FIRST

A

The Forum of Incident Response and Security Teams has been designated as the custodian of the CVSS to promote its adoption globally.

4
Q

CVSS Metric Groups

A
  • Base Metric Group
  • Temporal Metric Group
  • Environmental Metric Group
5
Q

Base Metric Group

A

This represents the characteristics of a vulnerability that are constant over time and across contexts. It has two classes of metrics:

  • Exploitability - These are features of the exploit such as the vector, complexity, and user interaction required by the exploit.
  • Impact metrics - The impacts of the exploit are rooted in the CIA triad of confidentiality, integrity, and availability.
6
Q

Temporal Metric Group

A

This measures the characteristics of a vulnerability that may change over time, but not across user environments. Over time, the severity of a vulnerability will change as it is detected and measures to counter it are developed. The severity of a new vulnerability may be high, but will decrease as patches, signatures, and other countermeasures are developed.

7
Q

Environmental Metric Group

A

This measures the aspects of a vulnerability that are rooted in a specific organization’s environment. These metrics help to rate consequences within an organization and allow adjustment of metrics that are less relevant to what an organization does.

8
Q

CVE

A

Common Vulnerabilities and Exposures
This is a dictionary of common names, in the form of CVE identifiers, for known cybersecurity vulnerabilities. The CVE identifier provides a standard way to research a reference to a vulnerability. When a vulnerability has been identified, CVE identifiers can be used to access fixes. In addition, threat intelligence services use CVE identifiers, and they appear in various security system logs. The CVE Details website links CVSS scores to CVE information and allows browsing of CVE vulnerability records by CVSS severity rating.

9
Q

NVD

A

National Vulnerability Database
This utilizes CVE identifiers and supplies additional information on vulnerabilities such as CVSS threat scores, technical details, affected entities, and resources for further investigation. The database was created and is maintained by the U.S. government's National Institute of Standards and Technology (NIST).
