CVSS Vulnerability Scoring Overview
40 Questions

Questions and Answers

The Environmental Metrics in CVSS modify the final score.

False

What is the highest possible score that can be generated by the CVSS?

  • 8.0
  • 7.5
  • 10.0 (correct)
  • 5.0

List the four metric groups in CVSS.

Base, Threat, Environmental, Supplemental

A CVSS score between 4.0 and 6.9 is considered _____ severity.

Medium

Which metric group reflects the qualities of a vulnerability that change over time?

Threat Group

What is required for an attacker to successfully exploit a vulnerability?

Target-specific secret

The attack requirements metric captures the conditions of the vulnerable system that do not affect the success of the attack.

False

Match the CVSS score ranges with their corresponding severity level:

  • 0.0 = None
  • 0.1 - 3.9 = Low
  • 4.0 - 6.9 = Medium
  • 7.0 - 8.9 = High
  • 9.0 - 10.0 = Critical

CVSS provides a quantitative measure of software vulnerabilities.

False

What does 'Privileges Required (PR)' describe?

The level of privileges an attacker must possess before exploiting a vulnerability.

An attack that requires an attacker to inject themselves into the logical network path is referred to as __________.

network injection

What does CVSS stand for?

Common Vulnerability Scoring System

Match the metrics with their descriptions:

  • None (N) = Attack does not depend on conditions
  • Present (P) = Attack depends on specific conditions
  • Privileges Required (PR) = Level of access before exploitation
  • Exploitability Metrics = Metrics that capture conditions for attack success

How may an attack needing multiple attempts to succeed be classified?

Requires specific deployment conditions

Secrets are pieces of information that can be obtained through reconnaissance.

False

What is the role of prerequisites in attack success?

Prerequisites are conditions that must be met for an attack to succeed.

What does the Attack Vector (AV) metric reflect?

The context by which vulnerability exploitation is possible

The Exploitability metrics reflect the direct consequence of a successful exploit.

False

What is the score range produced by base metric values?

0 to 10

The Exploitability metrics include the _____ metrics and the Impact metrics.

Exploitability

Match the following terms with their descriptions:

  • Network (N) = The system is exploitable over the network stack.
  • Adjacent (A) = Exploitation is limited to a logically adjacent topology.
  • Impact metrics = Reflect the consequences of a successful exploit.
  • Exploitability metrics = Reflect the ease of exploitation of a vulnerability.

Which attack vector allows for remote exploitation?

Network (N)

Impact metrics reflect how vulnerabilities affect only the vulnerable system itself.

False

What is the purpose of amending Threat and Environmental metrics?

To refine the resulting severity score.

What type of interaction is described as 'Active' in the context of a vulnerable system?

A targeted user performing specific interactions with the system

The impact metrics only measure the effects of the vulnerability on the vulnerable system itself.

False

What does the confidentiality metric measure in the context of a vulnerability?

The impact on the confidentiality of the information managed by the system.

In the impact metrics, a 'High' confidentiality score indicates a total loss of __________.

confidentiality

Match the following confidentiality metric values with their descriptions:

  • High (H) = Total loss of confidentiality affecting sensitive information
  • Low (L) = Limited loss of confidentiality with some restricted information accessed

What is an example of an Active interaction?

Submitting a specific string into a web application

A confidentiality loss is considered serious if an attacker gains control over only a small amount of restricted information.

False

What factors should analysts consider when assessing impact metrics?

Analysts should consider the reasonable and final outcomes that an attacker can achieve based on the vulnerability.

What does the acronym CVSS stand for?

Common Vulnerability Scoring System

Supplemental metrics will impact the final calculated CVSS score.

False

What does the Modified Attack Complexity (MAC) metric indicate?

The complexity required to exploit a vulnerability

The abbreviated form for Modified Subsequent System Availability is ______.

MSA

Which metric captures whether an attacker can automate the exploitation of a vulnerability?

Automatable

Match the following supplemental metrics with their descriptions:

  • Safety = Impact to human safety due to the vulnerability
  • Automatable = Ability to automate exploitation across targets
  • Recovery = Potential for recovery after exploitation
  • Confidentiality = Impact on data confidentiality after a breach

A vector string can include the same metric more than once.

