Which of the CVSS metrics would contain information about the difficulty of exploiting the vulnerability?
46. Tom is reviewing a vulnerability scan report and finds that one of the servers on his network suffers from an internal IP address disclosure vulnerability. What protocol is likely in use on this network that resulted in this vulnerability?
Answer: [B]
47. Which one of the CVSS metrics would contain information about the number of times that an attacker must successfully authenticate to execute an attack?
Answer: [C]
48. Which one of the following values for the CVSS access complexity metric would indicate that the specified attack is simplest to exploit?
Answer: [C]
49. Which one of the following values for the confidentiality, integrity, or availability CVSS metric would indicate the potential for total compromise of a system?
Answer: [D]
50. What is the most recent version of CVSS that is currently available?
Answer: [D]
The Common Vulnerability Scoring System (CVSS) is a public framework for rating the severity of security vulnerabilities in software. It is application and vendor neutral, enabling an organization to score its IT vulnerabilities across a wide range of software products -- from operating systems and databases to web applications -- using the same scoring framework.

Why do organizations adopt CVSS?
Historically, vendors used their own methods for scoring software vulnerabilities, often without detailing how their scores were calculated. This created a conundrum for system admins: should they fix a vulnerability with a severity of "high" first, or one with a rating of 5? To address this problem, the US National Infrastructure Assurance Council (NIAC) developed CVSS to simplify the generation of consistent scores that accurately reflect the severity and impact of vulnerabilities in a specific IT environment. Because the framework is open, organizations have full access to the parameters used to generate scores, so everyone can understand the rationale behind any vulnerability score and the differences between scores. This makes it easier for security teams to gauge the impact of vulnerabilities on their systems and to prioritize which vulnerabilities to fix first. CVSS can also help organizations meet the security requirements of various standards: for example, the presence of unpatched vulnerabilities with a CVSS score of 4.0 or higher has an adverse impact on PCI compliance. CVSS has been widely adopted and is used by the Department of Homeland Security (DHS), the Computer Emergency Response Team (CERT) and many others. Organizations such as Cisco, Qualys, Oracle and SAP generate CVSS scores to communicate the severity of vulnerabilities found in their products. Software developers can also use CVSS scores to prioritize security tests, ensuring that known serious vulnerabilities are removed or mitigated during development.
History of CVSS
CVSS was introduced in 2005 by NIAC, but the international Forum for Incident Response and Security Teams (FIRST) now owns and manages it. FIRST sponsors and supports the Common Vulnerability Scoring System Special Interest Group (CVSS-SIG), which is made up of various organizations and individuals who help promote and refine the framework. CVSS-SIG provided most of the research and feedback on the initial design of CVSS and helped test and refine the formulas used in later versions.

CVSS versions
CVSS v2 was released in 2007 and was seen as a significant improvement over the original version, reducing inconsistencies, providing additional granularity and more accurately reflecting the true properties of IT vulnerabilities despite the wide variety of vulnerability types. CVSS 3.0 was released in June 2015 and introduced scoring changes that more accurately reflected the reality of vulnerabilities encountered in the wild, such as the privileges required to exploit a vulnerability and the opportunities it gives an attacker who successfully uses it. The most recent version is 3.1, released in June 2019.

Vulnerability metrics
A CVSS score is derived from scores in three metric groups, Base, Temporal and Environmental, that cover the different characteristics of a vulnerability, including its impact and how that impact changes over time and across environments. The Base group is made up of six categories, the Temporal group of three values, and the Environmental group of five categories.

Base metrics
The Base score is the metric most relied upon by enterprises and deals with the inherent characteristics of a vulnerability, that is, the ones that don't change over time or with a user's environment, such as the degree to which a vulnerability could compromise the confidentiality, integrity or availability (CIA) of the system. It is made up of two sets of metrics. First are the Exploitability metrics:
Second are the Impact metrics:
Temporal metrics
The Temporal score measures aspects of the vulnerability according to its current status as a known vulnerability, and so represents the properties of the vulnerability that do change over time, such as the release of an official patch. It also includes the Report Confidence metric, which measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details demonstrating that the vulnerability is both real and exploitable. These metrics can decrease or increase the Base score, for example when a patch or workaround becomes available, or when the vulnerability is validated by the vendor. The complete list of Temporal values is:
Environmental metrics
The Environmental metrics enable an organization to refine the Base score to its own environment by measuring the severity of the vulnerability adjusted for its impact on individual systems. These metrics provide real context for vulnerabilities within an organization, since the business criticality of the asset, the identification of mitigating controls and the use of the asset in question can all be considered. The full list of Environmental metric categories includes:
How scoring works
A CVSS score can be between 0.0 and 10.0, with 10.0 being the most severe. To help convey CVSS scores to less technical stakeholders, FIRST maps CVSS scores to the following qualitative ratings:
0.0 = None
0.1-3.9 = Low
4.0-6.9 = Medium
7.0-8.9 = High
9.0-10.0 = Critical
The Base score is mandatory while the Temporal score is optional, and both are provided by the vendor or analyst. The Environmental score is calculated by the end user and is also optional. The only requirement for categorizing a vulnerability with a CVSS score is the completion of the Base score components -- the Exploitability subscore, the Impact subscore and the Scope subscore. These scores are combined into the overall Base score using a formula that weights each subscore. The Temporal score is calculated by multiplying the Base score by the three Temporal metrics, while the Environmental score is a more complex calculation in which the five Environmental metrics are used to recompute the Base and Temporal scores, giving a more accurate evaluation of the severity of a vulnerability in the context of how the vulnerable component is deployed.

CVSS vs. CVE
CVSS is not a vulnerability classification system like CVE (Common Vulnerabilities and Exposures), which is a unique identifier for each vulnerability listed in the NIST NVD (National Vulnerability Database). CVE identifiers are in the format CVE-[4 Digit Year]-[Sequential Identifier]. So, for example, the CVE for the Heartbleed vulnerability is CVE-2014-0160. CVE does, however, use CVSS to indicate the severity of each CVE, and FIRST's qualitative ratings based on the CVSS Base score are provided for each CVE vulnerability.

CVSS calculators
Publicly available CVSS scores are Base scores only, so they represent the severity of a vulnerability, but not whether a vulnerability poses a risk to a specific IT environment.
A CVSS calculator is required to calculate the Temporal and Environmental scores for an organization's own environment. There are free CVSS calculators provided by FIRST, NIST and Cisco, while ImmuniWeb has an online calculator to calculate a CVSSv3 Base Score for vulnerabilities in web applications.

Which one of the CVSS metrics would contain information about the number of times that an attacker must successfully authenticate to execute an attack?
C - Au. The authentication metric describes the authentication hurdles that an attacker would need to clear to exploit a vulnerability.
What is the most recent version of CVSS that is currently available?
While many utilize only the CVSS Base score for determining severity, Temporal and Environmental scores also exist, to factor in the availability of mitigations and how widespread vulnerable systems are within an organization, respectively. The current version of CVSS (CVSSv3.1) was released in June 2019.
How are vulnerabilities discovered?
Some vulnerabilities are discovered by 'white hat' security researchers, who usually report the issue to the software vendors through established bug bounty programs (such as our Vulnerability Reward Program). Others are found by attackers, who put their discoveries to more harmful use.
Which one of the following is not an example of a vulnerability scanning tool?
B: Snort. QualysGuard, Nessus, and OpenVAS are all examples of vulnerability scanning tools. Snort is an intrusion detection system.