Week 6-2

Question 1

List the first 3 common ways to identify threats/vulnerabilities.

Answer 1

• CVE (Common Vulnerabilities & Exposures)
• NVD (National Vulnerability Database)
• CWE (Common Weakness Enumeration)

Question 2

List the second 3 common ways to identify threats/vulnerabilities.

Answer 2

• CAPEC (Common Attack Pattern and Enumeration Classification)
• CPE (Common Platform Enumeration)
• CCE (Common Configuration Enumeration)

Question 3

What are the qualification criteria for a CVE?

Answer 3

• Fixable Independent of other issues
• Vendor Acknowledgment
• Proven risk
• Affecting one codebase

Question 4

Base Metrics: What are the exploitability metrics?

Answer 4

• Attack Vector (AV)
• Attack Complexity (AC)
• Attack Requirements (AT)
• Privileges Required (PR)
• User Interaction (UI)

Question 5

What does it mean when we refer to “impact” metrics in CVSS?

Answer 5

Vulnerable System Impact and Subsequent System Impact

Question 6

What impact metrics are measured in CVSS?

Answer 6

• Confidentiality (VC/SC)
• Integrity (VI/SI)
• Availability (VA/SA)

Question 7

What are environmental metrics in CVSS?

Answer 7

• Confidentiality, Integrity, and Availability Requirements (CR, IR, AR)
• Modified Attack Vector (MAV)
• Modified Attack Complexity (MAC)
• Modified Attack Requirements (MAT)
• Modified Privileges Required (MPR)
• Modified User Interaction (MUI)