False

What is the first part of a CVSS v4.0 vector string?

CVSS:4.0

Study Notes

CVSS: Common Vulnerability Scoring System

  • A standardized framework for communicating the severity of software vulnerabilities, with numerical scores indicating vulnerability severity.
  • The CVSS score ranges from 0 to 10, with higher scores signifying greater severity.
  • CVSS is used to prioritize vulnerabilities, helping organizations focus on the most critical ones to mitigate risk.
  • CVSS is an open framework, meaning it is freely available and can be adopted by anyone.

CVSS Scoring

  • Base Metrics: Represent core vulnerability characteristics, constant across user environments.
    • Exploitability Metrics: Reflect ease of exploitation.
      • Attack Vector (AV): Describes the path or context required for exploitation.
        • Network (N): Vulnerability can be exploited remotely across a network.
        • Adjacent (A): Vulnerability can be exploited within the same network topology, not remotely.
        • Local (L): Requires physical access to the vulnerable system.
        • Active (A): Vulnerability requires targeted user interaction.
      • Attack Complexity (AC): Describes the difficulty of exploiting the vulnerability.
        • High (H): Requires complex steps and significant technical expertise to exploit.
        • Low (L): Can be exploited with minimal effort.
      • Privileges Required (PR): Indicates the user privileges required to exploit the vulnerability.
        • High (H): Attacker needs elevated privileges, like administrator access.
        • Low (L): Attacker doesn't need special privileges.
      • User Interaction (UI): Indicates whether user interaction is needed to exploit the vulnerability.
        • None (N): Vulnerability can be exploited without user interaction.
        • Required (R): User interaction is required to exploit the vulnerability.
      • Attack Requirements (AT): Specifies the specific conditions or prerequisites needed for successful exploitation.
        • None (N): No specific requirements for exploitation.
        • Present (P): Requires specific conditions for exploitation.
    • Impact Metrics: Reflect the consequences of a successful exploit on the vulnerable system and its downstream impact on subsequent systems.
      • Confidentiality (C): Measures the impact on confidentiality of information managed by the system.
        • High (H): Total loss of confidentiality, with a high impact on the system.
        • Low (L): Some loss of confidentiality, with a limited impact on the system.
        • Not Defined (X): Confidentiality impact is not defined.
      • Integrity (I): Measures the impact on the integrity of system data.
        • High (H): Total loss of integrity, with a critical impact on the system.
        • Low (L): Some loss of integrity, with limited impact on the system.
        • Not Defined (X): Integrity impact is not defined.
      • Availability (A): Measures the impact on the system's availability.
        • High (H): Total loss of availability, with a major impact on the system.
        • Low (L): Some loss of availability, with limited impact on the system.
        • Not Defined (X): Availability impact is not defined.
  • Threat Metrics: Reflect the characteristics of a vulnerability that vary over time.
  • Environmental Metrics: Reflect the characteristics of a vulnerability that are specific to a user's environment.
  • Supplemental Metrics: Provide additional insight into vulnerability characteristics but do not modify the final score.

Vector String: Machine Readable Format

  • CVSS v4.0 vector strings, starting with "CVSS:4.0/", represent a set of CVSS metrics in a concise and machine-readable format.
  • They are used to record or transfer CVSS metric information.

Modified Base Metrics

  • Allow analysts to override individual Base metric values based on specific user environment characteristics.
  • These metrics can be used to provide more accurate and contextually relevant scores.

Supplemental Metrics

  • Describe and measure additional attributes of a vulnerability, providing more comprehensive information.
  • Include considerations like safety impact, automatability of exploitation, and recovery efforts.


Related Documents

lec 2 Secure.pdf

Description

Explore the Common Vulnerability Scoring System (CVSS) in this quiz. Learn about its scoring framework, base metrics, and exploitability metrics designed to communicate and prioritize software vulnerabilities effectively. Understand how CVSS helps organizations mitigate risks related to vulnerabilities.
